#	$OpenBSD: Makefile,v 1.34 2021/12/21 13:50:35 tobhe Exp $

# Copyright (c) 2020 Tobias Heider <tobhe@openbsd.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

REGRESS_SETUP_ONCE =	setup
REGRESS_CLEANUP =	cleanup
CLEANFILES =		*.conf *.cnf *.csr *.key *.crt *.srl

LEFT_SSH ?=
RIGHT_SSH ?=
LEFT_ADDR ?=
RIGHT_ADDR ?=

.if empty(LEFT_SSH) || empty(RIGHT_SSH) || empty(LEFT_ADDR) || empty(RIGHT_ADDR)
regress:
	@echo this test needs two remote machines to operate
	@echo LEFT_SSH RIGHT_SSH RIGHT_ADDR LEFT_ADDR are not defined
	@echo SKIPPED
.endif

TEST_FLOWS = \
	[ -z $$tmode ] && tmode=tunnel; \
	_ret=1; \
	count=0; \
	dynamic=${RIGHT_ADDR}; \
	if [ -n "$$config_address" ]; then \
		dynamic="172.16.13.[0-9]+"; \
	fi; \
	[ -z "$$maxwait" ] && maxwait=3; \
	while [[ $$count -le $$maxwait ]]; do \
		ipsecctlleft=`ssh ${LEFT_SSH} ipsecctl -sa`; \
		ipsecctlright=`ssh ${RIGHT_SSH} ipsecctl -sa`; \
		flowleft=`echo "$$ipsecctlleft" \
		    | sed -E -n "/^flow $$flowtype in from $$dynamic\
		    to ${LEFT_ADDR} peer ${RIGHT_ADDR} srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]*\
		    dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; \
		flowright=`echo "$$ipsecctlright" \
		    | sed -E -n "/^flow $$flowtype in from ${LEFT_ADDR}\
		    to $$dynamic peer ${LEFT_ADDR} srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]*\
		    dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; \
		saleft_rtol=`echo "$$ipsecctlleft" \
		    | sed -n "/^$$flowtype $$tmode from ${RIGHT_ADDR} to ${LEFT_ADDR}/p"`; \
		saleft_ltor=`echo "$$ipsecctlleft" \
		    | sed -n "/^$$flowtype $$tmode from ${LEFT_ADDR} to ${RIGHT_ADDR}/p"`; \
		saright_rtol=`echo "$$ipsecctlright" \
		    | sed -n "/^$$flowtype $$tmode from ${RIGHT_ADDR} to ${LEFT_ADDR}/p"`; \
		saright_ltor=`echo "$$ipsecctlright" \
		    | sed -n "/^$$flowtype $$tmode from ${LEFT_ADDR} to ${RIGHT_ADDR}/p"`; \
		if [[ -n "$$saleft_ltor" && -n "$$saleft_rtol" && \
		     -n "$$saright_ltor" && -n "$$saright_rtol" && \
		     -n "$$flowleft" && -n "$$flowright" ]]; then \
			 _ret=0; \
			 break; \
		fi; \
		let count=$$count+1; \
	done; \
	if [[ "$${_ret}" -ne 0 ]]; then \
		echo "SAs not found:\n$$ipsecctlleft\n$$ipsecctlright"; \
	fi

TEST_PING = \
	_ret=1; \
	if [[ "${IPV}" == "6" ]]; then ping="ping6"; else ping="ping"; fi; \
	dump=`ssh ${LEFT_SSH} "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & \
	    $$ping -w 1 -n -c 5 ${RIGHT_ADDR} > /dev/null && \
	    tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; \
	    kill -9 \\$$! > /dev/null 2>&1 || true"`; \
	rtol=`echo "$$dump" \
	    | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: ${LEFT_ADDR} > ${RIGHT_ADDR}/p"`; \
	ltor=`echo "$$dump" \
	    | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: ${RIGHT_ADDR} > ${LEFT_ADDR}/p"`; \
	if [[ -z "$$rtol" || -z "$$ltor" ]]; then \
		_ret=1; \
	else \
		_ret=0; \
	fi; \
	echo "$$dump"

TEST_SINGLEIKESA = \
	count=`ssh ${LEFT_SSH} "ikectl show sa | grep -c iked_sas"`; \
	if [[ "$$count" != "1" ]]; then \
		echo "error: too many IKE SAs."; \
		exit 1; \
	fi

SETUP_CONFIG = \
	from=$$local; \
	to=$$peer; \
	if [[ -z "$$mode" ]]; then mode="active"; fi; \
	authstr=""; \
	if [[ "$$auth" = "psk" ]]; then \
		authstr="psk $$psk"; \
	fi; \
	ipcomp=""; \
	if [[ "$$flowtype" = "ipcomp" ]]; then \
		ipcomp="ipcomp"; \
	fi; \
	global=""; \
	if [ "$$fragmentation" = true ]; then \
		global="$${global}set fragmentation\n"; \
	fi; \
	if [ "$$singleikesa" = true ]; then \
		global="$${global}set enforcesingleikesa\n"; \
	fi; \
	if [ "$$intermediate" = true ]; then \
		global="$${global}set cert_partial_chain\n"; \
	fi; \
	confstr=""; \
	if [ -n "$$config_address" ]; then \
		if [ "$$side" = left ]; then \
			mode=passive; \
			confstr="config address $$config_address"; \
			if [[ "$$config_address" == */* ]]; then \
				to="dynamic"; \
			else \
				to="$$config_address"; \
			fi; \
		else \
			mode=active; \
			confstr="request address any"; \
			if [[ "$$config_address" == */* ]]; then \
				from="dynamic"; \
			else \
				from="$$config_address"; \
			fi; \
		fi; \
	fi; \
	echo "MODE=\"$$mode\"" >> $@_$$side.conf; \
	echo "TMODE=\"$$tmode\"" >> $@_$$side.conf; \
	echo "FROM=\"$$from\"" >> $@_$$side.conf; \
	echo "TO=\"$$to\"" >> $@_$$side.conf; \
	echo "LOCAL_ADDR=\"$$local\"" >> $@_$$side.conf; \
	echo "PEER_ADDR=\"$$peer\"" >> $@_$$side.conf; \
	echo "IPCOMP=\"$$ipcomp\"" >> $@_$$side.conf; \
	echo "SRCID=\"\\\"$$srcid\\\"\"" >> $@_$$side.conf; \
	echo "DSTID=\"$$dstid\"" >> $@_$$side.conf; \
	echo "AUTH=\"$$authstr\"" >> $@_$$side.conf; \
	echo "CONFIG=\"$$confstr\"" >> $@_$$side.conf; \
	echo "IKESA=\"$$ikesa\"" >> $@_$$side.conf; \
	echo "$$global" >> $@_$$side.conf; \
	cat ${.CURDIR}/iked.in >> $@_$$side.conf

DEPLOY_CONFIGS = \
	chmod 0600 $@_left.conf; \
	echo "cd /tmp\nput $@_left.conf test.conf" | sftp -q ${LEFT_SSH}; \
	chmod 0600 $@_right.conf; \
	echo "cd /tmp\nput $@_right.conf test.conf" | sftp -q ${RIGHT_SSH}; \
	rm -f $@_left.conf $@_right.conf

SETUP_CONFIGS = \
	if [[ "$$auth" = "psk" ]]; then \
		psk=`openssl rand -hex 20`; \
	fi; \
	side=left; \
	srcid=$$leftid; \
	local=${LEFT_ADDR}; \
	peer=${RIGHT_ADDR}; \
	    ${SETUP_CONFIG}; \
	side=right; \
	srcid=$$rightid; \
	local=${RIGHT_ADDR}; \
	peer=${LEFT_ADDR}; \
	    ${SETUP_CONFIG}; \
	${DEPLOY_CONFIGS}

SETUP_SYSCTL = \
	ssh ${LEFT_SSH} "sysctl $$sysctl"; \
	ssh ${RIGHT_SSH} "sysctl $$sysctl"

SETUP_START = \
	ssh ${LEFT_SSH} "ipsecctl -F; pkill iked; iked $$iked_flags -f /tmp/test.conf"; \
	ssh ${RIGHT_SSH} "ipsecctl -F; pkill iked; iked $$iked_flags -f /tmp/test.conf"

SETUP_RELOAD_RIGHT = \
	ssh ${RIGHT_SSH} "ikectl reload"

SETUP_CERT = \
	echo "ALTNAME = $$name-from-$$caname" > $$name-from-$$caname.cnf; \
	cat ${.CURDIR}/crt.in >> $$name-from-$$caname.cnf; \
	openssl req -config $$name-from-$$caname.cnf -new -key $$name.key -nodes \
	    -out $$name-from-$$caname.csr; \
	openssl x509 -extfile $$name-from-$$caname.cnf -extensions req_cert_extensions \
	     -req -in $$name-from-$$caname.csr -CA $$caname.crt -CAkey $$caname.key \
	     -CAcreateserial -out $$name-from-$$caname.crt

SETUP_INTERMEDIATE = \
	echo "ALTNAME = $$name-from-$$caname" > $$name-from-$$caname.cnf; \
	cat ${.CURDIR}/crt.in >> $$name-from-$$caname.cnf; \
	openssl genrsa -out $$name-from-$$caname.key 2048; \
	openssl req -config $$name-from-$$caname.cnf -new -key $$name-from-$$caname.key -nodes \
	    -out $$name-from-$$caname.csr; \
	openssl x509 -extfile $$name-from-$$caname.cnf -extensions v3_intermediate_ca \
	    -req -in $$name-from-$$caname.csr -CA $$caname.crt -CAkey $$caname.key \
	    -CAcreateserial -out $$name-from-$$caname.crt

SETUP_CA = \
	openssl genrsa -out $$caname.key 2048; \
	openssl req -subj "/C=DE/ST=Bavaria/L=Munich/O=iked/CN=$$caname" \
	     -new -x509 -key $$caname.key -out $$caname.crt

cleanup:
	-ssh ${LEFT_SSH} 'rm -f /tmp/test.conf; ipsecctl -F; pkill iked; \
	    rm -f /etc/iked/ca/*; rm -f /etc/iked/certs/*; rm -f /etc/iked/private/*; \
	    sysctl "net.inet.esp.udpencap_port=4500"; \
	    rm -f /tmp/pf.conf; pfctl -d; pfctl -f /etc/pf.conf;'
	-ssh ${RIGHT_SSH} 'rm -f /tmp/test.conf; ipsecctl -F; pkill iked; \
	    rm -f /etc/iked/ca/*; rm -f /etc/iked/certs/*; rm -f /etc/iked/private/*; \
	    sysctl "net.inet.esp.udpencap_port=4500"; \
	    rm -f /tmp/pf.conf; pfctl -d; pfctl -f /etc/pf.conf;'

setup_certs: ca-both.crt left-from-ca-both.crt left.key right-from-ca-both.crt \
    right.key ca-left.crt right-from-ca-left.crt ca-right.crt left-from-ca-right.crt \
    ca-none.crt left-from-ca-none.crt right-from-ca-none.crt \
    intermediate-from-ca-none.crt left-from-intermediate-from-ca-none.crt \
    right-from-intermediate-from-ca-none.crt
	echo "cd /etc/iked\n \
	    put left-from-ca-both.crt certs\n \
	    put left-from-ca-right.crt certs\n \
	    put left-from-ca-none.crt certs\n \
	    put left-from-intermediate-from-ca-none.crt certs\n \
	    put right-from-ca-none.crt certs\n \
	    put left.key private/local.key\n \
	    put intermediate-from-ca-none.crt ca\n \
	    put ca-left.crt ca\n \
	    put ca-both.crt ca\n" | sftp ${LEFT_SSH} -q; \
	echo "cd /etc/iked\n \
	    put right-from-ca-both.crt certs\n \
	    put right-from-ca-left.crt certs\n \
	    put right-from-ca-none.crt certs\n \
	    put right-from-intermediate-from-ca-none.crt certs\n \
	    put left-from-ca-none.crt certs\n \
	    put right.key private/local.key\n \
	    put intermediate-from-ca-none.crt ca\n \
	    put ca-right.crt ca\n \
	    put ca-both.crt ca\n" | sftp ${RIGHT_SSH} -q; \
	ssh ${LEFT_SSH} "openssl rsa -in /etc/iked/private/local.key -pubout > /etc/iked/local.pub"; \
	ssh ${RIGHT_SSH} "openssl rsa -in /etc/iked/private/local.key -pubout > /etc/iked/local.pub"

setup_pf: pf.in
	echo "cd /tmp\nput ${.CURDIR}/pf.in pf.conf" | sftp -q ${LEFT_SSH}
	echo "cd /tmp\nput ${.CURDIR}/pf.in pf.conf" | sftp -q ${RIGHT_SSH}
	-ssh ${LEFT_SSH} "pfctl -f /tmp/pf.conf; pfctl -e"
	-ssh ${RIGHT_SSH} "pfctl -f /tmp/pf.conf; pfctl -e"

setup: setup_pf setup_certs

.PHONY: setup_certs

test_flows:
	${TEST_FLOWS}

left.key right.key:
	openssl genrsa -out $@ 2048

ca-both.crt ca-both.key:
	caname=ca-both; ${SETUP_CA}

left-from-ca-both.crt: ca-both.crt ca-both.key left.key
	caname=ca-both; name=left; ${SETUP_CERT}

right-from-ca-both.crt: ca-both.crt ca-both.key right.key
	caname=ca-both; name=right; ${SETUP_CERT}

ca-left.crt ca-left.key:
	caname=ca-left; ${SETUP_CA}

right-from-ca-left.crt right.key: ca-left.crt ca-left.key
	caname=ca-left; name=right; ${SETUP_CERT}

ca-right.crt ca-right.key:
	caname=ca-right; ${SETUP_CA}

left-from-ca-right.crt left.key: ca-right.crt ca-right.key
	caname=ca-right; name=left; ${SETUP_CERT}

ca-none.crt ca-none.key:
	caname=ca-none; ${SETUP_CA}

left-from-ca-none.crt left.key: ca-none.crt ca-none.key
	caname=ca-none; name=left; ${SETUP_CERT}

right-from-ca-none.crt right.key: ca-none.crt ca-none.key
	caname=ca-none; name=right; ${SETUP_CERT}

intermediate-from-ca-none.crt intermediate-from-ca-none.key:
	caname=ca-none name=intermediate; ${SETUP_INTERMEDIATE}

left-from-intermediate-from-ca-none.crt left.key: \
     intermediate-from-ca-none.crt intermediate-from-ca-none.key
	caname=intermediate-from-ca-none; name=left; ${SETUP_CERT}

right-from-intermediate-from-ca-none.crt right.key: \
     intermediate-from-ca-none.crt intermediate-from-ca-none.key
	caname=intermediate-from-ca-none; name=right; ${SETUP_CERT}

REGRESS_TARGETS = run-ping-fail
run-ping-fail:
	ssh ${LEFT_SSH} "ipsecctl -F; pkill iked || true"
	ssh ${RIGHT_SSH} "ipsecctl -F; pkill iked || true"
	${TEST_PING}; \
	if [[ $$_ret -ne 1 ]]; then exit 1; fi

REGRESS_TARGETS += run-cert-single-ca
run-cert-single-ca:
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi

REGRESS_TARGETS += run-cert-single-ca-asn1dn
run-cert-single-ca-asn1dn:
	leftid="/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-ca-both"; \
	rightid="/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-ca-both"; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi

REGRESS_TARGETS += run-cert-no-ca
run-cert-no-ca:
	leftid=left-from-ca-none; \
	rightid=right-from-ca-none; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi

REGRESS_TARGETS += run-config-address
run-config-address:
	flowtype=esp; \
	config_address=172.16.13.36; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	config_address=172.16.13.36; \
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi

REGRESS_TARGETS += run-config-address-pool
run-config-address-pool:
	flowtype=esp; \
	config_address=172.16.13.36/31; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	config_address=172.16.13.36/31; \
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi

REGRESS_TARGETS += run-dstid-fail
run-dstid-fail:
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	    side=left; \
	    srcid=$$leftid; \
	    local=${LEFT_ADDR}; \
	    peer=${RIGHT_ADDR}; \
	    ${SETUP_CONFIG}; \
	    side=right; \
	    mode=passive; \
	    srcid=$$rightid; \
	    local=${RIGHT_ADDR}; \
	    peer=${LEFT_ADDR}; \
	    dstid="dstid invalid"; \
	    ${SETUP_CONFIG}; \
	    ${DEPLOY_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 1 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 1 ]]; then exit 1; fi

REGRESS_TARGETS += run-dstid
run-dstid:
	flowtype=esp; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	    side=left; \
	    srcid=$$leftid; \
	    local=${LEFT_ADDR}; \
	    peer=${RIGHT_ADDR}; \
	    dstid="dstid $$rightid"; \
	    ${SETUP_CONFIG}; \
	    side=right; \
	    srcid=$$rightid; \
	    local=${RIGHT_ADDR}; \
	    peer=${LEFT_ADDR}; \
	    dstid="dstid $$leftid"; \
	    ${SETUP_CONFIG}; \
	    ${DEPLOY_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi

REGRESS_TARGETS += run-dstid-multi
run-dstid-multi:
	flowtype=esp; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	    side=left; srcid=$$leftid; local=${LEFT_ADDR}; peer=${RIGHT_ADDR}; \
	    dstid="dstid $$rightid"; \
	    ${SETUP_CONFIG}; \
	    side=right; mode=passive; srcid=$$rightid; local=${RIGHT_ADDR}; \
	    peer=${LEFT_ADDR}; dstid="dstid $$leftid"; \
	    ${SETUP_CONFIG}; \
	    dstid="dstid roflol"; \
	    ${SETUP_CONFIG}; \
	    ${DEPLOY_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi

REGRESS_TARGETS += run-srcid-multi
run-srcid-multi:
	flowtype=esp; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	    side=left; srcid=$$leftid; local=${LEFT_ADDR}; peer=${RIGHT_ADDR}; \
	    dstid="dstid $$rightid"; \
	    ${SETUP_CONFIG}; \
	    side=right; mode=passive; srcid="borked"; local=${RIGHT_ADDR}; \
	    peer=${LEFT_ADDR}; dstid=""; \
	    ${SETUP_CONFIG}; \
	    srcid=$$rightid; \
	    ${SETUP_CONFIG}; \
	    srcid="roflol"; \
	    ${SETUP_CONFIG}; \
	    ${DEPLOY_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi

REGRESS_TARGETS += run-cert-multi-ca
run-cert-multi-ca:
	flowtype=esp; \
	leftid=left-from-ca-right; \
	rightid=right-from-ca-left; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi

REGRESS_TARGETS += run-cert-second-altname
run-cert-second-altname:
	flowtype=esp; \
	leftid=left-from-ca-both-alternative; \
	rightid=right-from-ca-both@openbsd.org; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi

REGRESS_TARGETS += run-invalid-ke
run-invalid-ke:
	flowtype=esp; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	    side=left; srcid=$$leftid; local=${LEFT_ADDR}; peer=${RIGHT_ADDR}; \
	    dstid="dstid $$rightid"; \
	    ikesa="ikesa group ecp256 group curve25519"; \
	    ${SETUP_CONFIG}; \
	    side=right; mode=passive; srcid=$$rightid; local=${RIGHT_ADDR}; \
	    peer=${LEFT_ADDR}; dstid="dstid $$leftid"; \
	    ikesa="ikesa group curve25519"; \
	    ${SETUP_CONFIG}; \
	    ${DEPLOY_CONFIGS}
	${SETUP_START}
	flowtype=esp; maxwait=6; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi

REGRESS_TARGETS += run-psk-fail
run-psk-fail:
	auth=psk; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	flowtype=esp; \
	    side=left; \
	    srcid=$$leftid; \
	    local=${LEFT_ADDR}; \
	    peer=${RIGHT_ADDR}; \
	    dstid="dstid $$rightid"; \
	    psk=`openssl rand -hex 20`; \
	    ${SETUP_CONFIG}; \
	    side=right; \
	    srcid=$$rightid; \
	    local=${RIGHT_ADDR}; \
	    peer=${LEFT_ADDR}; \
	    dstid="dstid $$leftid"; \
	    psk=`openssl rand -hex 20`; \
	    ${SETUP_CONFIG}; \
	    ${DEPLOY_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 1 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 1 ]]; then exit 1; fi

REGRESS_TARGETS += run-psk
run-psk:
	auth=psk; \
	leftid=left; \
	rightid=right; \
	flowtype=esp; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; \
	if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; \
	if [[ $$_ret -ne 0 ]]; then exit 1; fi

REGRESS_TARGETS += run-intermediate-fail
run-intermediate-fail:
	leftid=left-from-intermediate-from-ca-none; \
	rightid=right-from-intermediate-from-ca-none; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 1 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 1 ]]; then exit 1; fi

REGRESS_TARGETS += run-intermediate
run-intermediate:
	intermediate=true; \
	leftid=left-from-intermediate-from-ca-none; \
	rightid=right-from-intermediate-from-ca-none; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi

REGRESS_TARGETS += run-fragmentation
run-fragmentation:
	flowtype=esp; \
	fragmentation=true; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; \
	if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; \
	if [[ $$_ret -ne 0 ]]; then exit 1; fi

REGRESS_TARGETS += run-transport
run-transport:
	flowtype=esp; \
	tmode=transport; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	tmode=transport; flowtype=esp; \
	    ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi

REGRESS_TARGETS += run-singleikesa
run-singleikesa:
	flowtype=esp; \
	singleikesa=true; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	sleep 1; ${SETUP_RELOAD_RIGHT}; \
	sleep 3; ${TEST_SINGLEIKESA}

REGRESS_TARGETS += run-ipcomp
run-ipcomp:
	flowtype=ipcomp; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	    ${SETUP_CONFIGS}
	sysctl="net.inet.ipcomp.enable=1"; \
	    ${SETUP_SYSCTL}
	${SETUP_START}
	flowtype=ipcomp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi

REGRESS_TARGETS += run-udpencap-port
run-udpencap-port:
	flowtype=esp; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	    ${SETUP_CONFIGS}; \
	sysctl="net.inet.esp.udpencap_port=9999"; \
	    ${SETUP_SYSCTL};
	iked_flags=-p9999; \
	    ${SETUP_START};
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	sysctl="net.inet.esp.udpencap_port=4500"; \
	    ${SETUP_SYSCTL};

.include <bsd.regress.mk>