#!/usr/bin/perl # # Copyright (C) 1999,2000 Yokogawa Electric Corporation and # YDC Corporation. # All rights reserved. # # Redistribution and use of this software in source and binary # forms, with or without modification, are permitted provided that # the following conditions and disclaimer are agreed and accepted # by the user: # # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with # the distribution. # # 3. Neither the names of the copyrighters, the name of the project # which is related to this software (hereinafter referred to as # "project") nor the names of the contributors may be used to # endorse or promote products derived from this software without # specific prior written permission. # # 4. No merchantable use may be permitted without prior written # notification to the copyrighters. # # 5. The copyrighters, the project and the contributors may prohibit # the use of this software at any time. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHTERS, THE PROJECT AND # CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING # BUT NOT LIMITED THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE, ARE DISCLAIMED. IN NO EVENT SHALL THE # COPYRIGHTERS, THE PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, # INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES # (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, # STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING # IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. 
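#
# $Id: HTR_A_Out_2SA_DspiDipdst.seq,v 1.1.1.1 2000/10/31 22:39:37 sekiya Exp $
#
######################################################################
#
# HTR_A_Out_2SA_DspiDipdst
#
# Host, transport mode, AH, outbound: the NUT is given two SAs that
# differ in both SPI and destination address (HOST1_NET5 / SPI 0x1000
# and HOST2_NET5 / SPI 0x2000).  The tester pings the NUT once from
# each host and expects each echo reply to come back protected by the
# SA whose destination matches that host.
#
# The verdict is reported through ipsecExitPass() / ipsecExitFail();
# every failure path calls ipsecExitFail() explicitly.

use strict;
use warnings;

BEGIN {
    # The shared IPsec helpers are resolved relative to the working
    # directory the harness starts this script in, not relative to
    # the script's own location.
    unshift(@INC, '../ipsec/');
    $V6evalTool::TestVersion = '$Name: $ ';
}

use V6evalTool;
use IPSEC;

# Packet-name descriptions for the log.  Kept as a package global
# ('our', not 'my') because the V6evalTool helpers may read it by its
# package name -- confirm before turning it into a lexical.
our %pktdesc = (
    ### TBD
);

# Tester-side interface used for capture and for the ping exchange.
our $IF = 'Link0';

#----- check NUT type
ipsecCheckNUT('host');

#----- set SAD,SPD
vLogHTML("*** Target initialization phase ***\n");
ipsecClearAll();

# Both SAs are outbound from the NUT, transport mode, AH with HMAC-MD5.
# The keys below are fixed test vectors; the expected reply packets in
# the packet definition file named in the SYNOPSIS are presumably keyed
# with the same values, so the two must be kept in step.

## HOST1 vs NUT (SA1)
ipsecSetSAD(
    "src=$IPSEC::IPsecAddr{IPSEC_NUT_NET3_ADDR}",
    "dst=$IPSEC::IPsecAddr{IPSEC_HOST1_NET5_ADDR}",
    "spi=0x1000",
    "mode=transport",
    "protocol=ah",
    "aalgo=hmac-md5",
    "aalgokey=0123456789ABCDEF",
);
ipsecSetSPD(
    "src=$IPSEC::IPsecAddr{IPSEC_NUT_NET3_ADDR}",
    "dst=$IPSEC::IPsecAddr{IPSEC_HOST1_NET5_ADDR}",
    "upperspec=any",
    "direction=out",
    "protocol=ah",
    "mode=transport",
);

## HOST2 vs NUT (SA2)
ipsecSetSAD(
    "src=$IPSEC::IPsecAddr{IPSEC_NUT_NET3_ADDR}",
    "dst=$IPSEC::IPsecAddr{IPSEC_HOST2_NET5_ADDR}",
    "spi=0x2000",
    "mode=transport",
    "protocol=ah",
    "aalgo=hmac-md5",
    "aalgokey=foo0foo1foo2foo3",
);
ipsecSetSPD(
    "src=$IPSEC::IPsecAddr{IPSEC_NUT_NET3_ADDR}",
    "dst=$IPSEC::IPsecAddr{IPSEC_HOST2_NET5_ADDR}",
    "upperspec=any",
    "direction=out",
    "protocol=ah",
    "mode=transport",
);

#======================================================================
vLogHTML("*** Target testing phase ***\n");
vCapture($IF);

# ping TN(HOST1) <-> NUT
_check_ping_over_sa('HOST1', '1st', 'echo_request_from_host1', 'echo_reply_to_host1_ah');

# ping TN(HOST2) <-> NUT
_check_ping_over_sa('HOST2', '2nd', 'echo_request_from_host2', 'echo_reply_to_host2_ah');

vLogHTML("Ping over coexisting two SA bundles are available.\n");
ipsecExitPass();

# Send the named echo request from $host and require the named AH-
# protected reply.  Logs the outcome; on any status other than
# GOT_REPLY the run is handed to ipsecExitFail(), which presumably
# does not return (the flow is the same as the original inline code).
#
#   $host    - label used in the log messages ("HOST1", "HOST2")
#   $ordinal - "1st"/"2nd", names the SA bundle in the success message
#   $request - packet name of the echo request the TN sends
#   $reply   - packet name of the AH-protected echo reply expected back
sub _check_ping_over_sa {
    my ($host, $ordinal, $request, $reply) = @_;

    # ipsecPing2NUT returns the status followed by a hash of details;
    # only the status is consulted here.
    my ($stat) = ipsecPing2NUT($IF, $request, $reply);
    if ($stat ne 'GOT_REPLY') {
        vLogHTML("TN received no echo reply from NUT to $host.\n");
        ipsecExitFail();
    }
    vLogHTML("TN received echo reply from NUT to $host.\n");
    vLogHTML("Ping over $ordinal SA bundle is available.\n");
    return;
}

######################################################################
__END__

=head1 NAME

HTR_A_Out_2SA_DspiDipdst - Host Transport Mode AH Outbound 2 SA selection, Different SPI, Different IPdst

=head1 TARGET

Host

=head1 SYNOPSIS

=begin html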
  HTR_A_Out_2SA_DspiDipdst.seq [-tooloption ...] -pkt HTR_A_2SA_DspiDip.def
    -tooloption : v6eval tool option
  See also HTR_A_common.def and HTR_common.def
=end html

=head1 INITIALIZATION

=begin html

For details of Network Topology, see 00README

Set the NUT's SAD and SPD as follows:

              NET5      NET3
    HOST1_NET5 -- Router -- NUT
         <----transport------ (SA1)
    HOST2_NET5
         <----transport------ (SA2)

Security Association Database (SAD) for SA1

source address NUT_NET3
destination address HOST1_NET5
SPI 0x1000
mode transport
protocol AH
AH algorithm HMAC-MD5
AH algorithm key 0123456789ABCDEF

Security Policy Database (SPD) for SA1

source address NUT_NET3
destination address HOST1_NET5
upper spec any
direction out
protocol AH
mode transport

Security Association Database (SAD) for SA2

source address NUT_NET3
destination address HOST2_NET5
SPI 0x2000
mode transport
protocol AH
AH algorithm HMAC-MD5
AH algorithm key foo0foo1foo2foo3

Security Policy Database (SPD) for SA2

source address NUT_NET3
destination address HOST2_NET5
upper spec any
direction out
protocol AH
mode transport
=end html

=head1 TEST PROCEDURE

=begin html
 Tester                      Target
   |                           |
   |-------------------------->|
   |      ICMP Echo Request    |
   |        From Host1         |
   |                           |
   |<--------------------------|
   |      ICMP Echo Reply      |
   |         To Host1          |
   |        (using SA1)        |
   |                           |
   |                           |
   |-------------------------->|
   |      ICMP Echo Request    |
   |        From Host2         |
   |                           |
   |<--------------------------|
   |      ICMP Echo Reply      |
   |         To Host2          |
   |        (using SA2)        |
   |                           |
   v                           v
  1. Send ICMP Echo Request from Host1
  2. Receive ICMP Echo Reply using SA1 to Host1
  3. Send ICMP Echo Request from Host2
  4. Receive ICMP Echo Reply using SA2 to Host2

ICMP Echo Request from Host1

IP Header Source Address HOST1_NET5
Destination Address NUT_NET3
ICMP Type 128 (Echo Request)

ICMP Echo Reply using SA1 to Host1

IP Header Source Address NUT_NET3
Destination Address HOST1_NET5
AH SPI 0x1000
Algorithm HMAC-MD5
Key 0123456789ABCDEF
ICMP Type 129 (Echo Reply)

ICMP Echo Request from Host2

IP Header Source Address HOST2_NET5
Destination Address NUT_NET3
ICMP Type 128 (Echo Request)

ICMP Echo Reply using SA2 to Host2

IP Header Source Address NUT_NET3
Destination Address HOST2_NET5
AH SPI 0x2000
Algorithm HMAC-MD5
Key foo0foo1foo2foo3
ICMP Type 129 (Echo Reply)
=end html

=head1 JUDGEMENT

PASS: Both ICMP Echo Replies with AH (one using SA1, one using SA2) received

=head1 SEE ALSO

perldoc V6evalTool

=begin html
  IPSEC.html IPsec Test Common Utility
=end html

=cut