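#!/usr/bin/perl
#
# $Copyright$
#
# $Id: HTR_E_In_2SA_DspiDipsrc.seq,v 1.1.1.1 2000/10/31 22:38:51 sekiya Exp $
#
######################################################################
#
# HTR_E_In_2SA_DspiDipsrc: host, transport-mode ESP, inbound.  Two
# inbound SAs that differ in both SPI and source address are installed
# on the NUT; the NUT must pick the right SA for each ESP echo request
# and answer both hosts.
#
BEGIN {
    # The IPSEC helper module is found through a path relative to the
    # working directory, so this script has to be started from the test
    # directory (as the v6eval harness does) for the module to load.
    unshift(@INC, '../ipsec/');
    $V6evalTool::TestVersion = '$Name: $ ';
}

use strict;
use warnings;

use V6evalTool;
use IPSEC;

# Packet descriptions for the log.  Kept as a package global because the
# tool may look at %main::pktdesc (TBD in the original; nothing defined).
our %pktdesc = ();

# Tester-side link used for sending and capturing.
our $IF = 'Link0';

# Install one inbound transport-mode ESP SA on the NUT plus the SPD entry
# that applies it to any upper-layer protocol from $src to $dst.
#   $src, $dst : IPsec endpoint addresses (strings from %IPSEC::IPsecAddr)
#   $spi       : SPI as the tool expects it, e.g. '0x1000'
#   $key       : DES-CBC key (DES-CBC is what this conformance test
#                exercises; it is a legacy cipher, not a recommendation)
sub install_inbound_esp_sa {
    my ($src, $dst, $spi, $key) = @_;
    ipsecSetSAD(
        "src=$src",
        "dst=$dst",
        "spi=$spi",
        "mode=transport",
        "protocol=esp",
        "ealgo=des-cbc",
        "ealgokey=$key",
    );
    ipsecSetSPD(
        "src=$src",
        "dst=$dst",
        "upperspec=any",
        "direction=in",
        "protocol=esp",
        "mode=transport",
    );
    return;
}

# Send the echo request named $request on $IF and wait for the reply named
# $reply.  Anything other than GOT_REPLY ends the test with ipsecExitFail.
#   $host_label : the host name used in the log messages (HOST1, HOST2)
sub ping_or_fail {
    my ($request, $reply, $host_label) = @_;
    # ipsecPing2NUT returns ($stat, %ret); only the status is needed here.
    my ($stat) = ipsecPing2NUT($IF, $request, $reply);
    if ($stat ne 'GOT_REPLY') {
        vLogHTML("TN received no echo reply from NUT to $host_label.\n");
        ipsecExitFail();
    }
    vLogHTML("TN received echo reply from NUT to $host_label.\n");
    return;
}

#----- check NUT type
ipsecCheckNUT('host');

#----- set SAD,SPD
vLogHTML("*** Target initialization phase ***\n");
ipsecClearAll();

## HOST1 vs NUT (SA1: SPI 0x1000)
install_inbound_esp_sa(
    $IPSEC::IPsecAddr{IPSEC_HOST1_NET5_ADDR},
    $IPSEC::IPsecAddr{IPSEC_NUT_NET3_ADDR},
    '0x1000',
    '01234567',
);

## HOST2 vs NUT (SA2: SPI 0x2000)
install_inbound_esp_sa(
    $IPSEC::IPsecAddr{IPSEC_HOST2_NET5_ADDR},
    $IPSEC::IPsecAddr{IPSEC_NUT_NET3_ADDR},
    '0x2000',
    'foo0foo1',
);

#======================================================================
vLogHTML("*** Target testing phase ***\n");
vCapture($IF);

# ping TN(HOST1) <-> NUT
ping_or_fail('echo_request_from_host1_esp', 'echo_reply_to_host1', 'HOST1');
vLogHTML("Ping over 1st SA bundle is available.\n");

# ping TN(HOST2) <-> NUT
ping_or_fail('echo_request_from_host2_esp', 'echo_reply_to_host2', 'HOST2');
vLogHTML("Ping over 2nd SA bundle is available.\n");

vLogHTML("Ping over coexisting two SA bundles are available.\n");
ipsecExitPass();

######################################################################
__END__

=head1 NAME

HTR_E_In_2SA_DspiDipsrc - Host Transport Mode ESP Inbound 2 SA selection, Different SPI, Different IPsrc

=head1 TARGET

Host

=head1 SYNOPSIS

=begin html
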
  HTR_E_In_2SA_DspiDipsrc.seq [-tooloption ...] -pkt HTR_E_2SA_DspiDip.def
    -tooloption : v6eval tool option
  See also HTR_E_common.def and HTR_common.def
=end html

=head1 INITIALIZATION

=begin html

For details of Network Topology, see 00README

Set the NUT's SAD and SPD as follows:

              NET5      NET3
    HOST1_NET5 -- Router -- NUT
         -----transport-----> (SA1)
    HOST2_NET5
         -----transport-----> (SA2)

Security Association Database (SAD) for SA1

source address HOST1_NET5
destination address NUT_NET3
SPI 0x1000
mode transport
protocol ESP
ESP algorithm DES-CBC
ESP algorithm key 01234567

Security Policy Database (SPD) for SA1

source address HOST1_NET5
destination address NUT_NET3
upper spec any
direction in
protocol ESP
mode transport

Security Association Database (SAD) for SA2

source address HOST2_NET5
destination address NUT_NET3
SPI 0x2000
mode transport
protocol ESP
ESP algorithm DES-CBC
ESP algorithm key foo0foo1

Security Policy Database (SPD) for SA2

source address HOST2_NET5
destination address NUT_NET3
upper spec any
direction in
protocol ESP
mode transport
=end html

=head1 TEST PROCEDURE

=begin html
 Tester                      Target
   |                           |
   |-------------------------->|
   |      ICMP Echo Request    |
   |        From Host1         |
   |        (using SA1)        |
   |                           |
   |<--------------------------|
   |      ICMP Echo Reply      |
   |         To Host1          |
   |                           |
   |                           |
   |-------------------------->|
   |      ICMP Echo Request    |
   |        From Host2         |
   |        (using SA2)        |
   |                           |
   |<--------------------------|
   |      ICMP Echo Reply      |
   |         To Host2          |
   |                           |
   v                           v
  1. Send ICMP Echo Request using SA1 from Host1
  2. Receive ICMP Echo Reply to Host1
  3. Send ICMP Echo Request using SA2 from Host2
  4. Receive ICMP Echo Reply to Host2

ICMP Echo Request using SA1 from Host1

IP Header Source Address HOST1_NET5
Destination Address NUT_NET3
ESP SPI 0x1000
Algorithm DES-CBC
Key 01234567
ICMP Type 128 (Echo Request)

ICMP Echo Reply to Host1

IP Header Source Address NUT_NET3
Destination Address HOST1_NET5
ICMP Type 129 (Echo Reply)

ICMP Echo Request using SA2 from Host2

IP Header Source Address HOST2_NET5
Destination Address NUT_NET3
ESP SPI 0x2000
Algorithm DES-CBC
Key foo0foo1
ICMP Type 128 (Echo Request)

ICMP Echo Reply to Host2

IP Header Source Address NUT_NET3
Destination Address HOST2_NET5
ICMP Type 129 (Echo Reply)
=end html

=head1 JUDGEMENT

PASS: Both ICMP Echo Replies (to Host1 and to Host2) are received

=head1 SEE ALSO

perldoc V6evalTool

=begin html
  IPSEC.html IPsec Test Common Utility
=cut