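#!/usr/bin/perl
#
# $Copyright$
#
# $Id: RTU_A_In_2SA_DspiDipsrc.seq,v 1.1.1.1 2000/10/31 22:38:51 sekiya Exp $
#
######################################################################
#
# RTU_A_In_2SA_DspiDipsrc: Router, Tunnel mode, AH, Inbound, two SAs
# with different SPIs and different tunnel source addresses.
#
# The NUT (a router) is given two inbound AH tunnel-mode SAs that
# differ both in SPI (0x1000 vs 0x2000) and in tunnel source address
# (SG1_NET2 vs SG2_NET2).  The tester sends one AH-protected echo
# request through each tunnel on Link0 and expects the decapsulated
# inner packet to be forwarded on Link1.
#
# Only the arrival of the decapsulated packet on Link1 is asserted.
# No inbound SPD entry is installed (see the commented-out
# ipsecSetSPD calls), so this sequence exercises SA lookup and
# decapsulation, not policy checking of the inner packet.
#
# The verdict is reported through ipsecExitPass()/ipsecExitFail().
#
######################################################################

use strict;
use warnings;

BEGIN {
    unshift(@INC, '../ipsec/');
    $V6evalTool::TestVersion = '$Name: $ ';
}

use V6evalTool;
use IPSEC;

# Package globals rather than lexicals: the V6eval framework reads
# these from main:: (e.g. %pktdesc), so keep them visible there.
our %pktdesc = (
    ### TBD
);

our $IF0 = 'Link0';    # NUT-facing link, tester sends AH packets here
our $IF1 = 'Link1';    # link on which the decapsulated packet is expected

#----- check NUT type
ipsecCheckNUT('router');

#----- set SAD,SPD
vLogHTML("*** Target initialization phase ***\n");
ipsecClearAll();

## SG1 vs NUT  (SA1: SPI 0x1000, tunnel source SG1_NET2)
# Fixed test key; the same value is listed in the POD below.
ipsecSetSAD(
    "src=$IPSEC::IPsecAddr{IPSEC_SG1_NET2_ADDR}",
    "dst=$IPSEC::IPsecAddr{IPSEC_NUT_NET0_ADDR}",
    "spi=0x1000",
    "mode=tunnel",
    "direction=in",
    "protocol=ah",
    "aalgo=hmac-md5",
    "aalgokey=0123456789ABCDEF",
    "nsrc=$IPSEC::IPsecAddr{IPSEC_NET4_ADDR}",
    "ndst=$IPSEC::IPsecAddr{IPSEC_NET1_ADDR}",
);

# No SPD entry
#ipsecSetSPD(
#    "src=$IPSEC::IPsecAddr{IPSEC_NET4_ADDR}",
#    "dst=$IPSEC::IPsecAddr{IPSEC_NET1_ADDR}",
#    "upperspec=any",
#    "direction=in",
#    "protocol=ah",
#    "mode=tunnel",
#    "tsrc=$IPSEC::IPsecAddr{IPSEC_SG1_NET2_ADDR}",
#    "tdst=$IPSEC::IPsecAddr{IPSEC_NUT_NET0_ADDR}",
#);

## SG2 vs NUT  (SA2: SPI 0x2000, tunnel source SG2_NET2)
# Fixed test key; the same value is listed in the POD below.
ipsecSetSAD(
    "src=$IPSEC::IPsecAddr{IPSEC_SG2_NET2_ADDR}",
    "dst=$IPSEC::IPsecAddr{IPSEC_NUT_NET0_ADDR}",
    "spi=0x2000",
    "mode=tunnel",
    "direction=in",
    "protocol=ah",
    "aalgo=hmac-md5",
    "aalgokey=foo0foo1foo2foo3",
    "nsrc=$IPSEC::IPsecAddr{IPSEC_NET6_ADDR}",
    "ndst=$IPSEC::IPsecAddr{IPSEC_NET1_ADDR}",
);

# No SPD entry
#ipsecSetSPD(
#    "src=$IPSEC::IPsecAddr{IPSEC_NET6_ADDR}",
#    "dst=$IPSEC::IPsecAddr{IPSEC_NET1_ADDR}",
#    "upperspec=any",
#    "direction=in",
#    "protocol=ah",
#    "mode=tunnel",
#    "tsrc=$IPSEC::IPsecAddr{IPSEC_SG2_NET2_ADDR}",
#    "tdst=$IPSEC::IPsecAddr{IPSEC_NUT_NET0_ADDR}",
#);

ipsecEnable();

#======================================================================
vLogHTML("*** Target testing phase ***\n");

vCapture($IF0);
vCapture($IF1);

# Topology (see the POD INITIALIZATION section):
#
#   NET1          NET0       NET2       NET4
#   HOST1_NET1 <- NUT <- Router <- SG1 <- HOST1_NET4
#                        <====tunnel-1===
#                                   NET2       NET6
#                                <- SG2 <- HOST1_NET6
#                        <====tunnel-2===

# <====tunnel-1===
# ipsecForwardDecap() sends the first packet description on $IF0 and
# waits for the second on $IF1; only the status word is needed here.
my ($stat) = ipsecForwardDecap(
    $IF0, $IF1,
    'ahtun_from_sg1_net2_echo_request_from_host1_net4_to_host1_net1_on_net0',
    'echo_request_from_host1_net4_to_host1_net1_on_net1',
);
if ($stat ne 'GOT_PACKET') {
    vLogHTML("TN received no decapsulated packet from NUT\n");
    ipsecExitFail();
}
vLogHTML("TN received decapsulated packet from HOST1_NET4 to HOST1_NET1.\n");
vLogHTML("Tunnel over 1st SA bundle is available.\n");

# <====tunnel-2===
($stat) = ipsecForwardDecap(
    $IF0, $IF1,
    'ahtun_from_sg2_net2_echo_request_from_host1_net6_to_host1_net1_on_net0',
    'echo_request_from_host1_net6_to_host1_net1_on_net1',
);
if ($stat ne 'GOT_PACKET') {
    vLogHTML("TN received no decapsulated packet from NUT\n");
    ipsecExitFail();
}
vLogHTML("TN received decapsulated packet from HOST1_NET6 to HOST1_NET1.\n");
vLogHTML("Tunnel over 2nd SA bundle is available.\n");

vLogHTML("Tunnel over coexisting two SA bundles are available.\n");
ipsecExitPass();

######################################################################
__END__

=head1 NAME

RTU_A_In_2SA_DspiDipsrc - Router Tunnel Mode AH Inbound 2 SA selection, Different SPI, Different IPsrc

=head1 TARGET

Router

=head1 SYNOPSIS

=begin html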
  RTU_A_In_2SA_DspiDipsrc.seq [-tooloption ...] -pkt RTU_A_2SA_DspiDip.def
    -tooloption : v6eval tool option
  See also HTR_A_common.def and HTR_common.def
=end html

=head1 INITIALIZATION

=begin html

For details of the network topology, see 00README

Set the NUT's SAD and SPD as follows:

                           (Link0)  (Link1)
            NET4   NET2      NET0   NET1
  HOST1_NET4 -- SG1 +- Router -- NUT -- HOST1_NET1
                 ===|=tunnel======> (SA1)
            NET6    |
  HOST1_NET6 -- SG2 +
                 =====tunnel======> (SA2)

Security Association Database (SAD) for SA1

source address SG1_NET2
destination address NUT_NET0
SPI 0x1000
mode tunnel
protocol AH
AH algorithm HMAC-MD5
AH algorithm key 0123456789ABCDEF

Security Policy Database (SPD) for SA1

No SPD entry

Security Association Database (SAD) for SA2

source address SG2_NET2
destination address NUT_NET0
SPI 0x2000
mode tunnel
protocol AH
AH algorithm HMAC-MD5
AH algorithm key foo0foo1foo2foo3

Security Policy Database (SPD) for SA2

No SPD entry
=end html

=head1 TEST PROCEDURE

=begin html
 Tester                      Target                      Tester
              (Link0)                     (Link1)
   |                           |                           |
   |-------------------------->|                           |
   |      ICMP Echo Request    |                           |
   |       From Host1Net4      |                           |
   |        (using SA1)        |                           |
   |                           |                           |
   |                           |-------------------------->|
   |                           |      ICMP Echo Request    |
   |                           |       From Host1Net4      |
   |                           |                           |
   |                           |                           |
   |-------------------------->|                           |
   |      ICMP Echo Request    |                           |
   |       From Host1Net6      |                           |
   |        (using SA2)        |                           |
   |                           |                           |
   |                           |-------------------------->|
   |                           |      ICMP Echo Request    |
   |                           |       From Host1Net6      |
   |                           |                           |
   |                           |                           |
   v                           v                           v
  1. Send ICMP Echo Request FromHost1Net4 using SA1 to Link0
  2. Receive ICMP Echo Request FromHost1Net4 from Link1
  3. Send ICMP Echo Request FromHost1Net6 using SA2 to Link0
  4. Receive ICMP Echo Request FromHost1Net6 from Link1

ICMP Echo Request FromHost1Net4 using SA1 to Link0

IP Header Source Address SG1_NET2
Destination Address NUT_NET0
AH SPI 0x1000
Algorithm HMAC-MD5
Key 0123456789ABCDEF
IP Header Source Address HOST1_NET4
Destination Address HOST1_NET1
ICMP Type 128 (Echo Request)

ICMP Echo Request FromHost1Net4 from Link1

IP Header Source Address HOST1_NET4
Destination Address HOST1_NET1
ICMP Type 128 (Echo Request)

ICMP Echo Request FromHost1Net6 using SA2 to Link0

IP Header Source Address SG2_NET2
Destination Address NUT_NET0
AH SPI 0x2000
Algorithm HMAC-MD5
Key foo0foo1foo2foo3
IP Header Source Address HOST1_NET6
Destination Address HOST1_NET1
ICMP Type 128 (Echo Request)

ICMP Echo Request FromHost1Net6 from Link1

IP Header Source Address HOST1_NET6
Destination Address HOST1_NET1
ICMP Type 128 (Echo Request)
=end html

=head1 JUDGEMENT

PASS: Both ICMP Echo Requests (using SA1 and SA2) are received

=head1 SEE ALSO

perldoc V6evalTool

=begin html
  IPSEC.html IPsec Test Common Utility
=end html

=cut