
2013.10.24
[uclinux-h8/uClinux-dist.git] / freeswan / pluto / test / bin / dowhack
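#!/bin/sh

# A collection of whack sequences to test Pluto.
# Generally, we command the west Pluto to negotiate with east.
# Sometimes north and south come into play.

# Site settings for the test network. This script reads WESTIP, EASTIP,
# IKEPORT, WESTSUBNET, EASTSUBNET and the opportunism targets (TRURO,
# VANCOUVER, VICTORIA, ANTIGONISH, ATLANTIS) -- presumably all set by CONFIG.
# NOTE(review): "." runs the file's contents in this shell, and a name with
# no slash is searched for along $PATH (some shells then fall back to the
# current directory). Run this only from the test directory, with a PATH
# that cannot supply a different CONFIG.
. CONFIG

# Option strings describing each end of a connection. They are expanded
# unquoted by the callers on purpose, so that each one splits into several
# whack arguments.
WESTHOST="--host $WESTIP --ikeport $IKEPORT"
WESTNET="$WESTHOST --client $WESTSUBNET"

EASTHOST="--host $EASTIP --ikeport $IKEPORT"
EASTNET="$EASTHOST --client $EASTSUBNET"

ANYHOST="--host %any --ikeport $IKEPORT"
OPPO="--host %opportunistic --ikeport $IKEPORT"

# whack command prefixes: one control-socket base per Pluto instance.
# Both paths are relative, so the current directory decides which whack
# binary and which control sockets are used.
WESTWHACK="../whack --ctlbase ./pluto.west"
EASTWHACK="../whack --ctlbase ./pluto.east"

# Lifetime options shared by the connection definitions; the numbered
# variants differ only in --keyingtries.
TIMES="--rekeymargin 350 --ikelifetime 900 --ipseclifetime 800"
TIMES0="$TIMES --keyingtries 0"
TIMES1="$TIMES --keyingtries 1"
TIMES2="$TIMES --keyingtries 2"

LIST="1 2 3 4 5"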
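# Echo a command line, run it, and report a non-zero exit status.
# Arguments: the command and its arguments, one word each.
# Outputs:   the command line, the command's own output, and "RC: <status>"
#            when the command fails.
# Returns:   0 in every case shown here (the last command is an echo), so a
#            failing step is visible only in the output and never stops the
#            sequence.
# Written as "name()" rather than "function name()": the file's #!/bin/sh
# interpreter is not guaranteed to accept the "function" keyword.
perform() {
        echo "$@"
        "$@" || echo "RC: $?"
}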
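# Send a whack command to the west Pluto.
# Globals:   WESTWHACK (read) -- expanded unquoted on purpose so that it
#            splits into the whack path and its --ctlbase option.
# Arguments: whack options, passed through unchanged.
# Written as "name()" rather than "function name()": the file's #!/bin/sh
# interpreter is not guaranteed to accept the "function" keyword.
me() {
        perform $WESTWHACK "$@"
}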
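# Send a whack command to the east Pluto.
# Globals:   EASTWHACK (read) -- expanded unquoted on purpose so that it
#            splits into the whack path and its --ctlbase option.
# Arguments: whack options, passed through unchanged.
# Written as "name()" rather than "function name()": the file's #!/bin/sh
# interpreter is not guaranteed to accept the "function" keyword.
him() {
        perform $EASTWHACK "$@"
}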
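# Send the same whack command to the west Pluto, then to the east Pluto.
# Globals:   WESTWHACK, EASTWHACK (read) -- expanded unquoted on purpose so
#            that each splits into the whack path and its --ctlbase option.
# Arguments: whack options, passed through unchanged to both instances.
# The east command runs even when the west one fails.
# Written as "name()" rather than "function name()": the file's #!/bin/sh
# interpreter is not guaranteed to accept the "function" keyword.
both() {
        perform $WESTWHACK "$@"
        perform $EASTWHACK "$@"
}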
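# Run every whack sequence named on the command line, in order.
# As the arms below show, "d<name>" defines a connection and "x<name>"
# initiates (exercises) it; listen, kall, shutdown and status act on both
# Plutos. An unknown name prints a message and exits with status 1.
#
# The multi-word option strings ($EASTHOST, $WESTNET, $OPPO, $TIMES2, ...)
# are left unquoted on purpose: each must split into several whack
# arguments. Single-value variables are quoted so that an unset one reaches
# whack as an empty argument instead of silently shifting the options that
# follow it.
for i
do
case "$i" in
listen)
        both --listen
        ;;
kall)
        # Load the RSA public keys for every peer identity into both Plutos.
        # These are public keys only; no private key material appears here.
        # NOTE(review): the address and @name identities of north and south
        # share one key each, while east and west use a different key per
        # identity form -- presumably intended by the tests; confirm.
        both --keyid 127.95.7.2 --pubkeyrsa 0sAQOeSJscIy2XZHfs+PODDqdgJR2FmdfRNqzURVL5q2fesMHmibMLPM5cTPx2HvYKBX3YyB+BdHoojmFNixV+RTrKyyN0Og4PYwhdw0FUApDvOg7KYe1CeLUeTAUzT5Pq7MdclRW5bYY84hXSfKgaPwPTwuiLKEnVdbhGgwxqwfQ6ow==
        both --keyid @east.example.com --pubkeyrsa 0sAQNWmttqbM8nIypsHEULynOagFyV1MQ+/1yF5sa32abxBb2fimah7NsHM9l/KpNo7RGtiP0L6triedsZ0xz1Maa4DPnZlrtexu5uIH+FH34SUr7Xe2RcHnLVOznHMzacgcjrOUvV/nA9OEGvm7vRsMAWm/VjNuNugogFreiYEpFMQQ==
        both --keyid 127.95.7.3 --pubkeyrsa 0sAQN4JFU9gRnG336z1n1cV2LA6ACi1TjXfv3pvl6DRqa6uqBFM9RO4oArPc6FsBkBwEmMr8cpeFn4mVaepVe63qnvmQbGXVcRwhx0a509M824HjnyM04Xpoh2UuP/Mhnkm1cynunRuyGqXaZhlj4s+GbcOxPXhopz94wer+Qs/qvGqw==
        both --keyid @north.example.com --pubkeyrsa 0sAQN4JFU9gRnG336z1n1cV2LA6ACi1TjXfv3pvl6DRqa6uqBFM9RO4oArPc6FsBkBwEmMr8cpeFn4mVaepVe63qnvmQbGXVcRwhx0a509M824HjnyM04Xpoh2UuP/Mhnkm1cynunRuyGqXaZhlj4s+GbcOxPXhopz94wer+Qs/qvGqw==
        both --keyid 127.95.7.4 --pubkeyrsa 0sAQOKe6+kbDtp4PB8NZshjCBw8z5wuGCAddokgSDATW47tNmQhUvzlnT1ia1ZsyiRFph1LJkz+A0bkbOhPr1vWUJHK6/s+Y8Rf7GSZC0Fi5Fr4DgpWwswzFaLl4baRfeu8z4k147dtSoG4K/6UfQ+IbqML5lwm92uRqONszbn/PDDPQ==
        both --keyid @south.example.com --pubkeyrsa 0sAQOKe6+kbDtp4PB8NZshjCBw8z5wuGCAddokgSDATW47tNmQhUvzlnT1ia1ZsyiRFph1LJkz+A0bkbOhPr1vWUJHK6/s+Y8Rf7GSZC0Fi5Fr4DgpWwswzFaLl4baRfeu8z4k147dtSoG4K/6UfQ+IbqML5lwm92uRqONszbn/PDDPQ==
        both --keyid 127.95.7.1 --pubkeyrsa 0sAQOOyFBeFFr9CWXgn1aOEvTr98HG4inSckTXlyYi5x85G+Q1+PZ/roqB3OtnRS2XbXFb3n92QjZMJ403wQUwMAt6uzXzXDle5VvFn7cVXq3ch0jqQUxIFcdIIFR2wtkxvAr20xSOHNF/ozmKVZLkrHLu4RvVCCbSNa5toqLXblkcOQ==
        both --keyid @west.example.com --pubkeyrsa 0sAQOFtqrs57eghHmYREoCu1iGn4kXd+a6yT7wCFUk54d9i08mR4h5uFKPhc9fq78XNqz1AhrBH3SRcWAfJ8DaeGvZ0ZvCrTQZn+RJzX1FQ4fjuGBO0eup2XUMsYDw01PFzQ9O4qlwly6niOcMTxvbWgGcl+3DYfRvHgxet8kNtfqzHQ==
        ;;
shutdown)
        both --shutdown
        ;;
status)
        both --status
        ;;

# "isakmp": ISAKMP SA only; PSK or RSA

disakmp-psk)
        both --name isakmp-psk --psk $EASTHOST --to $WESTHOST $TIMES2
        ;;
xisakmp-psk)
        me --name isakmp-psk --initiate
        ;;

disakmp-rsa)
        both --name isakmp-rsa --rsa $EASTHOST --to $WESTHOST $TIMES2
        ;;
xisakmp-rsa)
        me --name isakmp-rsa --initiate
        ;;

# "ipsec": IPsec SA

dipsec-psk)
        both --name ipsec-psk --delete --psk \
                --updown silly $EASTNET --to --updown sally $WESTNET \
                --authenticate --encrypt --pfs $TIMES2
        ;;
xipsec-psk)
        me --name ipsec-psk --initiate
        ;;

dipsec-rsa)
        both --name ipsec-rsa --delete --rsa \
                --updown silly $EASTNET --to --updown sally $WESTNET \
                --authenticate --encrypt --pfs $TIMES2
        ;;
xipsec-rsa)
        me --name ipsec-rsa --initiate
        ;;

# like dipsec-rsa, except compression is specified
# NOTE(review): this definition also omits --pfs, which dipsec-rsa passes;
# confirm that is intended.
dipsec-rsa-c)
        both --name ipsec-rsa-c --delete --rsa \
                --updown silly $EASTNET --to --updown sally $WESTNET \
                --authenticate --encrypt --compress $TIMES2
        ;;
xipsec-rsa-c)
        me --name ipsec-rsa-c --initiate
        ;;

# Road Warrior:
# west names east explicitly; east accepts the peer from any address
# (%any) and fixes only the client subnet.

dipsec-psk-rw)
        me --name ipsec-psk-rw --delete --psk \
                --updown sally $WESTNET \
                --to --updown silly $EASTNET \
                --encrypt $TIMES2
        him --name ipsec-psk-rw --delete --psk \
                --updown silly $ANYHOST \
                        --client "$WESTSUBNET" \
                --to --updown sally $EASTNET --nexthop %direct \
                --encrypt $TIMES2
        ;;
xipsec-psk-rw)
        me --name ipsec-psk-rw --initiate
        ;;

dipsec-rsa-rw)
        me --name ipsec-rsa-rw --delete --rsa \
                --updown sally $WESTNET \
                --to --updown silly $EASTNET \
                --encrypt $TIMES2
        him --name ipsec-rsa-rw --delete --rsa \
                --updown silly $ANYHOST \
                        --client "$WESTSUBNET" \
                --to --updown sally $EASTNET --nexthop %direct \
                --encrypt $TIMES2
        ;;
xipsec-rsa-rw)
        me --name ipsec-rsa-rw --initiate
        ;;

# Opportunism
# --pfs and --rsa required

dipsec-oppo)
        # self
        me --name ipsec-oppo-me --delete --rsa --pfs \
                --updown sally $WESTHOST --nexthop %direct \
                --to --updown silly $OPPO \
                --encrypt $TIMES2
        # clients
        me --name ipsec-oppo-mine --delete --rsa --pfs \
                --updown sally $WESTNET --nexthop %direct \
                --to --updown silly $OPPO \
                --encrypt $TIMES2
        # self
        him --name ipsec-oppo-me --delete --rsa --pfs \
                --updown silly $OPPO \
                --to --updown sally $EASTHOST --nexthop %direct \
                --encrypt $TIMES2
        # clients
        him --name ipsec-oppo-mine --delete --rsa --pfs \
                --updown silly $OPPO \
                --to --updown sally $EASTNET --nexthop %direct \
                --encrypt $TIMES2
        ;;
xipsec-oppo)
        # host to host
        me --oppohere "$WESTIP" --oppothere "$EASTIP"

        # host to client
        me --oppohere "$WESTIP" --oppothere "$TRURO"

        # client to host
        me --oppohere "$VANCOUVER" --oppothere "$EASTIP"

        # client to client
        me --oppohere "$VICTORIA" --oppothere "$ANTIGONISH"

        # whack error: 0.0.0.0 or 0::0 isn't a valid client address "0.0.0.0"
        # me --oppohere 0.0.0.0 --oppothere $ANTIGONISH

        # whack error: 0.0.0.0 or 0::0 isn't a valid client address "0.0.0.0"
        # me --oppohere $VICTORIA --oppothere 0.0.0.0

        # 033 no suitable connection for opportunism between 127.95.7.22 and 127.95.7.10 with 127.95.7.1 as peer
        me --oppohere "$ANTIGONISH" --oppothere "$VICTORIA"

        # 033 Can't Opportunistically initiate for 127.95.7.10 to 127.95.7.23: no host 23.7.95.127.in-addr.arpa. for TXT record
        me --oppohere "$VICTORIA" --oppothere "$ATLANTIS"

        # Responder says: "ipsec-oppo-me" 127.95.7.1 0.0.0.0/32 #1: gateway 127.95.7.1 claims client 127.95.7.8, but DNS for client fails to confirm: no host 8.7.95.127.in-addr.arpa. for TXT record
        # Initiator slowly times out.
        # me --oppohere $VANISHED --oppothere $ANTIGONISH
        ;;

# stipple: test opportunism by trying a bunch of targets

dstipple-serial|dstipple-parallel)
        # self
        me --name ipsec-oppo-me --delete --rsa --pfs \
                --updown sally $WESTHOST --nexthop %direct \
                --to --updown silly $OPPO \
                --encrypt $TIMES2
        ;;
xstipple-serial)
        # Ten opportunistic initiations, one after another, to consecutive
        # addresses produced by the external "ipnext" helper.
        n=10
        a=192.139.70.1
        # Numeric test with "[": an unescaped ">" in an expr call is parsed
        # by the shell as a redirection and leaves a file named "0" behind.
        while [ "$n" -gt 0 ]
        do
                n=$((n - 1))
                me --oppohere "$WESTIP" --oppothere "$a"
                a=$(ipnext "$a")
        done
        ;;
xstipple-parallel)
        # Same ten targets, but each initiation runs in the background, so
        # the echoed command lines and results may interleave.
        n=10
        a=192.139.70.1
        while [ "$n" -gt 0 ]
        do
                n=$((n - 1))
                me --oppohere "$WESTIP" --oppothere "$a" &
                a=$(ipnext "$a")
        done
        # Do not move on to the next sequence until every initiation is done.
        wait
        ;;
*)
        echo "$0: $i unknown"
        exit 1
        ;;
esac
done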