1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
|
SPDX-License-Identifier: BSD-3-Clause
Copyright (c) 2014-2018 Linaro Limited
1. Intro
The odp_ipsec_crypto example application demonstrates an IPsec implementation
using ODP crypto APIs. The application functions as a simple L3 IPv4 router
which supports IPsec 3DES cipher and HMAC-MD5 authentication in both the
transmit and receive directions. Note that only IPsec "transport" mode is
supported.
2. Prerequisites
2.1 SSL development libraries
Development has been done to this point with the openssl-devel libraries,
the makefile specifically links with "-lcrypto".
3. Topology
The following test topology was used for development. Each of the VMs
is running Fedora 32. Sanity testing consists of pinging VM2 from VM0
such that the packets traverse VM1. Packets between VM1 and VM2 are
IPsec AH and ESP encapsulated.
VM0 VM1 (UUT) VM2
+------------+ +--------------+ +------------+
| | (clear) | | (crypto) | |
| | subnet | | subnet | |
| p7p1 |<---------------->| p7p1 p8p1 |<---------------->| p7p1 |
| .2 | 192.168.111.0 | .1 .1 | 192.168.222.0 | .2 |
| | | | | |
+------------+ +--------------+ +------------+
4. VM configurations
4.1 VM0 configuration
VM0 has the following interface configuration:
cat /etc/sysconfig/network-scripts/ifcfg-p7p1
DEVICE=p7p1
HWADDR=08:00:27:76:B5:E0
BOOTPROTO=static
IPADDR=192.168.111.2
NETMASK=255.255.255.0
ONBOOT=yes
In addition, static ARP and IPv4 routes must be added on VM0:
sudo ip route add 192.168.222.0/24 via 192.168.111.1
sudo arp -s 192.168.111.1 08:00:27:04:BF:8C
4.2 VM1 configuration
For the unit under test, IP forwarding and IP tables were disabled.
VM1 has the following interface configurations:
cat /etc/sysconfig/network-scripts/ifcfg-p7p1
DEVICE=p7p1
HWADDR=08:00:27:04:BF:8C
BOOTPROTO=static
IPADDR=192.168.111.1
NETMASK=255.255.255.0
ONBOOT=yes
cat /etc/sysconfig/network-scripts/ifcfg-p8p1
DEVICE=p8p1
HWADDR=08:00:27:4C:55:CC
BOOTPROTO=static
IPADDR=192.168.222.1
NETMASK=255.255.255.0
ONBOOT=yes
The application is launched on VM1 with the following command:
sudo ./odp_ipsec_crypto -i p7p1,p8p1 \
-r 192.168.111.2/32,p7p1,08:00:27:76:B5:E0 \
-r 192.168.222.2/32,p8p1,08:00:27:F5:8B:DB \
-p 192.168.111.0/24,192.168.222.0/24,out,both \
-e 192.168.111.2,192.168.222.2,3des,201,656c8523255ccc23a66c1917aa0cf30991fce83532a4b224 \
-a 192.168.111.2,192.168.222.2,md5,200,a731649644c5dee92cbd9c2e7e188ee6 \
-p 192.168.222.0/24,192.168.111.0/24,in,both \
-e 192.168.222.2,192.168.111.2,3des,301,c966199f24d095f3990a320d749056401e82b26570320292 \
-a 192.168.222.2,192.168.111.2,md5,300,27f6d123d7077b361662fc6e451f65d8 \
-c 2 -m 0
4.3 VM2 configuration
VM2 has the following interface configuration:
cat /etc/sysconfig/network-scripts/ifcfg-p7p1
DEVICE=p7p1
HWADDR=08:00:27:F5:8B:DB
BOOTPROTO=static
IPADDR=192.168.222.2
NETMASK=255.255.255.0
ONBOOT=yes
In addition, static ARP and IPv4 routes must be added on VM2:
sudo ip route add 192.168.111.0/24 via 192.168.222.1
sudo arp -s 192.168.222.1 08:00:27:4c:55:cc
VM2 must be setup with an IPsec configuration complementing
the configuration used by the "odp_ipsec_crypto" application running
on VM1. The configuration is applied using "setkey" (provided by ipsec-tools
package).
VM2 uses the following setkey configuration:
cat setkey_vm2.conf
# Flush the SAD and SPD
flush;
spdflush;
add 192.168.111.2 192.168.222.2 ah 0x200 -A hmac-md5
0xa731649644c5dee92cbd9c2e7e188ee6;
add 192.168.222.2 192.168.111.2 ah 0x300 -A hmac-md5
0x27f6d123d7077b361662fc6e451f65d8;
add 192.168.111.2 192.168.222.2 esp 0x201 -E 3des-cbc
0x656c8523255ccc23a66c1917aa0cf30991fce83532a4b224;
add 192.168.222.2 192.168.111.2 esp 0x301 -E 3des-cbc
0xc966199f24d095f3990a320d749056401e82b26570320292;
spdadd 192.168.111.2 192.168.222.2 any -P in ipsec
esp/transport//require
ah/transport//require;
spdadd 192.168.222.2 192.168.111.2 any -P out ipsec
esp/transport//require
ah/transport//require;
Apply the setkey configuration:
sudo setkey -f setkey_vm2.conf
5. Sanity Test with Real Traffic
Once all three VMs have been configured, static ARP and route entries added,
setkey configuration applied, and odp_ipsec_crypto application is running, VM0
should be able to ping VM2 at the 192.168.222.2 address.
At VM0 console issue the ping to VM2's address:
sudo ping -c 2 -i 0.1 192.168.222.2
PING 192.168.222.2 (192.168.222.2) 56(84) bytes of data.
64 bytes from 192.168.222.2: icmp_req=1 ttl=64 time=33.9 ms
64 bytes from 192.168.222.2: icmp_req=2 ttl=64 time=23.3 ms
At VM2 console use tcpdump to observe IPsec packets:
sudo tcpdump -nt -i p7p1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on p7p1, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 192.168.111.2 > 192.168.222.2: AH(spi=0x00000200,seq=0x6): ESP(spi=0x00000201,seq=0x6), length 88
IP 192.168.222.2 > 192.168.111.2: AH(spi=0x00000300,seq=0x7a): ESP(spi=0x00000301,seq=0x7a), length 88
IP 192.168.111.2 > 192.168.222.2: AH(spi=0x00000200,seq=0x7): ESP(spi=0x00000201,seq=0x7), length 88
IP 192.168.222.2 > 192.168.111.2: AH(spi=0x00000300,seq=0x7b): ESP(spi=0x00000301,seq=0x7b), length 88
6. Standalone Loopback Tests
BASH batch files are now included to run several simple loopback tests that
do not require any packet IO. The scripts create internal "loopback" packet
interfaces.
Before running the example bash scripts add odp_ipsec_crypto to your PATH
export PATH="<path_to_odp_ipsec_crypto>:$PATH"
|
