testing: Add route-based/net2net-gre scenario

testing/tests/route-based/net2net-gre/description.txt

@@ -0,0 +1,12 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b>
+is set up using GRE interfaces.
+<p/>
+The gateways use <b>route-based forwarding</b> with <b>GRE tunnels</b>, with
+firewall rules to allow traffic to pass. The IPsec traffic selector is limited
+to the GRE protocol, specific routing is achieved with routes on the GRE
+interfaces. The IKE daemon is configured to not install routes with
+<em>charon.install_routes=0</em>, and static routes are installed for the
+target subnets on the VTI interfaces.
+<p/>
+Client <b>alice</b> behind gateway <b>moon</b> pings client <b>bob</b> located
+behind gateway <b>sun</b>.

testing/tests/route-based/net2net-gre/evaltest.dat

@@ -0,0 +1,5 @@
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::gw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org.*child-sas.*gre.*reqid=1 state=INSTALLED mode=TRANSPORT.*ESP.*local-ts=\[PH_IP_MOON/32\[gre]] remote-ts=\[PH_IP_SUN/32\[gre]]::YES
+sun:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::gw.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org.*child-sas.*gre.*reqid=1 state=INSTALLED mode=TRANSPORT.*ESP.*local-ts=\[PH_IP_SUN/32\[gre]] remote-ts=\[PH_IP_MOON/32\[gre]]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES

testing/tests/route-based/net2net-gre/hosts/moon/etc/strongswan.conf

@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
+
+charon {
+  install_routes = 0
+}

testing/tests/route-based/net2net-gre/hosts/moon/etc/swanctl/swanctl.conf

@@ -0,0 +1,29 @@
+connections {
+
+   gw-gw {
+      local_addrs  = PH_IP_MOON
+      remote_addrs = PH_IP_SUN
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         gre {
+            local_ts  = dynamic[gre]
+            remote_ts = dynamic[gre]
+            mode = transport
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}

testing/tests/route-based/net2net-gre/hosts/sun/etc/strongswan.conf

@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
+
+charon {
+  install_routes = 0
+}

testing/tests/route-based/net2net-gre/hosts/sun/etc/swanctl/swanctl.conf

@@ -0,0 +1,29 @@
+connections {
+
+   gw-gw {
+      local_addrs  = PH_IP_SUN
+      remote_addrs = PH_IP_MOON
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         gre {
+            local_ts  = dynamic[gre]
+            remote_ts = dynamic[gre]
+            mode = transport
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}

testing/tests/route-based/net2net-gre/posttest.dat

@@ -0,0 +1,7 @@
+moon::swanctl --terminate --ike gw-gw
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip tunnel del gre-moon
+sun::ip tunnel del gre-sun

testing/tests/route-based/net2net-gre/pretest.dat

@@ -0,0 +1,17 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ip tunnel add gre-moon local PH_IP_MOON remote PH_IP_SUN mode gre key 42
+moon::ip link set gre-moon up
+moon::ip route add 10.2.0.0/16 dev gre-moon
+moon::iptables -A FORWARD -i gre-moon -j ACCEPT
+moon::iptables -A FORWARD -o gre-moon -j ACCEPT
+sun::ip tunnel add gre-sun local PH_IP_SUN remote PH_IP_MOON mode gre key 42
+sun::ip link set gre-sun up
+sun::ip route add 10.1.0.0/16 dev gre-sun
+sun::iptables -A FORWARD -i gre-sun -j ACCEPT
+sun::iptables -A FORWARD -o gre-sun -j ACCEPT
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child gre

testing/tests/route-based/net2net-gre/test.conf

@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1