l2tp.sh 9.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376
  1. #!/bin/bash
  2. # SPDX-License-Identifier: GPL-2.0
  3. #
  4. # L2TPv3 tunnel between 2 hosts
  5. #
  6. # host-1 | router | host-2
  7. # | |
  8. # lo l2tp | | l2tp lo
  9. # 172.16.101.1 172.16.1.1 | | 172.16.1.2 172.16.101.2
  10. # fc00:101::1 fc00:1::1 | | fc00:1::2 fc00:101::2
  11. # | |
  12. # eth0 | | eth0
  13. # 10.1.1.1 | | 10.1.2.1
  14. # 2001:db8:1::1 | | 2001:db8:2::1
  15. source lib.sh
  16. VERBOSE=0
  17. PAUSE_ON_FAIL=no
  18. which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)
  19. ################################################################################
  20. #
  21. log_test()
  22. {
  23. local rc=$1
  24. local expected=$2
  25. local msg="$3"
  26. if [ ${rc} -eq ${expected} ]; then
  27. printf "TEST: %-60s [ OK ]\n" "${msg}"
  28. nsuccess=$((nsuccess+1))
  29. else
  30. ret=1
  31. nfail=$((nfail+1))
  32. printf "TEST: %-60s [FAIL]\n" "${msg}"
  33. if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
  34. echo
  35. echo "hit enter to continue, 'q' to quit"
  36. read a
  37. [ "$a" = "q" ] && exit 1
  38. fi
  39. fi
  40. }
  41. run_cmd()
  42. {
  43. local ns
  44. local cmd
  45. local out
  46. local rc
  47. ns="$1"
  48. shift
  49. cmd="$*"
  50. if [ "$VERBOSE" = "1" ]; then
  51. printf " COMMAND: $cmd\n"
  52. fi
  53. out=$(eval ip netns exec ${ns} ${cmd} 2>&1)
  54. rc=$?
  55. if [ "$VERBOSE" = "1" -a -n "$out" ]; then
  56. echo " $out"
  57. fi
  58. [ "$VERBOSE" = "1" ] && echo
  59. return $rc
  60. }
  61. ################################################################################
  62. # create namespaces and interconnects
  63. create_ns()
  64. {
  65. local ns=$1
  66. local addr=$2
  67. local addr6=$3
  68. [ -z "${addr}" ] && addr="-"
  69. [ -z "${addr6}" ] && addr6="-"
  70. if [ "${addr}" != "-" ]; then
  71. ip -netns ${ns} addr add dev lo ${addr}
  72. fi
  73. if [ "${addr6}" != "-" ]; then
  74. ip -netns ${ns} -6 addr add dev lo ${addr6}
  75. fi
  76. ip -netns ${ns} ro add unreachable default metric 8192
  77. ip -netns ${ns} -6 ro add unreachable default metric 8192
  78. ip netns exec ${ns} sysctl -qw net.ipv4.ip_forward=1
  79. ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
  80. ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.forwarding=1
  81. ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.forwarding=1
  82. ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.accept_dad=0
  83. }
  84. # create veth pair to connect namespaces and apply addresses.
  85. connect_ns()
  86. {
  87. local ns1=$1
  88. local ns1_dev=$2
  89. local ns1_addr=$3
  90. local ns1_addr6=$4
  91. local ns2=$5
  92. local ns2_dev=$6
  93. local ns2_addr=$7
  94. local ns2_addr6=$8
  95. ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp
  96. ip -netns ${ns1} li set ${ns1_dev} up
  97. ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev}
  98. ip -netns ${ns2} li set ${ns2_dev} up
  99. if [ "${ns1_addr}" != "-" ]; then
  100. ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr}
  101. ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr}
  102. fi
  103. if [ "${ns1_addr6}" != "-" ]; then
  104. ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6}
  105. ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6}
  106. fi
  107. }
  108. ################################################################################
  109. # test setup
  110. cleanup()
  111. {
  112. cleanup_ns $host_1 $host_2 $router
  113. }
  114. setup_l2tp_ipv4()
  115. {
  116. #
  117. # configure l2tpv3 tunnel on host-1
  118. #
  119. ip -netns $host_1 l2tp add tunnel tunnel_id 1041 peer_tunnel_id 1042 \
  120. encap ip local 10.1.1.1 remote 10.1.2.1
  121. ip -netns $host_1 l2tp add session name l2tp4 tunnel_id 1041 \
  122. session_id 1041 peer_session_id 1042
  123. ip -netns $host_1 link set dev l2tp4 up
  124. ip -netns $host_1 addr add dev l2tp4 172.16.1.1 peer 172.16.1.2
  125. #
  126. # configure l2tpv3 tunnel on host-2
  127. #
  128. ip -netns $host_2 l2tp add tunnel tunnel_id 1042 peer_tunnel_id 1041 \
  129. encap ip local 10.1.2.1 remote 10.1.1.1
  130. ip -netns $host_2 l2tp add session name l2tp4 tunnel_id 1042 \
  131. session_id 1042 peer_session_id 1041
  132. ip -netns $host_2 link set dev l2tp4 up
  133. ip -netns $host_2 addr add dev l2tp4 172.16.1.2 peer 172.16.1.1
  134. #
  135. # add routes to loopback addresses
  136. #
  137. ip -netns $host_1 ro add 172.16.101.2/32 via 172.16.1.2
  138. ip -netns $host_2 ro add 172.16.101.1/32 via 172.16.1.1
  139. }
  140. setup_l2tp_ipv6()
  141. {
  142. #
  143. # configure l2tpv3 tunnel on host-1
  144. #
  145. ip -netns $host_1 l2tp add tunnel tunnel_id 1061 peer_tunnel_id 1062 \
  146. encap ip local 2001:db8:1::1 remote 2001:db8:2::1
  147. ip -netns $host_1 l2tp add session name l2tp6 tunnel_id 1061 \
  148. session_id 1061 peer_session_id 1062
  149. ip -netns $host_1 link set dev l2tp6 up
  150. ip -netns $host_1 addr add dev l2tp6 fc00:1::1 peer fc00:1::2
  151. #
  152. # configure l2tpv3 tunnel on host-2
  153. #
  154. ip -netns $host_2 l2tp add tunnel tunnel_id 1062 peer_tunnel_id 1061 \
  155. encap ip local 2001:db8:2::1 remote 2001:db8:1::1
  156. ip -netns $host_2 l2tp add session name l2tp6 tunnel_id 1062 \
  157. session_id 1062 peer_session_id 1061
  158. ip -netns $host_2 link set dev l2tp6 up
  159. ip -netns $host_2 addr add dev l2tp6 fc00:1::2 peer fc00:1::1
  160. #
  161. # add routes to loopback addresses
  162. #
  163. ip -netns $host_1 -6 ro add fc00:101::2/128 via fc00:1::2
  164. ip -netns $host_2 -6 ro add fc00:101::1/128 via fc00:1::1
  165. }
  166. setup()
  167. {
  168. # start clean
  169. cleanup
  170. set -e
  171. setup_ns host_1 host_2 router
  172. create_ns $host_1 172.16.101.1/32 fc00:101::1/128
  173. create_ns $host_2 172.16.101.2/32 fc00:101::2/128
  174. create_ns $router
  175. connect_ns $host_1 eth0 10.1.1.1/24 2001:db8:1::1/64 \
  176. $router eth1 10.1.1.2/24 2001:db8:1::2/64
  177. connect_ns $host_2 eth0 10.1.2.1/24 2001:db8:2::1/64 \
  178. $router eth2 10.1.2.2/24 2001:db8:2::2/64
  179. ip -netns $host_1 ro add 10.1.2.0/24 via 10.1.1.2
  180. ip -netns $host_1 -6 ro add 2001:db8:2::/64 via 2001:db8:1::2
  181. ip -netns $host_2 ro add 10.1.1.0/24 via 10.1.2.2
  182. ip -netns $host_2 -6 ro add 2001:db8:1::/64 via 2001:db8:2::2
  183. setup_l2tp_ipv4
  184. setup_l2tp_ipv6
  185. set +e
  186. }
  187. setup_ipsec()
  188. {
  189. #
  190. # IPv4
  191. #
  192. run_cmd $host_1 ip xfrm policy add \
  193. src 10.1.1.1 dst 10.1.2.1 dir out \
  194. tmpl proto esp mode transport
  195. run_cmd $host_1 ip xfrm policy add \
  196. src 10.1.2.1 dst 10.1.1.1 dir in \
  197. tmpl proto esp mode transport
  198. run_cmd $host_2 ip xfrm policy add \
  199. src 10.1.1.1 dst 10.1.2.1 dir in \
  200. tmpl proto esp mode transport
  201. run_cmd $host_2 ip xfrm policy add \
  202. src 10.1.2.1 dst 10.1.1.1 dir out \
  203. tmpl proto esp mode transport
  204. ip -netns $host_1 xfrm state add \
  205. src 10.1.1.1 dst 10.1.2.1 \
  206. spi 0x1000 proto esp aead 'rfc4106(gcm(aes))' \
  207. 0x0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f 128 mode transport
  208. ip -netns $host_1 xfrm state add \
  209. src 10.1.2.1 dst 10.1.1.1 \
  210. spi 0x1001 proto esp aead 'rfc4106(gcm(aes))' \
  211. 0x0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f 128 mode transport
  212. ip -netns $host_2 xfrm state add \
  213. src 10.1.1.1 dst 10.1.2.1 \
  214. spi 0x1000 proto esp aead 'rfc4106(gcm(aes))' \
  215. 0x0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f 128 mode transport
  216. ip -netns $host_2 xfrm state add \
  217. src 10.1.2.1 dst 10.1.1.1 \
  218. spi 0x1001 proto esp aead 'rfc4106(gcm(aes))' \
  219. 0x0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f 128 mode transport
  220. #
  221. # IPV6
  222. #
  223. run_cmd $host_1 ip -6 xfrm policy add \
  224. src 2001:db8:1::1 dst 2001:db8:2::1 dir out \
  225. tmpl proto esp mode transport
  226. run_cmd $host_1 ip -6 xfrm policy add \
  227. src 2001:db8:2::1 dst 2001:db8:1::1 dir in \
  228. tmpl proto esp mode transport
  229. run_cmd $host_2 ip -6 xfrm policy add \
  230. src 2001:db8:1::1 dst 2001:db8:2::1 dir in \
  231. tmpl proto esp mode transport
  232. run_cmd $host_2 ip -6 xfrm policy add \
  233. src 2001:db8:2::1 dst 2001:db8:1::1 dir out \
  234. tmpl proto esp mode transport
  235. ip -netns $host_1 -6 xfrm state add \
  236. src 2001:db8:1::1 dst 2001:db8:2::1 \
  237. spi 0x1000 proto esp aead 'rfc4106(gcm(aes))' \
  238. 0x0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f 128 mode transport
  239. ip -netns $host_1 -6 xfrm state add \
  240. src 2001:db8:2::1 dst 2001:db8:1::1 \
  241. spi 0x1001 proto esp aead 'rfc4106(gcm(aes))' \
  242. 0x0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f 128 mode transport
  243. ip -netns $host_2 -6 xfrm state add \
  244. src 2001:db8:1::1 dst 2001:db8:2::1 \
  245. spi 0x1000 proto esp aead 'rfc4106(gcm(aes))' \
  246. 0x0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f 128 mode transport
  247. ip -netns $host_2 -6 xfrm state add \
  248. src 2001:db8:2::1 dst 2001:db8:1::1 \
  249. spi 0x1001 proto esp aead 'rfc4106(gcm(aes))' \
  250. 0x0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f 128 mode transport
  251. }
  252. teardown_ipsec()
  253. {
  254. run_cmd $host_1 ip xfrm state flush
  255. run_cmd $host_1 ip xfrm policy flush
  256. run_cmd $host_2 ip xfrm state flush
  257. run_cmd $host_2 ip xfrm policy flush
  258. }
  259. ################################################################################
  260. # generate traffic through tunnel for various cases
  261. run_ping()
  262. {
  263. local desc="$1"
  264. run_cmd $host_1 ping -c1 -w1 172.16.1.2
  265. log_test $? 0 "IPv4 basic L2TP tunnel ${desc}"
  266. run_cmd $host_1 ping -c1 -w1 -I 172.16.101.1 172.16.101.2
  267. log_test $? 0 "IPv4 route through L2TP tunnel ${desc}"
  268. run_cmd $host_1 ${ping6} -c1 -w1 fc00:1::2
  269. log_test $? 0 "IPv6 basic L2TP tunnel ${desc}"
  270. run_cmd $host_1 ${ping6} -c1 -w1 -I fc00:101::1 fc00:101::2
  271. log_test $? 0 "IPv6 route through L2TP tunnel ${desc}"
  272. }
  273. run_tests()
  274. {
  275. local desc
  276. setup
  277. run_ping
  278. setup_ipsec
  279. run_ping "- with IPsec"
  280. run_cmd $host_1 ping -c1 -w1 172.16.1.2
  281. log_test $? 0 "IPv4 basic L2TP tunnel ${desc}"
  282. run_cmd $host_1 ping -c1 -w1 -I 172.16.101.1 172.16.101.2
  283. log_test $? 0 "IPv4 route through L2TP tunnel ${desc}"
  284. run_cmd $host_1 ${ping6} -c1 -w1 fc00:1::2
  285. log_test $? 0 "IPv6 basic L2TP tunnel - with IPsec"
  286. run_cmd $host_1 ${ping6} -c1 -w1 -I fc00:101::1 fc00:101::2
  287. log_test $? 0 "IPv6 route through L2TP tunnel - with IPsec"
  288. teardown_ipsec
  289. run_ping "- after IPsec teardown"
  290. }
  291. ################################################################################
  292. # main
  293. declare -i nfail=0
  294. declare -i nsuccess=0
  295. while getopts :pv o
  296. do
  297. case $o in
  298. p) PAUSE_ON_FAIL=yes;;
  299. v) VERBOSE=$(($VERBOSE + 1));;
  300. *) exit 1;;
  301. esac
  302. done
  303. run_tests
  304. cleanup
  305. printf "\nTests passed: %3d\n" ${nsuccess}
  306. printf "Tests failed: %3d\n" ${nfail}