Diffstat (limited to 'dynamic-layers')
62 files changed, 1837 insertions, 0 deletions
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/README b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/README
new file mode 100644
index 00000000..9578982d
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/README
@@ -0,0 +1,77 @@
+test_setkey script usage
+
+The scripts in this directory may be used for testing
+native Linux IPsec with the talitos driver as a loadable module.
+
+It's assumed that these scripts have been placed in the directory
+named /test_setkey.
+
+The scripts setup_left and setup_right configure the ip addresses
+for two boards named 'left' and 'right', which are two gateways for
+an IPsec tunnel. Connect the eth1 interfaces of left and right boards together.
+For smartbits testing, connect eth0 on each board to a smartbits port.
+For other testing (ping, netperf, iperf), connect eth0 on each board to another system.
+
+The scripts named left.conf-* and right.conf-* are setkey scripts
+which configure the IPsec SA and SPD entries.
+The scripts ending in -tunnel use tunnel mode IPsec, and the scripts
+ending in -transport used transport mode IPsec.
+Transport mode is useful for quickly testing security functionality
+using ping or netperf between two boards.
+Tunnel mode can be used for testing throughput using smartbits or other
+performance test equipment.
+
+There is a top level script called 'setup' which
+is used for a one-step setup on the left and right boards.
+'setup' uses two or three parameters. The first parameter is the side, left or right.
+The second parameter is the setkey suffix for the left.conf- and right.conf- files.
+If the third parameter is supplied, the setup will modprobe that name, so
+typically you should provide talitos as the third parameter if you want to load the driver.
+If you have built the talitos driver into the kernel, omit the third parameter to setup.
+You may test software encryption if talitos is built as a module and you omit the third parameter.
+
+Below are example uses of the 'setup' script.
+
+1) One-step setup for smartbits
+ Use a tunnel mode setup on each side.
+ AES-HMAC-SHA1:
+ Left side:
+ /test_setkey/setup left aes-sha1-tunnel talitos
+ Right side:
+ /test_setkey/setup right aes-sha1-tunnel talitos
+
+ 3DES-HMAC-SHA1:
+ Left side:
+ /test_setkey/setup left 3des-sha1-tunnel talitos
+ Right side:
+ /test_setkey/setup right 3des-sha1-tunnel talitos
+
+2) One-step setup for testing ping, netperf, or iperf between two boards.
+ Use a transport mode setup on each side.
+ AES-HMAC-SHA1:
+ Left side:
+ /test_setkey/setup left aes-sha1-transport talitos
+ Right side:
+ /test_setkey/setup right aes-sha1-transport talitos
+
+ 3DES-HMAC-SHA1:
+ Left side:
+ /test_setkey/setup left 3des-sha1-transport talitos
+ Right side:
+ /test_setkey/setup right 3des-sha1-transport talitos
+
+3) Testing ipv4
+ To test ipv4 (with no security) over the two gateways, use steps below.
+ Testing ipv4 is helpful to get your smartbits configuration verified
+ and also establish a baseline performance for throughput.
+
+ On the left board:
+ cd /test_setkey
+ ./setup_left
+ ./left.ipv4
+
+ On the right board:
+ cd /test_setkey
+ ./setup_right
+ ./right.ipv4
+
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/auto_left.conf-3des-sha1-tunnel b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/auto_left.conf-3des-sha1-tunnel
new file mode 100755
index 00000000..6bd6c5d8
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/auto_left.conf-3des-sha1-tunnel
@@ -0,0 +1,32 @@
+#!/usr/sbin/setkey -f
+#
+#
+# Example ESP Tunnel for VPN.
+#
+# ========= ESP =========
+# | |
+# Network-A Gateway-A Gateway-B Network-B
+# 192.168.1.0/24 ---- 200.200.200.10 ------ 200.200.200.20 ---- 192.168.2.0/24
+#
+# ====== 83xx board A ====== ===== 83xx board B =====
+# | | | |
+# eth0 eth1 eth1 eth0
+# 192.168.1.130 200.200.200.10 200.200.200.20 192.168.2.130
+#
+#
+# Board A setup
+#
+# Flush the SAD and SPD
+flush;
+spdflush;
+
+# I am gateway A (eth0:192.168.1.130, eth1:200.200.200.10)
+#
+# Security policies
+spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
+ esp/tunnel/200.200.200.10-200.200.200.20/require;
+
+spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
+ esp/tunnel/200.200.200.20-200.200.200.10/require;
+
+
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/auto_right.conf-3des-sha1-tunnel b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/auto_right.conf-3des-sha1-tunnel
new file mode 100755
index 00000000..eebf307a
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/auto_right.conf-3des-sha1-tunnel
@@ -0,0 +1,31 @@
+#!/usr/sbin/setkey -f
+#
+#
+# Example ESP Tunnel for VPN.
+#
+# ========= ESP =========
+# | |
+# Network-A Gateway-A Gateway-B Network-B
+# 192.168.1.0/24 ---- 200.200.200.10 ------ 200.200.200.20 ---- 192.168.2.0/24
+#
+# ====== 83xx board A ====== ===== 83xx board B =====
+# | | | |
+# eth0 eth1 eth1 eth0
+# 192.168.1.130 200.200.200.10 200.200.200.20 192.168.2.130
+#
+#
+# Board B setup
+# Flush the SAD and SPD
+flush;
+spdflush;
+
+# I am gateway B (eth0:192.168.2.130, eth1:200.200.200.20)
+#
+# Security policies
+
+spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec
+ esp/tunnel/200.200.200.20-200.200.200.10/require;
+
+spdadd 192.168.1.0/24 192.168.2.0/24 any -P in ipsec
+ esp/tunnel/200.200.200.10-200.200.200.20/require;
+
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/flush-setkey b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/flush-setkey
new file mode 100755
index 00000000..0be30562
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/flush-setkey
@@ -0,0 +1,4 @@
+#!/usr/sbin/setkey -f
+
+flush;
+spdflush;
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/ipsec.conf.left b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/ipsec.conf.left
new file mode 100644
index 00000000..d9d6c0c6
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/ipsec.conf.left
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="chd 2, knl 2"
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ type=tunnel
+ auth=esp
+ compress=no
+ mobike=no
+
+conn net-net
+ left=200.200.200.10
+ leftsubnet=192.168.1.0/24
+ leftcert=moonCert.pem
+ leftid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+ leftfirewall=yes
+ right=200.200.200.20
+ rightsubnet=192.168.2.0/24
+ rightid="C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
+ auto=add
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/ipsec.conf.right b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/ipsec.conf.right
new file mode 100644
index 00000000..c14dee2b
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/ipsec.conf.right
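Review bot: `strictcrlpolicy=no` in `config setup` of ipsec.conf.left means a peer certificate is still accepted when no current CRL can be obtained, so revocation is effectively advisory on these gateways. The same setting appears in ipsec.conf.right and in both ipsec_ikev1.conf files. If this is deliberate because the bench network cannot reach a CRL distribution point, say so next to the setting, for example `# strictcrlpolicy=no: bench network has no CRL access; set to yes for any real deployment`.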
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="chd 2, knl 2"
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ auth=esp
+ compress=no
+ mobike=no
+
+conn net-net
+ left=200.200.200.20
+ leftcert=sunCert.pem
+ leftid="C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
+ leftsubnet=192.168.2.0/24
+ leftfirewall=yes
+ right=200.200.200.10
+ rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+ rightsubnet=192.168.1.0/24
+ auto=add
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/ipsec.secrets.left b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/ipsec.secrets.left
new file mode 100644
index 00000000..e86d6aa5
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/ipsec.secrets.left
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/ipsec.secrets.right b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/ipsec.secrets.right
new file mode 100644
index 00000000..1095b74c
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/ipsec.secrets.right
@@ -0,0 +1,8 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA sunKey.pem
+
+
+
+
+
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/ipsec_ikev1.conf.left b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/ipsec_ikev1.conf.left
new file mode 100644
index 00000000..55025dbc
--- /dev/null
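Review bot: `conn %default` in ipsec.conf.right omits the `type=tunnel` line that ipsec.conf.left sets, so the two ends of `net-net` are no longer mirror images of each other. Tunnel is the strongSwan default, so behaviour should be unchanged, but adding `type=tunnel` after `keyexchange=ikev2` makes the intent explicit and keeps the pair easy to compare.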
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/ipsec_ikev1.conf.left
@@ -0,0 +1,39 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ left=200.200.200.10
+ leftcert=moonCert.pem
+ leftid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+ leftfirewall=yes
+
+conn net-net
+ left=%defaultroute
+ leftsubnet=192.168.1.0/24
+ leftcert=moonCert.pem
+ right=200.200.200.20
+ rightsubnet=192.168.2.0/24
+ rightid="C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
+ auto=add
+
+conn host-host
+ left=%defaultroute
+ leftcert=moonCert.pem
+ right=200.200.200.20
+ rightid="C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
+ auto=add
+
+conn rw
+ leftsubnet=192.168.1.0/24
+ right=%any
+ auto=add
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/ipsec_ikev1.conf.right b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/ipsec_ikev1.conf.right
new file mode 100644
index 00000000..479791ea
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/ipsec_ikev1.conf.right
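Review bot: `conn rw` in ipsec_ikev1.conf.left sets `right=%any` with no `rightid` or `rightca`, so it will presumably negotiate with a peer at any address whose certificate validates, and it offers `leftsubnet=192.168.1.0/24` to that peer. ipsec_ikev1.conf.right has no matching conn and the README describes only a fixed two-gateway setup, so this looks like a leftover from an upstream sample. Either drop the `rw` section or constrain it, e.g. `rightid="C=CH, O=Linux strongSwan, CN=sun.strongswan.org"`.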
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ left=200.200.200.20
+ leftcert=sunCert.pem
+ leftid="C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
+ leftfirewall=yes
+
+conn net-net
+ left=%defaultroute
+ leftsubnet=192.168.2.0/24
+ leftcert=sunCert.pem
+ right=200.200.200.10
+ rightsubnet=192.168.1.0/24
+ rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+ auto=add
+
+conn host-host
+ left=%defaultroute
+ leftcert=sunCert.pem
+ right=200.200.200.10
+ rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+ auto=add
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-3des-md5-transport b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-3des-md5-transport
new file mode 100755
index 00000000..5422771b
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-3des-md5-transport
@@ -0,0 +1,23 @@
+#!/usr/sbin/setkey -f
+#I am 200.200.200.10
+
+flush;
+spdflush;
+
+# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
+# and hmac-md5 authentication using 128 bit long keys
+add 200.200.200.10 200.200.200.20 esp 0x10513
+ -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
+ -A hmac-md5 0xd5f603abc8cd9d19319ca32fb955b10f;
+
+add 200.200.200.20 200.200.200.10 esp 0x10514
+ -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
+ -A hmac-md5 0x1dd90b4c32dcbe9d37b555a23df5170e;
+
+
+spdadd 200.200.200.20 200.200.200.10 any -P in ipsec
+ esp/transport//require;
+
+spdadd 200.200.200.10 200.200.200.20 any -P out ipsec
+ esp/transport//require;
+
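Review bot: The `add` statements in left.conf-3des-md5-transport install fixed ESP keys that are now published in the layer source, and the same encryption key bytes recur in every other left.conf-* file in this commit (3des and aes, transport and tunnel). Manual keying also means the SAs are never rekeyed, which matters for `3des-cbc` under sustained throughput tests because of its 64-bit block, and `hmac-md5` is a legacy choice. Put a warning at the top of each of these files, e.g. `# TEST KEYS ONLY - published in source; never load on a production link`, and prefer the IKE-driven auto_*.conf variants anywhere outside the bench.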
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-3des-md5-tunnel b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-3des-md5-tunnel
new file mode 100755
index 00000000..52bf9c3f
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-3des-md5-tunnel
@@ -0,0 +1,42 @@
+#!/usr/sbin/setkey -f
+#
+#
+# Example ESP Tunnel for VPN.
+#
+# ========= ESP =========
+# | |
+# Network-A Gateway-A Gateway-B Network-B
+# 192.168.1.0/24 ---- 200.200.200.10 ------ 200.200.200.20 ---- 192.168.2.0/24
+#
+# ====== 83xx board A ====== ===== 83xx board B =====
+# | | | |
+# eth0 eth1 eth1 eth0
+# 192.168.1.130 200.200.200.10 200.200.200.20 192.168.2.130
+#
+#
+# Board A setup
+#
+# Flush the SAD and SPD
+flush;
+spdflush;
+
+# I am gateway A (eth0:192.168.1.130, eth1:200.200.200.10)
+#
+# Security policies
+spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
+ esp/tunnel/200.200.200.10-200.200.200.20/require;
+
+spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
+ esp/tunnel/200.200.200.20-200.200.200.10/require;
+
+
+# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
+# and hmac-md5 authentication using 128 bit long keys
+add 200.200.200.10 200.200.200.20 esp 0x201 -m tunnel
+ -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
+ -A hmac-md5 0xd5f603abc8cd9d19319ca32fb955b10f;
+
+add 200.200.200.20 200.200.200.10 esp 0x301 -m tunnel
+ -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
+ -A hmac-md5 0x1dd90b4c32dcbe9d37b555a23df5170e;
+
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-3des-sha1-transport b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-3des-sha1-transport
new file mode 100755
index 00000000..e5ee0054
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-3des-sha1-transport
@@ -0,0 +1,22 @@
+#!/usr/sbin/setkey -f
+#I am 200.200.200.10
+
+flush;
+spdflush;
+
+# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
+# and hmac-sha1 authentication using 160 bit long keys
+add 200.200.200.10 200.200.200.20 esp 0x10513
+ -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
+ -A hmac-sha1 0xe9c43acd5e8d779b6e09c87347852708ab49bdd3;
+
+add 200.200.200.20 200.200.200.10 esp 0x10514
+ -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
+ -A hmac-sha1 0xea6856479330dc9c17b8f6c37e2a895363d83f21;
+
+spdadd 200.200.200.20 200.200.200.10 any -P in ipsec
+ esp/transport//require;
+
+spdadd 200.200.200.10 200.200.200.20 any -P out ipsec
+ esp/transport//require;
+
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-3des-sha1-tunnel b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-3des-sha1-tunnel
new file mode 100755
index 00000000..eb2881db
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-3des-sha1-tunnel
@@ -0,0 +1,42 @@
+#!/usr/sbin/setkey -f
+#
+#
+# Example ESP Tunnel for VPN.
+#
+# ========= ESP =========
+# | |
+# Network-A Gateway-A Gateway-B Network-B
+# 192.168.1.0/24 ---- 200.200.200.10 ------ 200.200.200.20 ---- 192.168.2.0/24
+#
+# ====== 83xx board A ====== ===== 83xx board B =====
+# | | | |
+# eth0 eth1 eth1 eth0
+# 192.168.1.130 200.200.200.10 200.200.200.20 192.168.2.130
+#
+#
+# Board A setup
+#
+# Flush the SAD and SPD
+flush;
+spdflush;
+
+# I am gateway A (eth0:192.168.1.130, eth1:200.200.200.10)
+#
+# Security policies
+spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
+ esp/tunnel/200.200.200.10-200.200.200.20/require;
+
+spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
+ esp/tunnel/200.200.200.20-200.200.200.10/require;
+
+
+# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
+# and hmac-sha1 authentication using 160 bit long keys
+add 200.200.200.10 200.200.200.20 esp 0x201 -m tunnel
+ -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
+ -A hmac-sha1 0xe9c43acd5e8d779b6e09c87347852708ab49bdd3;
+
+add 200.200.200.20 200.200.200.10 esp 0x301 -m tunnel
+ -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
+ -A hmac-sha1 0xea6856479330dc9c17b8f6c37e2a895363d83f21;
+
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-3des-sha256-transport b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-3des-sha256-transport
new file mode 100755
index 00000000..b5286320
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-3des-sha256-transport
@@ -0,0 +1,23 @@
+#!/usr/sbin/setkey -f
+#I am 200.200.200.10
+
+flush;
+spdflush;
+
+# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
+# and hmac-sha2-256 authentication using 256 bit long keys
+add 200.200.200.10 200.200.200.20 esp 0x10513
+ -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
+ -A hmac-sha2-256 0x4de03bebf6beb4fdef5a67d349a09580466cc4e54503333b2a5fd34538c91198;
+
+add 200.200.200.20 200.200.200.10 esp 0x10514
+ -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
+ -A hmac-sha2-256 0x5e01eb780b7ecc074ca2ca4fa4a5ea2ff841c977da0ce61c49d1fe767ea5452c;
+
+
+spdadd 200.200.200.20 200.200.200.10 any -P in ipsec
+ esp/transport//require;
+
+spdadd 200.200.200.10 200.200.200.20 any -P out ipsec
+ esp/transport//require;
+
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-3des-sha256-tunnel b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-3des-sha256-tunnel
new file mode 100755
index 00000000..e7726f08
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-3des-sha256-tunnel
@@ -0,0 +1,42 @@
+#!/usr/sbin/setkey -f
+#
+#
+# Example ESP Tunnel for VPN.
+#
+# ========= ESP =========
+# | |
+# Network-A Gateway-A Gateway-B Network-B
+# 192.168.1.0/24 ---- 200.200.200.10 ------ 200.200.200.20 ---- 192.168.2.0/24
+#
+# ====== 83xx board A ====== ===== 83xx board B =====
+# | | | |
+# eth0 eth1 eth1 eth0
+# 192.168.1.130 200.200.200.10 200.200.200.20 192.168.2.130
+#
+#
+# Board A setup
+#
+# Flush the SAD and SPD
+flush;
+spdflush;
+
+# I am gateway A (eth0:192.168.1.130, eth1:200.200.200.10)
+#
+# Security policies
+spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
+ esp/tunnel/200.200.200.10-200.200.200.20/require;
+
+spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
+ esp/tunnel/200.200.200.20-200.200.200.10/require;
+
+
+# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
+# and hmac-sha2-256 authentication using 256 bit long keys
+add 200.200.200.10 200.200.200.20 esp 0x10513 -m tunnel
+ -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
+ -A hmac-sha2-256 0x4de03bebf6beb4fdef5a67d349a09580466cc4e54503333b2a5fd34538c91198;
+
+add 200.200.200.20 200.200.200.10 esp 0x10514 -m tunnel
+ -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
+ -A hmac-sha2-256 0x5e01eb780b7ecc074ca2ca4fa4a5ea2ff841c977da0ce61c49d1fe767ea5452c;
+
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-aes-md5-transport b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-aes-md5-transport
new file mode 100755
index 00000000..96f57837
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-aes-md5-transport
@@ -0,0 +1,23 @@
+#!/usr/sbin/setkey -f
+#I am 200.200.200.10
+
+flush;
+spdflush;
+
+# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
+# and hmac-md5 authentication using 128 bit long keys
+add 200.200.200.10 200.200.200.20 esp 0x10513
+ -E aes-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
+ -A hmac-md5 0xd5f603abc8cd9d19319ca32fb955b10f;
+
+add 200.200.200.20 200.200.200.10 esp 0x10514
+ -E aes-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
+ -A hmac-md5 0x1dd90b4c32dcbe9d37b555a23df5170e;
+
+
+spdadd 200.200.200.20 200.200.200.10 any -P in ipsec
+ esp/transport//require;
+
+spdadd 200.200.200.10 200.200.200.20 any -P out ipsec
+ esp/transport//require;
+
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-aes-md5-tunnel b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-aes-md5-tunnel
new file mode 100755
index 00000000..b2cf84bf
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-aes-md5-tunnel
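Review bot: The comment `# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)` in left.conf-aes-md5-transport was carried over from the 3DES files and is wrong for `aes-cbc`: AES has no parity bits, and the 24-byte key selects AES-192 with all 192 bits used. Change it to `# ESP SAs doing AES-CBC encryption using 192 bit long keys`. The same comment appears in left.conf-aes-md5-tunnel, both left.conf-aes-sha1-* files and both left.conf-aes-sha256-* files.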
@@ -0,0 +1,42 @@
+#!/usr/sbin/setkey -f
+#
+#
+# Example ESP Tunnel for VPN.
+#
+# ========= ESP =========
+# | |
+# Network-A Gateway-A Gateway-B Network-B
+# 192.168.1.0/24 ---- 200.200.200.10 ------ 200.200.200.20 ---- 192.168.2.0/24
+#
+# ====== 83xx board A ====== ===== 83xx board B =====
+# | | | |
+# eth0 eth1 eth1 eth0
+# 192.168.1.130 200.200.200.10 200.200.200.20 192.168.2.130
+#
+#
+# Board A setup
+#
+# Flush the SAD and SPD
+flush;
+spdflush;
+
+# I am gateway A (eth0:192.168.1.130, eth1:200.200.200.10)
+#
+# Security policies
+spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
+ esp/tunnel/200.200.200.10-200.200.200.20/require;
+
+spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
+ esp/tunnel/200.200.200.20-200.200.200.10/require;
+
+
+# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
+# and hmac-md5 authentication using 128 bit long keys
+add 200.200.200.10 200.200.200.20 esp 0x201 -m tunnel
+ -E aes-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
+ -A hmac-md5 0xd5f603abc8cd9d19319ca32fb955b10f;
+
+add 200.200.200.20 200.200.200.10 esp 0x301 -m tunnel
+ -E aes-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
+ -A hmac-md5 0x1dd90b4c32dcbe9d37b555a23df5170e;
+
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-aes-sha1-transport b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-aes-sha1-transport
new file mode 100755
index 00000000..f3ffaf5c
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-aes-sha1-transport
@@ -0,0 +1,22 @@
+#!/usr/sbin/setkey -f
+#I am 200.200.200.10
+
+flush;
+spdflush;
+
+# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
+# and hmac-sha1 authentication using 160 bit long keys
+add 200.200.200.10 200.200.200.20 esp 0x10513
+ -E aes-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
+ -A hmac-sha1 0xe9c43acd5e8d779b6e09c87347852708ab49bdd3;
+
+add 200.200.200.20 200.200.200.10 esp 0x10514
+ -E aes-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
+ -A hmac-sha1 0xea6856479330dc9c17b8f6c37e2a895363d83f21;
+
+spdadd 200.200.200.20 200.200.200.10 any -P in ipsec
+ esp/transport//require;
+
+spdadd 200.200.200.10 200.200.200.20 any -P out ipsec
+ esp/transport//require;
+
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-aes-sha1-tunnel b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-aes-sha1-tunnel
new file mode 100755
index 00000000..1ab7874f
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-aes-sha1-tunnel
@@ -0,0 +1,42 @@
+#!/usr/sbin/setkey -f
+#
+#
+# Example ESP Tunnel for VPN.
+#
+# ========= ESP =========
+# | |
+# Network-A Gateway-A Gateway-B Network-B
+# 192.168.1.0/24 ---- 200.200.200.10 ------ 200.200.200.20 ---- 192.168.2.0/24
+#
+# ====== 83xx board A ====== ===== 83xx board B =====
+# | | | |
+# eth0 eth1 eth1 eth0
+# 192.168.1.130 200.200.200.10 200.200.200.20 192.168.2.130
+#
+#
+# Board A setup
+#
+# Flush the SAD and SPD
+flush;
+spdflush;
+
+# I am gateway A (eth0:192.168.1.130, eth1:200.200.200.10)
+#
+# Security policies
+spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
+ esp/tunnel/200.200.200.10-200.200.200.20/require;
+
+spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
+ esp/tunnel/200.200.200.20-200.200.200.10/require;
+
+
+# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
+# and hmac-sha1 authentication using 160 bit long keys
+add 200.200.200.10 200.200.200.20 esp 0x201 -m tunnel
+ -E aes-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
+ -A hmac-sha1 0xe9c43acd5e8d779b6e09c87347852708ab49bdd3;
+
+add 200.200.200.20 200.200.200.10 esp 0x301 -m tunnel
+ -E aes-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
+ -A hmac-sha1 0xea6856479330dc9c17b8f6c37e2a895363d83f21;
+
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-aes-sha256-transport b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-aes-sha256-transport
new file mode 100755
index 00000000..d2645d6f
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-aes-sha256-transport
@@ -0,0 +1,23 @@
+#!/usr/sbin/setkey -f
+#I am 200.200.200.10
+
+flush;
+spdflush;
+
+# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
+# and hmac-sha2-256 authentication using 256 bit long keys
+add 200.200.200.10 200.200.200.20 esp 0x10513
+ -E aes-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
+ -A hmac-sha2-256 0x4de03bebf6beb4fdef5a67d349a09580466cc4e54503333b2a5fd34538c91198;
+
+add 200.200.200.20 200.200.200.10 esp 0x10514
+ -E aes-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
+ -A hmac-sha2-256 0x5e01eb780b7ecc074ca2ca4fa4a5ea2ff841c977da0ce61c49d1fe767ea5452c;
+
+
+spdadd 200.200.200.20 200.200.200.10 any -P in ipsec
+ esp/transport//require;
+
+spdadd 200.200.200.10 200.200.200.20 any -P out ipsec
+ esp/transport//require;
+
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-aes-sha256-tunnel b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-aes-sha256-tunnel
new file mode 100755
index 00000000..8ed697d1
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-aes-sha256-tunnel
@@ -0,0 +1,42 @@
+#!/usr/sbin/setkey -f
+#
+#
+# Example ESP Tunnel for VPN.
+#
+# ========= ESP =========
+# | |
+# Network-A Gateway-A Gateway-B Network-B
+# 192.168.1.0/24 ---- 200.200.200.10 ------ 200.200.200.20 ---- 192.168.2.0/24
+#
+# ====== 83xx board A ====== ===== 83xx board B =====
+# | | | |
+# eth0 eth1 eth1 eth0
+# 192.168.1.130 200.200.200.10 200.200.200.20 192.168.2.130
+#
+#
+# Board A setup
+#
+# Flush the SAD and SPD
+flush;
+spdflush;
+
+# I am gateway A (eth0:192.168.1.130, eth1:200.200.200.10)
+#
+# Security policies
+spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
+ esp/tunnel/200.200.200.10-200.200.200.20/require;
+
+spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
+ esp/tunnel/200.200.200.20-200.200.200.10/require;
+
+
+# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
+# and hmac-sha2-256 authentication using 256 bit long keys
+add 200.200.200.10 200.200.200.20 esp 0x10513 -m tunnel
+ -E aes-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
+ -A hmac-sha2-256 0x4de03bebf6beb4fdef5a67d349a09580466cc4e54503333b2a5fd34538c91198;
+
+add 200.200.200.20 200.200.200.10 esp 0x10514 -m tunnel
+ -E aes-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
+ -A hmac-sha2-256 0x5e01eb780b7ecc074ca2ca4fa4a5ea2ff841c977da0ce61c49d1fe767ea5452c;
+
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-null-null-transport b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-null-null-transport
new file mode 100755
index 00000000..84275d07
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-null-null-transport
@@ -0,0 +1,23 @@
+#!/usr/sbin/setkey -f
+#I am 200.200.200.10
+
+flush;
+spdflush;
+
+# ESP SAs doing null encryption
+# and null authentication
+add 200.200.200.10 200.200.200.20 esp 0x10513
+ -E null
+ -A null;
+
+add 200.200.200.20 200.200.200.10 esp 0x10514
+ -E null
+ -A null;
+
+
+spdadd 200.200.200.20 200.200.200.10 any -P in ipsec
+ esp/transport//require;
+
+spdadd 200.200.200.10 200.200.200.20 any -P out ipsec
+ esp/transport//require;
+
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-null-null-tunnel b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-null-null-tunnel
new file mode 100755
index 00000000..478d14a8
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.conf-null-null-tunnel
@@ -0,0 +1,42 @@
+#!/usr/sbin/setkey -f
+#
+#
+# Example ESP Tunnel for VPN.
+#
+# ========= ESP =========
+# | |
+# Network-A Gateway-A Gateway-B Network-B
+# 192.168.1.0/24 ---- 200.200.200.10 ------ 200.200.200.20 ---- 192.168.2.0/24
+#
+# ====== 83xx board A ====== ===== 83xx board B =====
+# | | | |
+# eth0 eth1 eth1 eth0
+# 192.168.1.130 200.200.200.10 200.200.200.20 192.168.2.130
+#
+#
+# Board A setup
+#
+# Flush the SAD and SPD
+flush;
+spdflush;
+
+# I am gateway A (eth0:192.168.1.130, eth1:200.200.200.10)
+#
+# Security policies
+spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
+ esp/tunnel/200.200.200.10-200.200.200.20/require;
+
+spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
+ esp/tunnel/200.200.200.20-200.200.200.10/require;
+
+
+# ESP SAs doing null encryption
+# and null authentication
+add 200.200.200.10 200.200.200.20 esp 0x201 -m tunnel
+ -E null
+ -A null;
+
+add 200.200.200.20 200.200.200.10 esp 0x301 -m tunnel
+ -E null
+ -A null;
+
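Review bot: `-E null -A null` in left.conf-null-null-transport builds SAs that give neither confidentiality nor integrity, while the `spdadd ... esp/transport//require` policies and the SA listing will still make the link look IPsec-protected. RFC 4303 also does not allow ESP with both algorithms null, so behaviour beyond these two boards is not guaranteed. State the purpose in the file header, e.g. `# BASELINE ONLY: ESP framing with no encryption or authentication; for overhead measurement`, and do the same in left.conf-null-null-tunnel.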
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.ipv4 b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.ipv4
new file mode 100755
index 00000000..e219f2ad
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/left.ipv4
@@ -0,0 +1,2 @@
+set -v
+route add -net 192.168.2.0 netmask 255.255.255.0 gw 200.200.200.20
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/moonCert.pem b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/moonCert.pem
new file mode 100644
index 00000000..d5c970f4
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/moonCert.pem
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIjCCAwqgAwIBAgIBFzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA5MDgyNzEwMDMzMloXDTE0MDgyNjEwMDMzMlowRjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAMTE21vb24u +c3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDK +L2M91Lu6BYYhWxWgMS9z9TMSTwszm5rhO7ZIsCtMRo4PAeYw+++SGXt3CPXb/+p+ +SWKGlm11rPE71eQ3ehgh2C3hAurfmWO0iQQaCw+fdreeIVCqOQIOP6UqZ327h5yY +YpHk8VQv4vBJTpxclU1PqnWheqe1ZlLxsW773LRml/fQt/UgvJkCBTZZONLNMfK+ +7TDnYaVsAtncgvDN78nUNEe2qY92KK7SrBJ6SpUEg49m51F+XgsGcsgWVHS85on3 +Om/G48crLEVJjdu8CxewSRVgb+lPJWzHd8QsU0Vg/7vlqs3ZRMyNtNKrr4opSvVb +A6agGlTXhDCreDiXU8KHAgMBAAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQE +AwIDqDAdBgNVHQ4EFgQUapx00fiJeYn2WpTpifH6w2SdKS4wbQYDVR0jBGYwZIAU +XafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQK +ExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GC +AQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggr +BgEFBQcDATA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u +b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCctXg2xeMozaTV +jiBL1P8MY9uEH5JtU0EceQ1RbI5/2vGRdnECND9oADY5vamaaE2Mdq2Qh/vlXnML +o3ii5ELjsQlYdTYZOcMOdcUUXYvbbFX1cwpkBhyBl1H25KptHcgQ/HnceKp3kOuq +wYOYjgwePXulcpWXx0E2QtQCFQQZFPyEWeNJxH0oglg53QPXfHY9I2/Gukj5V0bz +p7ME0Gs8KdnYdmbbDqzQgPsta96/m+HoJlsrVF+4Gqihj6BWMBQ2ybjPWZdG3oH9 +25cE8v60Ry98D0Z/tygbAUFnh5oOvaf642paVgc3aoA77I8U+UZjECxISoiHultY +7QTufOwP +-----END CERTIFICATE----- diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/moonKey.pem b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/moonKey.pem new file mode 100644 index 00000000..4d99866f --- /dev/null +++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/moonKey.pem 
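Review bot: The validity fields inside moonCert.pem appear to decode to a notBefore in August 2009 and a notAfter in August 2014, so this certificate is already expired. strongSwan checks validity dates, so the conns that reference `leftcert=moonCert.pem` would be expected to fail authentication unless the board clock falls inside that window. Regenerate the demo certificates with a current validity period, or document the clock requirement in the README.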
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAyi9jPdS7ugWGIVsVoDEvc/UzEk8LM5ua4Tu2SLArTEaODwHm +MPvvkhl7dwj12//qfklihpZtdazxO9XkN3oYIdgt4QLq35ljtIkEGgsPn3a3niFQ +qjkCDj+lKmd9u4ecmGKR5PFUL+LwSU6cXJVNT6p1oXqntWZS8bFu+9y0Zpf30Lf1 +ILyZAgU2WTjSzTHyvu0w52GlbALZ3ILwze/J1DRHtqmPdiiu0qwSekqVBIOPZudR +fl4LBnLIFlR0vOaJ9zpvxuPHKyxFSY3bvAsXsEkVYG/pTyVsx3fELFNFYP+75arN +2UTMjbTSq6+KKUr1WwOmoBpU14Qwq3g4l1PChwIDAQABAoIBACBFB/Xqajv6fbn9 +K6pxrz02uXwGmacXAtVIDoPzejWmXS4QA4l17HrJDmelSnhelDKry8nnYHkTrTz7 +mn0wQ4HDWy86o/okJUG/TKRLd6bf79aRQqqohqd3iQkHk43GyzuXH+oGioVKF0fc +ACDWw4wfjL7FMNdHCZ4Bz9DrHO/ysHe9B6rvSYm3VZRhSxaneIkaLkkDadKpVx3f +XNFlMxY4qKPJYYSoJZ61iMqrO7+rnA93tmyDDs8PKU3BtnpfNrdePgleJHhk8Zqy +Ev2/NOCSUxbKE8NCtLpGTs+T0qjjnu4k3WPd3ZOBAan0uPDekHZeHB/aXGLhYcxx +J5SurqECgYEA+F1gppkER5Jtoaudt/CUpdQ1sR9wxf75VBqJ4FiYABGQz9xlG4oj +zL/o572s0iV3bwFpnQa+WuWrxGkP6ZuB/Z82npc0N/vLou/b4dxvg4n7K+eOOEf0 +8FMjsse2tqTIXKCqcmQnR0NPQ1jwuvEKsXP5w/JOlnRXAXnd4jxsJI0CgYEA0GaT +61ySttUW9jC3mxuY6jkQy8TEQqR3nOFvWwmCXIWOpN/MTTPus+Telxp/pdKhU+mo +PmX3Unyne5PvwleWDq3YzltX5ZDZGJ5UJlKuNnfGIzQ6OcHRbb7zBpQG6qSRPuug +bgo688hTnb1L59nK88zWVK45euf6pyuoI+SwIGMCgYEA7yvE8knyhBXvezuv0z1b +eGHmHp5/VDwY0DQKSEAoiBBiWrkLqLybgwXf/KJ8dZZc8En08aFX2GLJyYe/KiB1 +ys3ypEBJqgvRayP+o/9KZ+qNNRd0rqAksPXvL7ABNNt0kzapTSVDae3Yu6s/j1am +DIL5qAeERIDedG5uDPpQzdUCgYB7MtjpP63ABhLv8XbpbBQnCxtByw3W89F+Xcrt +v55gQdhE4cSuMzA/CuMH4vNpPS6AI9aBJNhj3CtKo/cOJachAGb1/wvkO5ALvLW0 +fhZdPstUTnDJain7vfF/hwzbs/PlhXgu9T9KlLfRvXFdG+Sd4g8mumRiozcLkoRw +y6XPTwKBgDJP+s9wXmdG90HST/aqC7FKrVXLpB63dY5swNUfQP6sa0pFnON0r0JC +h/YCsGFFIAebQ2uOkM3g3f9nkwTp7910ov+/5uThvRI2w2BBPy0mVuALPjyyF1Z2 +cb9zpyKiIuXoXRCf4sd8r1lR9bn0Fxx0Svpxf+fpMGSI5quHNBKY +-----END RSA PRIVATE KEY----- diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/pingsizes.sh b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/pingsizes.sh new file mode 100755 index 00000000..faefb245 --- /dev/null 
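Review bot: moonKey.pem adds an unencrypted RSA private key to the source tree, and sunKey.pem later in this commit does the same, so the keys are known to everyone who can read the layer and the certificates that go with them cannot authenticate a peer. Nothing in the visible part of the README says the credentials are for the bench demo only; a sentence there, such as `The *.pem files and psk.txt are published test credentials; generate your own before using these boards on a real network`, would make that explicit. If the recipe (not visible in this part of the diff) installs these files into an image, keeping them in a package that production images do not pull in would limit the exposure.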
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/pingsizes.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+#
+# Usage: ./pingsizes.sh 1440 20 (or greater)
+#
+
+PINGDEST=${PINGDEST:-200.200.200.10}
+k=$1
+lim="$((k+$2))"
+((k-=1))
+while [ "$k" != "$lim" ] ; do
+ echo -n "ping -s $((k+=1)) : "
+ ping -i 1000 -c 1 -s $k $PINGDEST | grep packets &
+ sleep 1
+ PID=`ps -eaf | grep 'ping -i' | grep -v grep | sed 's/[ ][ ]*/ /g' | cut -d " " -f 2`
+ if [ -n "$PID" ] ; then
+ echo "****************** killing $PID"
+ kill $PID > /dev/null
+ fi
+done
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/pingsizest.sh b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/pingsizest.sh
new file mode 100755
index 00000000..d5ff0f7d
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/pingsizest.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+#
+# Usage: ./pingsizes.sh 1440 20 (or greater)
+#
+
+PINGDEST=${PINGDEST:-200.200.200.10}
+k=$1
+lim="$((k+$2))"
+((k-=1))
+while [ "$k" != "$lim" ] ; do
+ echo ping -s $((k+=1))
+ ping -i 1000 -c 1 -s $k $PINGDEST &
+ sleep 1
+ PID=`ps -eaf | grep 'ping -i' | sed 's/[ ][ ]*/ /g' | cut -d " " -f 2`
+ if [ -n "$PID" ] ; then
+ echo "****************** killing $PID"
+ kill $PID
+ fi
+done
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/psk.txt b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/psk.txt
new file mode 100644
index 00000000..46c1ff41
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/psk.txt
@@ -0,0 +1,2 @@
+200.200.200.20 secretkeyracoon
+200.200.200.10 secretkeyracoon
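Review bot: The cleanup in the pingsizes.sh loop picks its target by grepping `ps -eaf` for 'ping -i', so it kills every matching ping on the board, not just the one this iteration started. pingsizest.sh repeats the loop without the `grep -v grep`, so there `$PID` can also hold the PID of the grep itself, and its usage comment still names pingsizes.sh. Letting ping give up on its own removes the need for the kill, provided the board's ping supports `-W`: `ping -c 1 -W 1 -s "$k" "$PINGDEST" | grep packets`, which also quotes the two expansions that are unquoted now.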
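Review bot: psk.txt gives both peers the same fixed pre-shared key, `secretkeyracoon`, in a file the commit adds with mode 100644, so the key is public with the layer and readable by every local user wherever the file keeps that mode. As far as I know racoon refuses a pre-shared key file that group or others can read, so the install step (not visible here) should set it to 0600. The README should say that this key is for the bench demo only and has to be replaced before the boards carry real traffic.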
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/racoon.conf b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/racoon.conf
new file mode 100644
index 00000000..cf561f51
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/racoon.conf
@@ -0,0 +1,22 @@
+path pre_shared_key "/test_setkey/psk.txt" ;
+
+ remote anonymous
+ {
+ exchange_mode main ;
+ lifetime time 1 hour ;
+ proposal {
+ encryption_algorithm 3des;
+ hash_algorithm sha1;
+ authentication_method pre_shared_key ;
+ dh_group 2 ;
+ }
+ }
+
+ sainfo anonymous
+ {
+ pfs_group 2;
+ lifetime time 1 hour ;
+ encryption_algorithm 3des ;
+ authentication_algorithm hmac_sha1 ;
+ compression_algorithm deflate ;
+ }
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-3des-md5-transport b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-3des-md5-transport
new file mode 100755
index 00000000..7f82fb46
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-3des-md5-transport
@@ -0,0 +1,23 @@
+#!/usr/sbin/setkey -f
+#I am 200.200.200.20
+
+flush;
+spdflush;
+
+# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
+# and hmac-md5 authentication using 128 bit long keys
+add 200.200.200.10 200.200.200.20 esp 0x10513
+ -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
+ -A hmac-md5 0xd5f603abc8cd9d19319ca32fb955b10f;
+
+add 200.200.200.20 200.200.200.10 esp 0x10514
+ -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
+ -A hmac-md5 0x1dd90b4c32dcbe9d37b555a23df5170e;
+
+
+spdadd 200.200.200.20 200.200.200.10 any -P out ipsec
+ esp/transport//require;
+
+spdadd 200.200.200.10 200.200.200.20 any -P in ipsec
+ esp/transport//require;
+
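Review bot: The phase 1 proposal and the `sainfo` block in racoon.conf both fix 3des with sha1 and group 2 (1024-bit MODP), and `remote anonymous` offers that proposal to a peer at any address. These are legacy parameters, and the file carries no comment saying they were chosen for the demo. If they are there to exercise the hardware engine, a first line such as `# Demo only: 3des/sha1/group 2 chosen for test coverage, not for deployment` would say so. Otherwise `aes`, `sha256` and `dh_group 14` would be a better default, if the racoon build on the boards supports them.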
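Review bot: The ESP encryption and authentication keys in both `add` lines of right.conf-3des-md5-transport are literals, and the same key values recur in every right.conf-* file of this commit (the aes variants reuse the 3des key bytes), so all variants share key material that is public with the repository. These are manually keyed SAs, which are not rekeyed, and as far as I know setkey does no replay checking unless `-r` sets a window. A header comment such as `# Test keys only: published in the source tree, never use outside the bench setup` would state the intent. hmac-md5, used here and in the other -md5- files, is a legacy choice as well.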
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-3des-md5-tunnel b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-3des-md5-tunnel
new file mode 100755
index 00000000..5a752579
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-3des-md5-tunnel
@@ -0,0 +1,42 @@
+#!/usr/sbin/setkey -f
+#
+#
+# Example ESP Tunnel for VPN.
+#
+# ========= ESP =========
+# | |
+# Network-A Gateway-A Gateway-B Network-B
+# 192.168.1.0/24 ---- 200.200.200.10 ------ 200.200.200.20 ---- 192.168.2.0/24
+#
+# ====== 83xx board A ====== ===== 83xx board B =====
+# | | | |
+# eth0 eth1 eth1 eth0
+# 192.168.1.130 200.200.200.10 200.200.200.20 192.168.2.130
+#
+#
+# Board B setup
+#
+# Flush the SAD and SPD
+flush;
+spdflush;
+
+# I am gateway B (eth0:192.168.2.130, eth1:200.200.200.20)
+#
+# Security policies
+spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec
+ esp/tunnel/200.200.200.20-200.200.200.10/require;
+
+spdadd 192.168.1.0/24 192.168.2.0/24 any -P in ipsec
+ esp/tunnel/200.200.200.10-200.200.200.20/require;
+
+
+# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
+# and hmac-md5 authentication using 128 bit long keys
+add 200.200.200.10 200.200.200.20 esp 0x201 -m tunnel
+ -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
+ -A hmac-md5 0xd5f603abc8cd9d19319ca32fb955b10f;
+
+add 200.200.200.20 200.200.200.10 esp 0x301 -m tunnel
+ -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
+ -A hmac-md5 0x1dd90b4c32dcbe9d37b555a23df5170e;
+
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-3des-sha1-transport b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-3des-sha1-transport
new file mode 100755
index 00000000..6ef885d4
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-3des-sha1-transport
@@ -0,0 +1,22 @@
+#!/usr/sbin/setkey -f
+#I am 200.200.200.20
+
+flush;
+spdflush;
+
+# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
+# and hmac-sha1 authentication using 160 bit long keys
+add 200.200.200.10 200.200.200.20 esp 0x10513
+ -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
+ -A hmac-sha1 0xe9c43acd5e8d779b6e09c87347852708ab49bdd3;
+
+add 200.200.200.20 200.200.200.10 esp 0x10514
+ -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
+ -A hmac-sha1 0xea6856479330dc9c17b8f6c37e2a895363d83f21;
+
+# Security policies
+spdadd 200.200.200.20 200.200.200.10 any -P out ipsec
+ esp/transport//require;
+
+spdadd 200.200.200.10 200.200.200.20 any -P in ipsec
+ esp/transport//require;
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-3des-sha1-tunnel b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-3des-sha1-tunnel
new file mode 100755
index 00000000..16c31578
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-3des-sha1-tunnel
@@ -0,0 +1,41 @@
+#!/usr/sbin/setkey -f
+#
+#
+# Example ESP Tunnel for VPN.
+#
+# ========= ESP =========
+# | |
+# Network-A Gateway-A Gateway-B Network-B
+# 192.168.1.0/24 ---- 200.200.200.10 ------ 200.200.200.20 ---- 192.168.2.0/24
+#
+# ====== 83xx board A ====== ===== 83xx board B =====
+# | | | |
+# eth0 eth1 eth1 eth0
+# 192.168.1.130 200.200.200.10 200.200.200.20 192.168.2.130
+#
+#
+# Board B setup
+# Flush the SAD and SPD
+flush;
+spdflush;
+
+# I am gateway B (eth0:192.168.2.130, eth1:200.200.200.20)
+#
+# Security policies
+
+spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec
+ esp/tunnel/200.200.200.20-200.200.200.10/require;
+
+spdadd 192.168.1.0/24 192.168.2.0/24 any -P in ipsec
+ esp/tunnel/200.200.200.10-200.200.200.20/require;
+
+# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
+# and hmac-sha1 authentication using 160 bit long keys
+add 200.200.200.10 200.200.200.20 esp 0x201 -m tunnel
+ -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
+ -A hmac-sha1 0xe9c43acd5e8d779b6e09c87347852708ab49bdd3;
+
+add 200.200.200.20 200.200.200.10 esp 0x301 -m tunnel
+ -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
+ -A hmac-sha1 0xea6856479330dc9c17b8f6c37e2a895363d83f21;
+
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-3des-sha256-transport b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-3des-sha256-transport
new file mode 100755
index 00000000..b9772092
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-3des-sha256-transport
@@ -0,0 +1,23 @@
+#!/usr/sbin/setkey -f
+#I am 200.200.200.20
+
+flush;
+spdflush;
+
+# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
+# and hmac-sha2-256 authentication using 256 bit long keys
+add 200.200.200.10 200.200.200.20 esp 0x10513
+ -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
+ -A hmac-sha2-256 0x4de03bebf6beb4fdef5a67d349a09580466cc4e54503333b2a5fd34538c91198;
+
+add 200.200.200.20 200.200.200.10 esp 0x10514
+ -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
+ -A hmac-sha2-256 0x5e01eb780b7ecc074ca2ca4fa4a5ea2ff841c977da0ce61c49d1fe767ea5452c;
+
+
+spdadd 200.200.200.20 200.200.200.10 any -P out ipsec
+ esp/transport//require;
+
+spdadd 200.200.200.10 200.200.200.20 any -P in ipsec
+ esp/transport//require;
+
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-3des-sha256-tunnel b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-3des-sha256-tunnel
new file mode 100755
index 00000000..e7c5b4e6
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-3des-sha256-tunnel
@@ -0,0 +1,42 @@
+#!/usr/sbin/setkey -f
+#
+#
+# Example ESP Tunnel for VPN.
+#
+# ========= ESP =========
+# | |
+# Network-A Gateway-A Gateway-B Network-B
+# 192.168.1.0/24 ---- 200.200.200.10 ------ 200.200.200.20 ---- 192.168.2.0/24
+#
+# ====== 83xx board A ====== ===== 83xx board B =====
+# | | | |
+# eth0 eth1 eth1 eth0
+# 192.168.1.130 200.200.200.10 200.200.200.20 192.168.2.130
+#
+#
+# Board A setup
+#
+# Flush the SAD and SPD
+flush;
+spdflush;
+
+# I am gateway B (eth0:192.168.2.130, eth1:200.200.200.20)
+#
+# Security policies
+spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec
+ esp/tunnel/200.200.200.20-200.200.200.10/require;
+
+spdadd 192.168.1.0/24 192.168.2.0/24 any -P in ipsec
+ esp/tunnel/200.200.200.10-200.200.200.20/require;
+
+
+# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
+# and hmac-sha2-256 authentication using 256 bit long keys
+add 200.200.200.10 200.200.200.20 esp 0x10513 -m tunnel
+ -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
+ -A hmac-sha2-256 0x4de03bebf6beb4fdef5a67d349a09580466cc4e54503333b2a5fd34538c91198;
+
+add 200.200.200.20 200.200.200.10 esp 0x10514 -m tunnel
+ -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
+ -A hmac-sha2-256 0x5e01eb780b7ecc074ca2ca4fa4a5ea2ff841c977da0ce61c49d1fe767ea5452c;
+
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-aes-md5-transport b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-aes-md5-transport
new file mode 100755
index 00000000..5d55d001
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-aes-md5-transport
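Review bot: The header comment in right.conf-3des-sha256-tunnel says `# Board A setup` although the file is a right.conf and the next comment says `# I am gateway B`; right.conf-aes-sha256-tunnel has the same mismatch, while the other tunnel files say `# Board B setup`. Change the line to `# Board B setup` in both. These two files also use SPIs 0x10513 and 0x10514 where the other right-side tunnel files use 0x201 and 0x301. That works only if the matching left.conf files (not visible here) use the same values, so it is worth checking.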
@@ -0,0 +1,23 @@
+#!/usr/sbin/setkey -f
+#I am 200.200.200.20
+
+flush;
+spdflush;
+
+# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
+# and hmac-md5 authentication using 128 bit long keys
+add 200.200.200.10 200.200.200.20 esp 0x10513
+ -E aes-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
+ -A hmac-md5 0xd5f603abc8cd9d19319ca32fb955b10f;
+
+add 200.200.200.20 200.200.200.10 esp 0x10514
+ -E aes-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
+ -A hmac-md5 0x1dd90b4c32dcbe9d37b555a23df5170e;
+
+
+spdadd 200.200.200.20 200.200.200.10 any -P out ipsec
+ esp/transport//require;
+
+spdadd 200.200.200.10 200.200.200.20 any -P in ipsec
+ esp/transport//require;
+
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-aes-md5-tunnel b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-aes-md5-tunnel
new file mode 100755
index 00000000..f49bd54a
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-aes-md5-tunnel
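Review bot: The comment above the `add` lines in right.conf-aes-md5-transport, `192 bit long keys (168 + 24 parity)`, was carried over from the 3des files and is wrong for `-E aes-cbc`: AES keys have no parity bits, and a 24-byte key selects AES-192 with all 192 bits in use. The same comment is in all six right.conf-aes-* files in this commit. Suggested text: `# ESP SAs doing AES-CBC encryption using 192 bit long keys`.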
@@ -0,0 +1,42 @@
+#!/usr/sbin/setkey -f
+#
+#
+# Example ESP Tunnel for VPN.
+#
+# ========= ESP =========
+# | |
+# Network-A Gateway-A Gateway-B Network-B
+# 192.168.1.0/24 ---- 200.200.200.10 ------ 200.200.200.20 ---- 192.168.2.0/24
+#
+# ====== 83xx board A ====== ===== 83xx board B =====
+# | | | |
+# eth0 eth1 eth1 eth0
+# 192.168.1.130 200.200.200.10 200.200.200.20 192.168.2.130
+#
+#
+# Board B setup
+#
+# Flush the SAD and SPD
+flush;
+spdflush;
+
+# I am gateway B (eth0:192.168.2.130, eth1:200.200.200.20)
+#
+# Security policies
+spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec
+ esp/tunnel/200.200.200.20-200.200.200.10/require;
+
+spdadd 192.168.1.0/24 192.168.2.0/24 any -P in ipsec
+ esp/tunnel/200.200.200.10-200.200.200.20/require;
+
+
+# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
+# and hmac-md5 authentication using 128 bit long keys
+add 200.200.200.10 200.200.200.20 esp 0x201 -m tunnel
+ -E aes-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
+ -A hmac-md5 0xd5f603abc8cd9d19319ca32fb955b10f;
+
+add 200.200.200.20 200.200.200.10 esp 0x301 -m tunnel
+ -E aes-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
+ -A hmac-md5 0x1dd90b4c32dcbe9d37b555a23df5170e;
+
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-aes-sha1-transport b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-aes-sha1-transport
new file mode 100755
index 00000000..d9c65a45
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-aes-sha1-transport
@@ -0,0 +1,22 @@
+#!/usr/sbin/setkey -f
+#I am 200.200.200.20
+
+flush;
+spdflush;
+
+# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
+# and hmac-sha1 authentication using 160 bit long keys
+add 200.200.200.10 200.200.200.20 esp 0x10513
+ -E aes-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
+ -A hmac-sha1 0xe9c43acd5e8d779b6e09c87347852708ab49bdd3;
+
+add 200.200.200.20 200.200.200.10 esp 0x10514
+ -E aes-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
+ -A hmac-sha1 0xea6856479330dc9c17b8f6c37e2a895363d83f21;
+
+# Security policies
+spdadd 200.200.200.20 200.200.200.10 any -P out ipsec
+ esp/transport//require;
+
+spdadd 200.200.200.10 200.200.200.20 any -P in ipsec
+ esp/transport//require;
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-aes-sha1-tunnel b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-aes-sha1-tunnel
new file mode 100755
index 00000000..1f10136a
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-aes-sha1-tunnel
@@ -0,0 +1,41 @@
+#!/usr/sbin/setkey -f
+#
+#
+# Example ESP Tunnel for VPN.
+#
+# ========= ESP =========
+# | |
+# Network-A Gateway-A Gateway-B Network-B
+# 192.168.1.0/24 ---- 200.200.200.10 ------ 200.200.200.20 ---- 192.168.2.0/24
+#
+# ====== 83xx board A ====== ===== 83xx board B =====
+# | | | |
+# eth0 eth1 eth1 eth0
+# 192.168.1.130 200.200.200.10 200.200.200.20 192.168.2.130
+#
+#
+# Board B setup
+# Flush the SAD and SPD
+flush;
+spdflush;
+
+# I am gateway B (eth0:192.168.2.130, eth1:200.200.200.20)
+#
+# Security policies
+
+spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec
+ esp/tunnel/200.200.200.20-200.200.200.10/require;
+
+spdadd 192.168.1.0/24 192.168.2.0/24 any -P in ipsec
+ esp/tunnel/200.200.200.10-200.200.200.20/require;
+
+# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
+# and hmac-sha1 authentication using 160 bit long keys
+add 200.200.200.10 200.200.200.20 esp 0x201 -m tunnel
+ -E aes-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
+ -A hmac-sha1 0xe9c43acd5e8d779b6e09c87347852708ab49bdd3;
+
+add 200.200.200.20 200.200.200.10 esp 0x301 -m tunnel
+ -E aes-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
+ -A hmac-sha1 0xea6856479330dc9c17b8f6c37e2a895363d83f21;
+
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-aes-sha256-transport b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-aes-sha256-transport
new file mode 100755
index 00000000..817a8bd4
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-aes-sha256-transport
@@ -0,0 +1,23 @@
+#!/usr/sbin/setkey -f
+#I am 200.200.200.20
+
+flush;
+spdflush;
+
+# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
+# and hmac-sha2-256 authentication using 256 bit long keys
+add 200.200.200.10 200.200.200.20 esp 0x10513
+ -E aes-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
+ -A hmac-sha2-256 0x4de03bebf6beb4fdef5a67d349a09580466cc4e54503333b2a5fd34538c91198;
+
+add 200.200.200.20 200.200.200.10 esp 0x10514
+ -E aes-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
+ -A hmac-sha2-256 0x5e01eb780b7ecc074ca2ca4fa4a5ea2ff841c977da0ce61c49d1fe767ea5452c;
+
+
+spdadd 200.200.200.20 200.200.200.10 any -P out ipsec
+ esp/transport//require;
+
+spdadd 200.200.200.10 200.200.200.20 any -P in ipsec
+ esp/transport//require;
+
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-aes-sha256-tunnel b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-aes-sha256-tunnel
new file mode 100755
index 00000000..9bca18fb
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-aes-sha256-tunnel
@@ -0,0 +1,42 @@
+#!/usr/sbin/setkey -f
+#
+#
+# Example ESP Tunnel for VPN.
+#
+# ========= ESP =========
+# | |
+# Network-A Gateway-A Gateway-B Network-B
+# 192.168.1.0/24 ---- 200.200.200.10 ------ 200.200.200.20 ---- 192.168.2.0/24
+#
+# ====== 83xx board A ====== ===== 83xx board B =====
+# | | | |
+# eth0 eth1 eth1 eth0
+# 192.168.1.130 200.200.200.10 200.200.200.20 192.168.2.130
+#
+#
+# Board A setup
+#
+# Flush the SAD and SPD
+flush;
+spdflush;
+
+# I am gateway B (eth0:192.168.2.130, eth1:200.200.200.20)
+#
+# Security policies
+spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec
+ esp/tunnel/200.200.200.20-200.200.200.10/require;
+
+spdadd 192.168.1.0/24 192.168.2.0/24 any -P in ipsec
+ esp/tunnel/200.200.200.10-200.200.200.20/require;
+
+
+# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
+# and hmac-sha2-256 authentication using 256 bit long keys
+add 200.200.200.10 200.200.200.20 esp 0x10513 -m tunnel
+ -E aes-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
+ -A hmac-sha2-256 0x4de03bebf6beb4fdef5a67d349a09580466cc4e54503333b2a5fd34538c91198;
+
+add 200.200.200.20 200.200.200.10 esp 0x10514 -m tunnel
+ -E aes-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
+ -A hmac-sha2-256 0x5e01eb780b7ecc074ca2ca4fa4a5ea2ff841c977da0ce61c49d1fe767ea5452c;
+
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-null-null-transport b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-null-null-transport
new file mode 100755
index 00000000..26dfe2e1
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-null-null-transport
@@ -0,0 +1,23 @@
+#!/usr/sbin/setkey -f
+#I am 200.200.200.20
+
+flush;
+spdflush;
+
+# ESP SAs doing null encryption
+# and null authentication
+add 200.200.200.10 200.200.200.20 esp 0x10513
+ -E null
+ -A null;
+
+add 200.200.200.20 200.200.200.10 esp 0x10514
+ -E null
+ -A null;
+
+
+spdadd 200.200.200.20 200.200.200.10 any -P out ipsec
+ esp/transport//require;
+
+spdadd 200.200.200.10 200.200.200.20 any -P in ipsec
+ esp/transport//require;
+
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-null-null-tunnel b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-null-null-tunnel
new file mode 100755
index 00000000..bc4f38eb
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.conf-null-null-tunnel
@@ -0,0 +1,42 @@
+#!/usr/sbin/setkey -f
+#
+#
+# Example ESP Tunnel for VPN.
+#
+# ========= ESP =========
+# | |
+# Network-A Gateway-A Gateway-B Network-B
+# 192.168.1.0/24 ---- 200.200.200.10 ------ 200.200.200.20 ---- 192.168.2.0/24
+#
+# ====== 83xx board A ====== ===== 83xx board B =====
+# | | | |
+# eth0 eth1 eth1 eth0
+# 192.168.1.130 200.200.200.10 200.200.200.20 192.168.2.130
+#
+#
+# Board B setup
+#
+# Flush the SAD and SPD
+flush;
+spdflush;
+
+# I am gateway B (eth0:192.168.2.130, eth1:200.200.200.20)
+#
+# Security policies
+spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec
+ esp/tunnel/200.200.200.20-200.200.200.10/require;
+
+spdadd 192.168.1.0/24 192.168.2.0/24 any -P in ipsec
+ esp/tunnel/200.200.200.10-200.200.200.20/require;
+
+
+# ESP SAs doing null encryption
+# and null authentication
+add 200.200.200.10 200.200.200.20 esp 0x201 -m tunnel
+ -E null
+ -A null;
+
+add 200.200.200.20 200.200.200.10 esp 0x301 -m tunnel
+ -E null
+ -A null;
+
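Review bot: With `-E null -A null` the SAs in right.conf-null-null-transport and right.conf-null-null-tunnel give neither confidentiality nor integrity, yet the policies still say `require`, so traffic that matches them looks IPsec-protected while it is sent in the clear and unauthenticated. Neither file says what it is for. If they exist to measure ESP encapsulation overhead without crypto, state that at the top, e.g. `# Baseline only: ESP framing without encryption or authentication, never use on a real network`.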
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.ipv4 b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.ipv4
new file mode 100755
index 00000000..67cd1b2c
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/right.ipv4
@@ -0,0 +1,2 @@
+set -v
+route add -net 192.168.1.0 netmask 255.255.255.0 gw 200.200.200.10
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/setup b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/setup
new file mode 100755
index 00000000..9e6fa7fa
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/setup
@@ -0,0 +1,47 @@
+# setup - quick setup for left or right side of ipsec test
+# see README for example use.
+
+SCRIPT_HOME=/test_setkey/
+cd $SCRIPT_HOME
+
+export PATH=$SCRIPT_HOME:$PATH
+
+if [ "$1" != "left" -a "$1" != "right" ] ; then
+ echo "Usage: $0 side [config] [driver]"
+ echo " where side is either left or right."
+ echo " where config is either"
+ echo " aes-sha1-tunnel (default)"
+ echo " or 3des-sha1-tunnel"
+ echo " if driver is supplied, script does 'modprobe driver'"
+ exit 1
+fi
+
+SIDE=$1
+POLICY_CFG=$SIDE.conf
+DEFAULT_POLICY=aes-sha1-tunnel
+
+if [ -n "$2" ] ; then
+ POLICY=$2
+else
+ POLICY=$DEFAULT_POLICY
+fi
+
+SETKEY_FILE=$POLICY_CFG-$POLICY
+
+if [ ! -f $SETKEY_FILE ] ; then
+ echo "Missing setkey command file: $SETKEY_FILE"
+ exit 1
+fi
+
+# modprobe any driver name given as last parameter
+if [ -n "$3" ] ; then
+ modprobe $3
+fi
+
+SETUP_CMD_FILE=./setup_$SIDE
+. $SETUP_CMD_FILE
+
+$SETKEY_FILE
+
+setkey -D
+setkey -D -P
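Review bot: `cd $SCRIPT_HOME` in setup is not checked, so a failed cd leaves every later relative path (`-f $SETKEY_FILE`, `. ./setup_$SIDE`) resolving against the caller's directory, presumably as root since the script calls modprobe and ifconfig. The selected setkey file is then run by bare name through the modified PATH, and the results of modprobe, the sourced script and the setkey file are never tested, so the closing `setkey -D` dumps run even after a failure. Suggested changes: `cd "$SCRIPT_HOME" || exit 1`, `modprobe "$3" || exit 1` and `"./$SETKEY_FILE" || exit 1`. The file also has no `#!` line although it is added with mode 100755.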
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/setup_left b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/setup_left
new file mode 100755
index 00000000..da769099
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/setup_left
@@ -0,0 +1,13 @@
+# board on left setup
+set -v
+ifconfig eth0 down
+ifconfig eth0 hw ether 00:04:9F:11:22:33
+ifconfig eth0 192.168.1.130 netmask 255.255.255.0
+ifconfig eth0 up
+ifconfig eth1 down
+ifconfig eth1 hw ether 00:E0:0C:00:7D:FD
+ifconfig eth1 200.200.200.10 netmask 255.255.255.0
+ifconfig eth1 up
+arp -s 192.168.1.21 00:00:00:00:00:01
+route add default dev eth1
+echo 1 > /proc/sys/net/ipv4/ip_forward
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/setup_right b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/setup_right
new file mode 100755
index 00000000..f0e333ee
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/setup_right
@@ -0,0 +1,13 @@
+# board on right setup
+set -v
+ifconfig eth0 down
+ifconfig eth0 hw ether 00:E0:0C:00:01:FD
+ifconfig eth0 192.168.2.130 netmask 255.255.255.0
+ifconfig eth0 up
+ifconfig eth1 down
+ifconfig eth1 hw ether 00:E0:0C:00:00:FD
+ifconfig eth1 200.200.200.20 netmask 255.255.255.0
+ifconfig eth1 up
+arp -s 192.168.2.21 00:00:00:00:00:02
+route add default dev eth1
+echo 1 > /proc/sys/net/ipv4/ip_forward
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/strongswan.conf b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/strongswan.conf
new file mode 100644
index 00000000..1701f4ab
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/strongswan.conf
@@ -0,0 +1,19 @@
+# strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-raw updown
+ multiple_authentication = no
+}
+
+pluto {
+
+ # plugins to load in pluto
+ #load = aes des sha1 md5 sha2 hmac gmp random pubkey
+
+}
+
+libstrongswan {
+
+ # set to no, the DH exponent size is optimized
+ # dh_exponent_ansi_x9_42 = no
+}
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/strongswanCert.pem b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/strongswanCert.pem
new file mode 100644
index 00000000..0865ad22
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/strongswanCert.pem
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDuDCCAqCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDEwMDExOFoXDTE5MDkwNzEwMDExOFowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u +Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y +X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f +FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc +4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/ +7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5 +gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr +K+1LwdqRxo7HgMRiDw8CAwEAAaOBsjCBrzASBgNVHRMBAf8ECDAGAQH/AgEBMAsG +A1UdDwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0j +BGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkw +FwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJv +b3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACOSmqEBtBLR9aV3UyCI8gmzR5in +Lte9aUXXS+qis6F2h2Stf4sN+Nl6Gj7REC6SpfEH4wWdwiUL5J0CJhyoOjQuDl3n +1Dw3dE4/zqMZdyDKEYTU75TmvusNJBdGsLkrf7EATAjoi/nrTOYPPhSUZvPp/D+Y +vORJ9Ej51GXlK1nwEB5iA8+tDYniNQn6BD1MEgIejzK+fbiy7braZB1kqhoEr2Si +7luBSnU912sw494E88a2EWbmMvg2TVHPNzCpVkpNk7kifCiwmw9VldkqYy9y/lCa +Epyp7lTfKw7cbD04Vk8QJW782L6Csuxkl346b17wmOqn8AZips3tFsuAY3w= +-----END CERTIFICATE----- diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/strongswan_left b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/strongswan_left new file mode 100755 index 00000000..e55c3e42 --- /dev/null +++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/strongswan_left 
@@ -0,0 +1,10 @@
+#strongswan on left board
+set -v
+cp -rf ipsec.conf.left /etc/ipsec.conf
+cp -rf ipsec.secrets.left /etc/ipsec.secrets
+cp -rf strongswan.conf /etc/
+cp -rf strongswanCert.pem /etc/ipsec.d/cacerts/
+cp -rf moonCert.pem /etc/ipsec.d/certs/
+mkdir /etc/ipsec.d/private
+cp -rf sunKey.pem /etc/ipsec.d/private/
+cp -rf moonKey.pem /etc/ipsec.d/private/
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/strongswan_right b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/strongswan_right
new file mode 100755
index 00000000..bcdbb731
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/strongswan_right
@@ -0,0 +1,10 @@
+#strongswan on left board
+set -v
+cp -rf ipsec.conf.right /etc/ipsec.conf
+cp -rf ipsec.secrets.right /etc/ipsec.secrets
+cp -rf strongswan.conf /etc/
+cp -rf strongswanCert.pem /etc/ipsec.d/cacerts/
+cp -rf sunCert.pem /etc/ipsec.d/certs/
+mkdir /etc/ipsec.d/private
+cp -rf sunKey.pem /etc/ipsec.d/private/
+cp -rf moonKey.pem /etc/ipsec.d/private/
diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/sunCert.pem b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/sunCert.pem
new file mode 100644
index 00000000..d0937bab
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/sunCert.pem
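Review bot: strongswan_left and strongswan_right both copy sunKey.pem and moonKey.pem into /etc/ipsec.d/private/, so each board ends up holding the other gateway's private key as well as its own; going by the certificate each script installs, the left board should need only moonKey.pem and the right board only sunKey.pem. The directory and key files are created with default permissions, and `mkdir` without `-p` reports an error when the script is run a second time. Suggested lines for the left script: `mkdir -p /etc/ipsec.d/private && chmod 700 /etc/ipsec.d/private` and `install -m 600 moonKey.pem /etc/ipsec.d/private/`. The first comment in strongswan_right still reads `#strongswan on left board`.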
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIDCCAwigAwIBAgIBFjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA5MDgyNzA5NTkwNFoXDTE0MDgyNjA5NTkwNFowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN1bi5z +dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+V +VIpn6Q5jaU//EN6p6A5cSfUfhBK0mFa2laFFZh/Y0h66AXqqrQ3X917h7YNsSk68 +oowY9h9I3gOx7hNVBsJr2VjdYC+b0q5NTha09/A5mimv/prYj6o0yawxoPjoDs9Y +h7D7Kf+F8fkgk0stlHJZX66J7dNrFXbg1xBld+Ep5Or2FbEZ9QWUpRQTuhdpNt/4 +9YuxQ59DemY9IRbwsrKCHH0mGrJsDdqeb0ap+8QvSXHjCt1fr9MNKWaAFAQLKQI4 +e0da1ntPCEQLeE833+NNRBgGufk0KqGT3eAXqrxa9AEIUJnVcPexQdqUMjcUpXFb +8WNzRWB8Egh3BDK6FsECAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD +AgOoMB0GA1UdDgQWBBRW1p4v2qihzRlcI1PnxbZwluML+zBtBgNVHSMEZjBkgBRd +p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT +EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB +ADAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB +BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y +Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAo37LYT9Awx0MK/nA +FZpPJqUr0Ey+O5Ukcsdx7nd00SlmpiQRY8KmuRXCBQnDEgdLstd3slQjT0pJEgWF +0pzxybnI6eOzYAhLfhart+X1hURiNGbXjggm2s4I5+K32bVIkNEqlsYnd/6F9oo5 +ZNO0/eTTruLZfkNe/zchBGKe/Z7MacVwlYWWCbMtBV4K1d5dGcRRgpQ9WivDlmat +Nh9wlscDSgSGk3HJkbxnq695VN7zUbDWAUvWWhV5bIDjlAR/xyT9ApqIxiyVVRul +fYrE7U05Hbt6GgAroAKLp6qJup9+TxQAKSjKIwJ0hf7OuYyQ8TZtVHS7AOhm+T/5 +G/jGGA== +-----END CERTIFICATE----- diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/sunKey.pem b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/sunKey.pem new file mode 100644 index 00000000..d8fad9aa --- /dev/null +++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo/test_setkey/sunKey.pem 
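Review bot: The validity period encoded in this certificate appears to end on 26 August 2014 (the decoded notAfter field reads `140826095904Z`), so a peer that checks validity would reject it unless the board clock is set back. If that reading is right, the demo documentation should state that the certificates are expired test material, or the demo should use certificates issued for it. strongswanCert.pem earlier in this commit appears to run until 7 September 2019.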
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA35VUimfpDmNpT/8Q3qnoDlxJ9R+EErSYVraVoUVmH9jSHroB +eqqtDdf3XuHtg2xKTryijBj2H0jeA7HuE1UGwmvZWN1gL5vSrk1OFrT38DmaKa/+ +mtiPqjTJrDGg+OgOz1iHsPsp/4Xx+SCTSy2Ucllfront02sVduDXEGV34Snk6vYV +sRn1BZSlFBO6F2k23/j1i7FDn0N6Zj0hFvCysoIcfSYasmwN2p5vRqn7xC9JceMK +3V+v0w0pZoAUBAspAjh7R1rWe08IRAt4Tzff401EGAa5+TQqoZPd4BeqvFr0AQhQ +mdVw97FB2pQyNxSlcVvxY3NFYHwSCHcEMroWwQIDAQABAoIBADH51hjN2zk9HVgl +QmcTAWzcUie5cLMhrP+M9mtC8O3jcCwwFY6OwfnbMU8DHy0GMqHg5lB8b99UUVPw +HLAzjDw/ESkc6pgZs4EEhJTsxJLsvTnePgHssEgyXnXf7gRVEqJkPohfy+Zy0UCH +eIUQXiMlOQ7xg7iDMhwNa+UdWSt539DztSKilQn2xdPZjFnMT0/prvl4NA/8Zn54 +/SdWDq5yRdLWb6EK1V7yJ3687GXR1jzGtgy7TXuncUJVTYgX7RdP1Tn6gWD8YAQ/ +RfT0DdWYm4WHSgSb9/NW8lBZH2yy3hg+lNgofXEvTfBkO5QyW31LIr0tCV6zhJIc +Y9MxaKUCgYEA9sktaXfhPLe0ECjdeQEOq5EKuDrCviSKCOuAV4BDSOsdw6+5LWfY +Vb/oke8N70lL3RCblcj1pOKWUi2O/SpEJdDRduiw2gM9cXt3/bChSTHC4TsIxxN/ +Db9OGg72kZ4sRY5Au+zyAAQYBwXhFWux194Jk5qK0JblNG9J5QMqZDcCgYEA5+5h +BgHUMEO+pdME5lAiSc5PcNTejpA6j+OikCh4/HFXy3C/dLx+Cs1+egw64c8iVaIv +NEo7n7E9I0e3XqanPRXhMnBRrP+39OVsWPmZ18Li2Hi84KwJyi8Y11l3XJOqaYpF +wMVUuZpxR0dfG5k/5GwT/tEkmQBglOgG3m2zUMcCgYEA4m3Vd9ahV5dp5AXKpzKc +JjiPMFfhxJo7+FEz0ZUCp03qYljBu/Jy4MKS/grrqyiCLdQGHNlk4SNxLvdUId78 +5gGBnuuDEJU2dAAIKUE9yq2YlBUZSacOxStI2snt28/X6P3LUWHm7LLU5OS1D3Vf +mKPF/6MlSJuas5CEqVZNN+MCgYBH9Qh7IaQgmVQUBKVXg3Mv7OduvUyTdKIGtHxi +N3xZ7hxsDP4JjNWaKmlcGmFGX8pqQRheI83d3NJ4GK8GmbP3Wst0p65fezMqsudr +r30QmPFicgs/tYCQDw6o+aPzwAi2F+VOSqrfrtAIaldSq7hL+VA21dKB+cD9UgOX +jPd+TwKBgQCbKeg2QNS2qhPIG9eaqJDROuxmxb/07d7OBctgMgxVvKhqW9hW42Sy +gJ59fyz5QjFBaSfcOdf4gkKyEawVo45/q6ymIQU37R4vF4CW9Z3CfaIbwJp7LcHV +zH07so/HNsZua6GWCSCLJU5MeCRiZzk2RFiS9KIaLP4gZndv4lXOiQ== +-----END RSA PRIVATE KEY----- diff --git a/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo_0.1.bb b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo_0.1.bb new file mode 100644 index 00000000..f29c375a --- /dev/null 
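Review bot: This adds an unencrypted RSA private key to the layer, and the ipsec-demo recipe in this commit copies the whole test_setkey directory into the image, so every build carries the same publicly readable key. A tunnel authenticated with it gives no peer authentication against anyone who has the repository. The demo should say so where the key is used, for example with a comment at the top of strongswan_left and strongswan_right, `# Test key published in the layer sources: never use outside a lab setup`, or the keys should be generated on the board at setup time.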
+++ b/dynamic-layers/networking-layer/recipes-connectivity/ipsec-demo/ipsec-demo_0.1.bb
@@ -0,0 +1,23 @@
+SUMMARY = "Scripts and configuration files for ipsec demo"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+RDEPENDS_${PN} = "ipsec-tools bash"
+
+inherit allarch
+
+SRC_URI = "file://test_setkey"
+
+S = "${WORKDIR}"
+
+do_configure[noexec] = "1"
+do_compile[noexec] = "1"
+
+do_install(){
+ install -d ${D}${datadir}
+ cp -a ${WORKDIR}/test_setkey ${D}${datadir}/
+ chown -R root:root ${D}${datadir}/test_setkey
+}
+
+FILES_${PN} = "${datadir}/*"
+COMPATIBLE_MACHINE = "(qoriq)"
diff --git a/dynamic-layers/networking-layer/recipes-kernel/asf/asf_git.bb b/dynamic-layers/networking-layer/recipes-kernel/asf/asf_git.bb
new file mode 100644
index 00000000..34308e2d
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-kernel/asf/asf_git.bb
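Review bot: `cp -a ${WORKDIR}/test_setkey ${D}${datadir}/` keeps the source file modes, so sunKey.pem (added as mode 100644) and presumably moonKey.pem land world-readable under `${datadir}/test_setkey`. Adding `chmod 0600 ${D}${datadir}/test_setkey/*Key.pem` after the `chown` line in `do_install` would restrict them to root. The strongswan_left and strongswan_right scripts write strongSwan configuration under /etc/ipsec.d, but `RDEPENDS_${PN}` lists only `ipsec-tools bash`; if that part of the demo is meant to work from this package, it presumably needs `strongswan` there as well.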
@@ -0,0 +1,37 @@
+DESCRIPTION = "Non-DPAA software Application Specific Fast-path"
+SECTION = "asf"
+LICENSE = "GPLv2 & GPLv2+ & BSD"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b5881ecf398da8a03a3f4c501e29d287"
+
+SRC_URI = "git://git.freescale.com/ppc/sdk/asf.git;branch=sdk-v1.9.x"
+SRCREV = "9580a629d3aec3ab3c5e152c6693846b96787906"
+
+RDEPENDS_${PN} += "ipsec-tools"
+
+inherit module qoriq_build_64bit_kernel
+
+S = "${WORKDIR}/git/asfmodule"
+
+EXTRA_OEMAKE = "CROSS_COMPILE=${TARGET_PREFIX}"
+export KERNEL_PATH = "${STAGING_KERNEL_DIR}"
+
+INHIBIT_PACKAGE_STRIP = "1"
+
+do_configure[depends] += "virtual/kernel:do_shared_workdir"
+do_configure_prepend () {
+ find ${S} -name Makefile -exec \
+ sed -i 's,$(KERNEL_PATH)/.config,$(KBUILD_OUTPUT)/.config,' {} \;
+}
+
+do_install(){
+ install -d ${D}/${libexecdir}
+ install -d ${D}/lib/modules/${KERNEL_VERSION}/asf
+ cp -rf ${S}/bin/full ${D}/lib/modules/${KERNEL_VERSION}/asf
+ cp -rf ${S}/bin/min ${D}/lib/modules/${KERNEL_VERSION}/asf
+ cp -rf ${S}/../scripts ${D}/${libexecdir}/
+ find ${D}/lib -depth -type d -exec rmdir --ignore-fail-on-non-empty {} \;
+}
+
+FILES_${PN} += "${libexecdir}"
+
+COMPATIBLE_MACHINE = "(qoriq)"
diff --git a/dynamic-layers/openembedded-layer/recipes-dpaa/fmc/fmc_git.bb b/dynamic-layers/openembedded-layer/recipes-dpaa/fmc/fmc_git.bb
new file mode 100644
index 00000000..d54b8454
--- /dev/null
+++ b/dynamic-layers/openembedded-layer/recipes-dpaa/fmc/fmc_git.bb
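Review bot: `SRC_URI = "git://git.freescale.com/ppc/sdk/asf.git;branch=sdk-v1.9.x"` fetches over the unauthenticated git protocol, so the only integrity check on this kernel-module source is the pinned `SRCREV`. If the server offers it, appending `;protocol=https` adds an authenticated transport on top of the pin. The same applies to the fmc, usdpaa-apps and web-sysmon recipes in this commit; web-sysmon additionally sets `nobranch=1`, which skips the check that the revision belongs to a named branch.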
@@ -0,0 +1,52 @@
+DESCRIPTION = "Frame Manager Configuration tool"
+SECTION = "fmc"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://COPYING;md5=a504ab5a8ff235e67c7301214749346c"
+
+PR = "r2"
+
+SRC_URI = "git://git.freescale.com/ppc/sdk/fmc.git;branch=sdk-v1.9.x"
+SRCREV = "a079d2c844edd85dff85a317a63198e7988bcd09"
+
+DEPENDS = "libxml2 fmlib tclap"
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+COMPATIBLE_HOST_qoriq-ppc = ".*"
+COMPATIBLE_HOST ?= "(none)"
+
+S = "${WORKDIR}/git"
+
+EXTRA_OEMAKE = 'FMD_USPACE_HEADER_PATH="${STAGING_INCDIR}/fmd" \
+ FMD_USPACE_LIB_PATH="${STAGING_LIBDIR}" LIBXML2_HEADER_PATH="${STAGING_INCDIR}/libxml2" \
+ TCLAP_HEADER_PATH="${STAGING_INCDIR}" '
+EXTRA_OEMAKE_virtclass-native = 'FMCHOSTMODE=1 FMD_USPACE_HEADER_PATH="${STAGING_INCDIR}/fmd" \
+ FMD_USPACE_LIB_PATH="${STAGING_LIBDIR}" LIBXML2_HEADER_PATH="${STAGING_INCDIR}/libxml2" \
+ TCLAP_HEADER_PATH="${STAGING_INCDIR}" '
+
+PARALLEL_MAKE = ""
+
+EXTRA_OEMAKE_PLATFORM ?= ""
+EXTRA_OEMAKE_PLATFORM_b4 = "b4860qds"
+EXTRA_OEMAKE_PLATFORM_t2 = "b4860qds"
+EXTRA_OEMAKE_PLATFORM_t4 = "b4860qds"
+EXTRA_OEMAKE_PLATFORM_t1 = "t1040qds"
+
+do_compile () {
+ oe_runmake MACHINE=${EXTRA_OEMAKE_PLATFORM} -C source
+}
+
+do_install () {
+ install -d ${D}/${bindir}
+ install -m 755 ${S}/source/fmc ${D}/${bindir}/fmc
+
+ install -d ${D}/etc/fmc/config
+ install -m 644 ${S}/etc/fmc/config/hxs_pdl_v3.xml ${D}/etc/fmc/config
+
+ install -d ${D}/${includedir}/fmc
+ install ${S}/source/fmc.h ${D}/${includedir}/fmc
+
+ install -d ${D}/${libdir}
+ install ${S}/source/libfmc.a ${D}/${libdir}
+}
+
+BBCLASSEXTEND = "native"
diff --git a/dynamic-layers/openembedded-layer/recipes-dpaa/usdpaa-apps/usdpaa-apps/fix-the-inline-function-definition-with-gcc-5.x.patch b/dynamic-layers/openembedded-layer/recipes-dpaa/usdpaa-apps/usdpaa-apps/fix-the-inline-function-definition-with-gcc-5.x.patch
new file mode 100644
index 00000000..9f3d22cc
--- /dev/null
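Review bot: In `do_install`, `install ${S}/source/fmc.h ${D}/${includedir}/fmc` and `install ${S}/source/libfmc.a ${D}/${libdir}` carry no `-m`, so the header and the static library get install's default mode 0755. Both should use `install -m 644`, matching the `install -m 644` already used for hxs_pdl_v3.xml in the same function.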
+++ b/dynamic-layers/openembedded-layer/recipes-dpaa/usdpaa-apps/usdpaa-apps/fix-the-inline-function-definition-with-gcc-5.x.patch 
@@ -0,0 +1,80 @@
+From 2b308217d2811e5d1420d7ce6e18f77a992f52e9 Mon Sep 17 00:00:00 2001
+From: Ting Liu <ting.liu@freescale.com>
+Date: Tue, 22 Dec 2015 13:16:33 +0800
+Subject: [PATCH] fix the inline function definition with gcc 5.x
+
+There are different semantics for inline functions for gcc-5.x compared to
+previous gcc. Fix the following build error:
+| dpa_classif_demo.c:(.text+0xeae): undefined reference to `crc64_hash_function'
+| simple_crypto.c:(.text+0x5b8e): undefined reference to `get_num_of_buffers'
+| simple_crypto.c:(.text+0x5b9a): undefined reference to `get_test_mode'
+| simple_crypto.c:(.text+0x5baa): undefined reference to `get_num_of_cpus'
+| simple_crypto.c:(.text+0x5bb2): undefined reference to `requires_authentication'
+| simple_crypto.c:(.text+0x5bbe): undefined reference to `get_thread_barrier'
+
+Upstream-Status: Pending
+
+Signed-off-by: Ting Liu <ting.liu@freescale.com>
+---
+ lib/hash_table/fman_crc64_hash_func.h | 2 +-
+ src/simple_crypto/include/simple_crypto.h | 10 +++++-----
+ src/simple_proto/include/simple_proto.h | 10 +++++-----
+ 3 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/lib/hash_table/fman_crc64_hash_func.h b/lib/hash_table/fman_crc64_hash_func.h
+index 5095203..bdcf12b 100644
+--- a/lib/hash_table/fman_crc64_hash_func.h
++++ b/lib/hash_table/fman_crc64_hash_func.h
+@@ -36,7 +36,7 @@
+ #include <fsl_fman.h>
+
+ /* Hash function used by the hash table based on FMan CRC64 */
+-inline uint32_t crc64_hash_function(uint8_t *key, uint32_t size)
++static inline uint32_t crc64_hash_function(uint8_t *key, uint32_t size)
+ {
+ uint64_t hashval = 0;
+ hashval = fman_crc64_init();
+diff --git a/src/simple_crypto/include/simple_crypto.h b/src/simple_crypto/include/simple_crypto.h
+index bae3460..46ea176 100644
+--- a/src/simple_crypto/include/simple_crypto.h
++++ b/src/simple_crypto/include/simple_crypto.h
+@@ -123,10 +123,10 @@ static int validate_test_set(struct test_param crypto_info);
+ void set_crypto_cbs(struct test_cb *crypto_cb, struct test_param crypto_info);
+ inline int get_num_of_iterations(void *stuff);
+ void set_num_of_iterations(void *stuff, unsigned int itr_num);
+-inline int get_num_of_buffers(void *stuff);
+-inline enum test_mode get_test_mode(void *stuff);
+-inline uint8_t requires_authentication(void *);
+-inline long get_num_of_cpus(void);
+-inline pthread_barrier_t *get_thread_barrier(void);
++static inline int get_num_of_buffers(void *stuff);
++static inline enum test_mode get_test_mode(void *stuff);
++static inline uint8_t requires_authentication(void *);
++static inline long get_num_of_cpus(void);
++static inline pthread_barrier_t *get_thread_barrier(void);
+
+ #endif /* __SIMPLE_CRYPTO_H */
+diff --git a/src/simple_proto/include/simple_proto.h b/src/simple_proto/include/simple_proto.h
+index d413e70..ce0e842 100644
+--- a/src/simple_proto/include/simple_proto.h
++++ b/src/simple_proto/include/simple_proto.h
+@@ -83,11 +83,11 @@ struct protocol_info *(*register_protocol[])(void) = {
+ static void set_crypto_cbs(struct test_cb *crypto_cb);
+ int get_num_of_iterations(void *params);
+ void set_num_of_iterations(void *params, unsigned int itr_num);
+-inline int get_num_of_buffers(void *params);
+-inline enum test_mode get_test_mode(void *params);
+-inline uint8_t requires_authentication(void *);
+-inline long get_num_of_cpus(void);
+-inline pthread_barrier_t *get_thread_barrier(void);
++static inline int get_num_of_buffers(void *params);
++static inline enum test_mode get_test_mode(void *params);
++static inline uint8_t requires_authentication(void *);
++static inline long get_num_of_cpus(void);
++static inline pthread_barrier_t *get_thread_barrier(void);
+ int register_modules(void);
+ void unregister_modules(void);
+
+--
+1.9.2
+
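Review bot: In the simple_crypto.h hunk the context line `inline int get_num_of_iterations(void *stuff);` keeps plain `inline` while the five declarations below it become `static inline`, so under gcc 5's default gnu11 inline semantics it can still produce the same kind of undefined reference if it is called from another translation unit. It probably wants the same treatment, `static inline int get_num_of_iterations(void *stuff);`, or the `inline` dropped as simple_proto.h already has it. Only prototypes are visible in this patch, so whether every source file that includes these headers also defines the now-`static` functions cannot be confirmed from here.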
diff --git a/dynamic-layers/openembedded-layer/recipes-dpaa/usdpaa-apps/usdpaa-apps/xfrm_km.c-use-in6_-macros-from-glibc-instead-of-kern.patch b/dynamic-layers/openembedded-layer/recipes-dpaa/usdpaa-apps/usdpaa-apps/xfrm_km.c-use-in6_-macros-from-glibc-instead-of-kern.patch new file mode 100644 index 00000000..c6d35f00 --- /dev/null +++ b/dynamic-layers/openembedded-layer/recipes-dpaa/usdpaa-apps/usdpaa-apps/xfrm_km.c-use-in6_-macros-from-glibc-instead-of-kern.patch 
@@ -0,0 +1,49 @@
+From 1e1e8d74db98faed57a5a62788e1226801661e0e Mon Sep 17 00:00:00 2001
+From: Ting Liu <ting.liu@freescale.com>
+Date: Tue, 22 Dec 2015 23:37:49 +0800
+Subject: [PATCH] xfrm_km.c: use in6_* macros from glibc instead of kernel
+
+Both glibc and the kernel have in6_* macros definition. Use the one from glibc.
+Kernel headers will check for previous libc definitions by including
+include/linux/libc-compat.h.
+
+Fix the below build error:
+| [CC] xfrm_km.c (bin:srio_ipsec_offload)
+| In file included from .../tmp/sysroots/b4860qds-64b/usr/include/linux/xfrm.h:4:0,
+| from src/srio_ipsec_offload/xfrm_km.c:46:
+| .../usr/include/netinet/in.h:99:5: error: expected identifier before numeric constant
+| IPPROTO_HOPOPTS = 0, /* IPv6 Hop-by-Hop options. */
+| ^
+| In file included from .../tmp/sysroots/b4860qds-64b/usr/include/netinet/ip.h:24:0,
+| from src/srio_ipsec_offload/xfrm_km.c:52:
+| .../tmp/sysroots/b4860qds-64b/usr/include/netinet/in.h:209:8: error: redefinition of 'struct in6_addr'
+| struct in6_addr
+| ^
+| In file included from .../tmp/sysroots/b4860qds-64b/usr/include/linux/xfrm.h:4:0,
+| from src/srio_ipsec_offload/xfrm_km.c:46:
+| .../tmp/sysroots/b4860qds-64b/usr/include/linux/in6.h:32:8: note: originally defined here
+| struct in6_addr {
+| ^
+
+Upstream-Status: Pending
+
+Signed-off-by: Ting Liu <ting.liu@freescale.com>
+---
+ src/srio_ipsec_offload/xfrm_km.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/srio_ipsec_offload/xfrm_km.c b/src/srio_ipsec_offload/xfrm_km.c
+index df23fd1..d69aafa 100644
+--- a/src/srio_ipsec_offload/xfrm_km.c
++++ b/src/srio_ipsec_offload/xfrm_km.c
+@@ -42,6 +42,7 @@
+ #include <linux/types.h>
+ #include <sys/socket.h>
+ #include <sys/ioctl.h>
++#include <netinet/in.h>
+ #include <linux/netlink.h>
+ #include <linux/xfrm.h>
+ #include <sched.h>
+--
+1.9.2
+
diff --git a/dynamic-layers/openembedded-layer/recipes-dpaa/usdpaa-apps/usdpaa-apps_git.bb b/dynamic-layers/openembedded-layer/recipes-dpaa/usdpaa-apps/usdpaa-apps_git.bb new file mode 100644 index 00000000..1a19d1e8 --- /dev/null +++ b/dynamic-layers/openembedded-layer/recipes-dpaa/usdpaa-apps/usdpaa-apps_git.bb 
@@ -0,0 +1,68 @@
+DESCRIPTION = "User-Space Data-Path Acceleration Architecture Demo Applications"
+LICENSE = "BSD & GPLv2"
+LIC_FILES_CHKSUM = "file://Makefile;endline=30;md5=d2a5d894118910d49993347f3f6e0f1e"
+
+inherit pkgconfig
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+DEPENDS = "libxml2 libedit ncurses readline fmc usdpaa dpa-offload libnl"
+DEPENDS_append_b4860qds = " ipc-ust"
+DEPENDS_append_b4420qds = " ipc-ust"
+
+RDEPENDS_${PN} = "libgcc bash"
+RDEPENDS_${PN}_append_b4860qds = " ipc-ust"
+RDEPENDS_${PN}_append_b4420qds = " ipc-ust"
+
+SRC_URI = "git://git.freescale.com/ppc/sdk/usdpaa/usdpaa-apps.git;branch=sdk-v1.9.x \
+ file://fix-the-inline-function-definition-with-gcc-5.x.patch \
+ file://xfrm_km.c-use-in6_-macros-from-glibc-instead-of-kern.patch \
+"
+SRCREV = "1d9418af04990289bec72cd43a9385690523fcdb"
+
+S = "${WORKDIR}/git"
+
+EXTRA_OEMAKE = 'CC="${CC}" LD="${LD}" AR="${AR}"'
+export ARCH="${TARGET_ARCH}"
+
+SOC ?= "P4080"
+SOC_b4 = "B4860"
+SOC_t1 = "T1040"
+SOC_t2 = "T2080"
+SOC_t4 = "T4240"
+SOC_p1023rdb = "P1023"
+
+FMAN_VARIANT ?= "P4080"
+FMAN_VARIANT_b4 = "FMAN_V3H"
+FMAN_VARIANT_t1 = "FMAN_V3L"
+FMAN_VARIANT_t2 = "FMAN_V3H"
+FMAN_VARIANT_t4 = "FMAN_V3H"
+FMAN_VARIANT_p1023rdb = "P1023"
+
+do_compile_prepend () {
+ export SOC=${SOC}
+ export FMC_EXTRA_CFLAGS="-I ${STAGING_INCDIR}/fmc"
+ export FMLIB_EXTRA_CFLAGS="-I ${STAGING_INCDIR}/fmd \
+ -I ${STAGING_INCDIR}/fmd/Peripherals \
+ -I ${STAGING_INCDIR}/fmd/integrations \
+ -D${FMAN_VARIANT}"
+ export USDPAA_EXTRA_CFLAGS="-I ${STAGING_INCDIR}/usdpaa"
+ export DPAOFFLOAD_EXTRA_CFLAGS="-I ${STAGING_INCDIR}/dpa-offload"
+ export LIBNL_EXTRA_CFLAGS="-I ${STAGING_INCDIR}/libnl3"
+ export LIBNL_EXTRA_LDFLAGS="-lnl-3 -lnl-route-3"
+ export LIBXML2_CFLAGS="`pkg-config --cflags libxml-2.0`"
+ export LIBXML2_LDFLAGS="`pkg-config --libs --static libxml-2.0`"
+ export LIBEDIT_CFLAGS="`pkg-config --cflags libedit`"
+ export LIBEDIT_LDFLAGS="`pkg-config --libs --static libedit`"
+}
+
+do_install () {
+ export SOC=${SOC}
+ oe_runmake install DESTDIR=${D}
+}
+
+PARALLEL_MAKE_pn-${PN} = ""
+FILES_${PN} += "/root/SOURCE_THIS /usr/etc/"
+
+COMPATIBLE_HOST_qoriq-ppc = ".*"
+COMPATIBLE_HOST ?= "(none)"
diff --git a/dynamic-layers/openembedded-layer/recipes-support/web-sysmon/web-sysmon_git.bb b/dynamic-layers/openembedded-layer/recipes-support/web-sysmon/web-sysmon_git.bb
new file mode 100644
index 00000000..36a0c209
--- /dev/null
+++ b/dynamic-layers/openembedded-layer/recipes-support/web-sysmon/web-sysmon_git.bb
@@ -0,0 +1,35 @@
+DESCRIPTION = "Web System Monitor Files"
+SECTION = "web-sysmon"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e"
+
+RDEPENDS_${PN} = "\
+ bc \
+ cairo \
+ coreutils \
+ cronie \
+ liberation-fonts \
+ lighttpd \
+ lighttpd-module-cgi \
+ lmsensors-sensors \
+ make \
+ rrdtool \
+"
+
+SRC_URI = "git://git.freescale.com/ppc/sdk/web-sysmon-dev.git;nobranch=1"
+SRCREV = "8d0c6eca1113832fabe917fd0cb25abe2d4d7157"
+
+inherit update-rc.d
+
+S = "${WORKDIR}/git"
+
+EXTRA_OEMAKE += "D=${D}"
+do_install () {
+ oe_runmake install
+}
+
+FILES_${PN} += "/"
+
+INITSCRIPT_NAME = "web-sysmon.sh"
+INITSCRIPT_PARAMS = "defaults 99 20"
+COMPATIBLE_MACHINE = "(qoriq-ppc)"
|
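Review bot: In web-sysmon_git.bb, `FILES_${PN} += "/"` puts every path that upstream's `make install` writes into the main package, so nothing in the recipe shows what it adds to the image. The package depends on `lighttpd` and `lighttpd-module-cgi` and registers `web-sysmon.sh` with `INITSCRIPT_PARAMS = "defaults 99 20"`, so installing it presumably starts a CGI web service at boot. Listing the installed directories explicitly in `FILES_${PN}` would make the package contents reviewable, and a comment above `INITSCRIPT_NAME` should state that the service is enabled by default.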