1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
|
# set various configuration parameters
# Use shell "." command to load these into the environment
set -u
# Where to find programs to test.
# These can be overridden by environment.
# Note: {WEST,EAST}PLUTO and {WEST,EAST,NORTH,SOUTH}WHACK
# allow more specific control
# Note: paths must be absolute because dopluto does a cd.
export PLUTO="${PLUTO:-`pwd`/../../programs/pluto/pluto}"
export WHACK="${WHACK:-`pwd`/../../programs/pluto/whack}"
if [ ! -x "$PLUTO" -a "$PLUTO" != "ipsec pluto" ] ; then
echo "ERROR: Where is Pluto? Not in \"$PLUTO\"; set \$PLUTO correctly." >&2
exit 1
fi
if [ ! -x "$WHACK" -a "$WHACK" != "ipsec whack" ] ; then
echo "ERROR: Where is whack? Not in \"$WHACK\"; set \$WHACK correctly." >&2
exit 1
fi
export LWDNSQOPTION=""
case "${USE_LWRES:-}" in
true)
LWDNSQ=${LWDNSQ:-`pwd`/../../programs/lwdnsq/lwdnsq}
if [ ! -x $LWDNSQ ] ; then
if [ -x `dirname "$PLUTO"`/lwdnsq ] ; then
LWDNSQ=`dirname "$PLUTO"`/lwdnsq
else
echo "ERROR: Where is lwdnsq? Not in \"$LWDNSQ\"; set \$LWDNSQ correctly." >&2
exit 1
fi
fi
LWDNSQOPTION="--lwdnsq $LWDNSQ"
;;
esac
export IKEPORT=8500
export DOMAIN=example
export ROUTER=127.95.7.254
export WESTIP=127.95.7.1
export EASTIP=127.95.7.2
export NORTHIP=127.95.7.3
export SOUTHIP=127.95.7.4
export WESTIF=lo:w
export EASTIF=lo:e
export NORTHIF=lo:n
export SOUTHIF=lo:s
export WESTSUBNET=127.95.7.8/30
export VICTORIA=127.95.7.10
export VANCOUVER=127.95.7.11
export VANISHED=127.95.7.8 # missing, naturally
export WESTSUBNET2=127.95.7.12/30
export WESTSUBNET3=127.95.7.16/30
export EASTSUBNETNET=127.95.7.20
export EASTSUBNET=$EASTSUBNETNET/30
export EASTHALFSUBNET=$EASTSUBNETNET/31 # includes Truro
export TRURO=127.95.7.21
export ANTIGONISH=127.95.7.22
export ATLANTIS=127.95.7.23 # missing, naturally
export EASTSUBNET2=127.95.7.24/30
export EASTSUBNET3=127.95.7.28/30
export NORTHSUBNET=127.95.7.32/30
export NORTHSUBNET2=127.95.7.36/30
export NORTHSUBNET3=127.95.7.40/30
export SOUTHSUBNET=127.95.7.44/30
export SOUTHSUBNET2=127.95.7.48/30
export SOUTHSUBNET3=127.95.7.52/30
# sometimes CMP=diff is useful
CMP=${CMP:-cmp}
DOPLUTO=dopluto
DOWHACK=dowhack
DFAIL=""
XFAIL=""
SFAIL=""
REFMISSING=""
CFAIL=""
WESTHOST="--host $WESTIP --ikeport $IKEPORT"
WESTNET="$WESTHOST --client $WESTSUBNET"
EASTHOST="--host $EASTIP --ikeport $IKEPORT"
EASTNET="$EASTHOST --client $EASTSUBNET"
ANYHOST="--host %any --ikeport $IKEPORT"
OPPO="--host %opportunistic --ikeport $IKEPORT"
OPPONARROW="$OPPO --client 127.0.0.0/8"
OPPOMISS="$OPPO --client 10.0.0.0/8"
GROUP="--host %group --ikeport $IKEPORT"
OPPOGROUP="--host %opportunisticgroup --ikeport $IKEPORT"
WHACKWEST="${WESTWHACK:-$WHACK} --ctlbase pluto/west/pluto.west"
WHACKEAST="${EASTWHACK:-$WHACK} --ctlbase pluto/east/pluto.east"
# run of the mill lifetimes
NORMALMARG=350
NORMALIKE=900
TIMES="--rekeymargin $NORMALMARG --ikelifetime $NORMALIKE --ipseclifetime 800"
# half size, to be shorter
SHORTMARG=175
SHORTIKE=450
SHORTIPSEC=400
SHORTTIMES="--rekeymargin $SHORTMARG --ikelifetime $SHORTIKE --ipseclifetime $SHORTIPSEC"
# really small so we're willing to sleep through a keying interval
TINYIPSECLIFETIME=40
TINYTIMES="--rekeymargin 17 --ikelifetime 45 --ipseclifetime $TINYIPSECLIFETIME"
TIMES0="$TIMES --keyingtries 0"
TIMES1="$TIMES --keyingtries 1"
TIMES2="$TIMES --keyingtries 2"
LIST="1 2 3 4 5"
# dumb boilerplate
TO="--updown silly --to --updown sally"
function whackwest() {
$WHACKWEST "$@"
}
function whackeast() {
$WHACKEAST "$@"
}
function perform() {
echo "$@"
"$@" || echo RC: $?
}
function me() {
perform whackwest "$@"
}
function him() {
perform whackeast "$@"
}
function both() {
perform whackwest "$@"
perform whackeast "$@"
}
function me_status() {
me --status | canonicize_status
}
function him_status() {
him --status | canonicize_status
}
function both_status() {
both --status | canonicize_status
}
# Grab the lifetime setting actually in states.
# Turn them into shell variable assignments suitable for eval ``.
function grab_lifetimes() {
( me --status ; him --status ) | sed -n -e \
'/STATE_/ {
s/.*MAIN/ISAKMP/
s/.*QUICK/IPsec/
s/_I[0-4]/_I!/
s/_R[0-4]/_R!/
s/!.*EVENT_SA_\([^ ]*\)/_\1!/
s/! in \([0-9]*\)s.*/=\1/
p
}'
}
# Check if lifetime is close to predicted time
# Can't be more, but might be a bit less.
# A bit is 3 seconds, for now.
# Must not print variable values unless we have an error condition.
function notcloseto() {
if expr '(' $1 ')' '>' '(' $2 ')' >/dev/null
then
echo bad $3: $1 '>' $2
return 0
elif expr '(' $1 ')' '<' '(' $2 ')' - 3 >/dev/null
then
echo bad $3: $1 '<' $2 - 3
return 0
else
echo good $3: close to $2
return 1
fi
}
function canonicize_status() {
sed -e 's/ in [1-9][0-9]*s/ in ???s/' \
-e 's/ esp\.[0-9a-f]*@/ esp.???@/g' \
-e 's/ ah\.[0-9a-f]*@/ ah.???@/g' \
-e 's/ comp\.[0-9a-f]*@/ comp.???@/g' \
-e '/^000 my FQDN =/s/@.*/@FQDN/'
}
|
