#!/bin/bash
# COPYRIGHT NOTICE STARTS HERE
#
# Copyright 2019 Intel Co., Ltd.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# COPYRIGHT NOTICE ENDS HERE

# This script prepares the runtime environment
# for running vIPSec shell scripts on Ubuntu 18.04

# Fail-fast shell options, enabled in one go:
#   -e  abort on the first unhandled non-zero status
#   -u  treat an unset variable as an error (all inputs come from the environment)
#   -x  trace every expanded command to stderr (verbose; meant for demo debugging)
#   pipefail  a failing stage anywhere in a pipeline fails the whole pipeline
set -euxo pipefail

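#######################################
# Install the build/runtime prerequisites and register the fd.io apt
# repository that install_vpp pulls the VPP packages from.
# Globals:   none read; writes /etc/apt/sources.list.d/99fd.io.list
# Arguments: none
# Returns:   non-zero if any step fails (the script aborts under errexit)
#######################################
function setup_dependencies {
    local fdio_list=/etc/apt/sources.list.d/99fd.io.list

    apt-get update
    # The header package must match the running kernel because igb_uio is
    # built out-of-tree against it in install_dpdk.
    apt-get install -y curl gnupg2 pciutils make gcc libnuma-dev git \
        "linux-headers-$(uname -r)" module-init-tools libssl-dev

    # The list file is dedicated to this repository, so overwrite instead of
    # append: re-running the script no longer accumulates duplicate entries.
    # NOTE(review): [trusted=yes] disables apt signature verification for this
    # repository, so the key imported below is never used to verify the vpp
    # packages. The key is fetched from the "master" channel while the
    # repository added is "release" - confirm they share a signing key, then
    # drop [trusted=yes] to restore package verification.
    echo "deb [trusted=yes] https://packagecloud.io/fdio/release/ubuntu bionic main" > "$fdio_list"
    # -f makes curl fail on HTTP errors so that, together with pipefail, an
    # HTML error page is never fed to apt-key; -sS keeps real errors visible.
    curl -fsSL https://packagecloud.io/fdio/master/gpgkey | apt-key add -
}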

#######################################
# Install VPP plus its core and DPDK plugin packages from the apt
# repository registered by setup_dependencies.
# Globals:   none
# Arguments: none
# Returns:   non-zero if apt-get fails (the script aborts under errexit)
#######################################
install_vpp() {
    local -a vpp_packages=(vpp vpp-plugin-core vpp-plugin-dpdk)

    apt-get update
    apt-get install -y "${vpp_packages[@]}"
}

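#######################################
# Fetch and build DPDK from source under /opt/dpdk and load the igb_uio
# kernel module that ipsec_settings later binds the NICs to.
# Globals:   exports RTE_TARGET, DESTDIR and RTE_SDK for the DPDK build
# Arguments: none
# Returns:   non-zero if the clone, build or module load fails (the script
#            aborts under errexit)
#######################################
function install_dpdk {
    local dpdk_dir=/opt/dpdk

    cd /opt
    # https rather than http: this tree is compiled into a kernel module, so
    # the transport should at least be integrity-protected.
    # NOTE(review): the clone is unpinned (branch HEAD at run time), so the
    # build is not reproducible; pinning a tag or commit is recommended.
    git clone https://dpdk.org/git/dpdk
    cd "$dpdk_dir"
    # One export per line instead of an && chain; the values are unchanged.
    export RTE_TARGET=x86_64-native-linux-gcc/
    export DESTDIR="$dpdk_dir"
    export RTE_SDK="$dpdk_dir"
    make install T=x86_64-native-linux-gcc
    modprobe uio
    # Unsigned out-of-tree module built above; loading it may be refused on
    # kernels that enforce module signing, which aborts the script here.
    insmod x86_64-native-linux-gcc/kmod/igb_uio.ko
}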

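#######################################
# Generate the VPP startup configuration and the sample IPsec exec file under
# /opt/config, bind the data-plane NICs (and the QAT devices when enabled) to
# igb_uio, and start VPP with that configuration.
# Globals (read):     sriov_enabled, qat_enabled, input_interface_ip,
#                     output_interface_ip, remote_tunnel_ip, route_interface,
#                     packet_src, packet_dst, traffic_direction
# Globals (exported): interfaceABus, interfaceBBus, interfaceA, interfaceB,
#                     qatABus, qatBBus
# Arguments: none
# Outputs:   writes /opt/config/vpp.config and /opt/config/ipsec.conf
# Returns:   1 when a required PCI device or VPP interface cannot be found
#            (every other failure aborts the script under errexit)
#######################################
function ipsec_settings {
    local vpp_config=/opt/config/vpp.config
    local ipsec_conf=/opt/config/ipsec.conf

# Create vpp configuration file. The interfaceABus/interfaceBBus tokens are
# placeholders replaced with PCI addresses below. The delimiter is quoted so
# the content is written literally (it contains no expansions anyway).
    cat > "$vpp_config" << 'EOF'
    unix {
            exec /opt/config/ipsec.conf
            nodaemon
            cli-listen /run/vpp/cli.sock
            log /tmp/vpp.log
         }

    cpu {
           main-core 0
           corelist-workers 1
        }

    dpdk {
            socket-mem 512
            log-level debug
            no-tx-checksum-offload
            dev default{
                    num-tx-desc 512
                    num-rx-desc 512
            }
            dev interfaceABus
            {
                    workers 0
            }
            dev interfaceBBus
            {
                    workers 0
            }
            vdev crypto_aesni_mb0

            no-multi-seg

            #enable_cryptodev

         }
EOF

# Check if sriov and qat are enabled, bind the pci devices with igb_uio driver.
# The lookups are allowed to fail (|| true) so that the explicit check below
# reports a missing device instead of either aborting silently (pipefail) or
# carrying an empty value into sed/dpdk-devbind as the original did.
    if [ "$sriov_enabled" = true ]; then
        # First and second PCI function with vendor:device 8086:154c
        interfaceABus=$(lspci -D -nn | grep -m1 '8086:154c' | cut -d ' ' -f 1) || true
        interfaceBBus=$(lspci -D -nn | grep -m2 '8086:154c' | cut -d ' ' -f 1 | tail -n1) || true
    else
        # PCI address taken from the sysfs symlink target of eth1/eth3;
        # -w keeps eth10, eth11, ... from matching as well.
        interfaceABus=$(ls -la /sys/class/net | grep -w 'eth1' | cut -d '/' -f 5) || true
        interfaceBBus=$(ls -la /sys/class/net | grep -w 'eth3' | cut -d '/' -f 5) || true
    fi
    [[ -n "$interfaceABus" && -n "$interfaceBBus" ]] || {
        printf 'ipsec_settings: could not determine the PCI addresses of both data-plane NICs\n' >&2
        return 1
    }
    export interfaceABus interfaceBBus

    sed -i -e "s/interfaceABus/${interfaceABus}/g" -e "s/interfaceBBus/${interfaceBBus}/g" "$vpp_config"
    python /opt/dpdk/usertools/dpdk-devbind.py -b igb_uio "$interfaceABus" "$interfaceBBus"
    # NOTE(review): vppctl is queried here, before the 'vpp -c' at the end of
    # this function; this only yields names if a VPP instance (presumably the
    # packaged service) is already running and lists the bound devices - confirm.
    interfaceA=$(vppctl sh int | awk '$2 == "1"' | cut -d ' ' -f 1) || true
    interfaceB=$(vppctl sh int | awk '$2 == "2"' | cut -d ' ' -f 1) || true
    [[ -n "$interfaceA" && -n "$interfaceB" ]] || {
        printf 'ipsec_settings: could not read both interface names from vppctl\n' >&2
        return 1
    }
    export interfaceA interfaceB

    if [ "$qat_enabled" = true ]; then
        qatABus=$(lspci -D -nn | grep -m1 '8086:37c9' | cut -d ' ' -f 1) || true
        qatBBus=$(lspci -D -nn | grep -m2 '8086:37c9' | cut -d ' ' -f 1 | tail -n1) || true
        [[ -n "$qatABus" && -n "$qatBBus" ]] || {
            printf 'ipsec_settings: qat_enabled is set but two QAT devices were not found\n' >&2
            return 1
        }
        export qatABus qatBBus
        python /opt/dpdk/usertools/dpdk-devbind.py -b igb_uio "$qatABus" "$qatBBus"
        # GNU sed append form kept unchanged. NOTE(review): verify the two
        # 'dev' lines land one per line inside the dpdk {} stanza.
        sed -i "/#enable_cryptodev/a\n              dev $qatABus\n              dev $qatBBus\n" "$vpp_config"
        # The software AES-NI crypto vdev is dropped in favour of the QAT devices
        sed -i "/vdev crypto_aesni_mb0/d" "$vpp_config"
    fi

# Create the sample ipsec configuration file.
# NOTE(review): the crypto-key/integ-key below are fixed sample values
# (presumably mirrored on the demo peer); they are literals in the script
# and end up in a world-readable file, so a non-demo deployment must
# provision per-tunnel keys instead. aes-cbc-128 / sha1-96 are likewise the
# demo's choice, not a hardening recommendation.
    cat > "$ipsec_conf" << 'EOF'
    set interface state VirtualFunctionEthernet0/5/0 up
    set interface state VirtualFunctionEthernet0/6/0 up

    set interface ip address VirtualFunctionEthernet0/5/0 input_interface_ip/24
    set interface ip address VirtualFunctionEthernet0/6/0 output_interface_ip/24

    set int promiscuous on VirtualFunctionEthernet0/5/0
    set int promiscuous on VirtualFunctionEthernet0/6/0

    set ip arp VirtualFunctionEthernet0/6/0 remote_tunnel_ip fa:16:3e:a6:e4:c7
    set ip arp VirtualFunctionEthernet0/5/0 input_interface_ip fa:16:3e:f1:65:dc

    ip route add count 1 packet_dst/32 via route_interface VirtualFunctionEthernet0/6/0

    ipsec spd add 1
    set interface ipsec spd VirtualFunctionEthernet0/6/0 1
    ipsec sa add 1 spi 1921681003 esp tunnel-src output_interface_ip tunnel-dst remote_tunnel_ip crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96
    ipsec policy add spd 1 traffic_direction priority 100 action protect sa 1 local-ip-range packet_src-packet_src remote-ip-range packet_dst-packet_dst
    ipsec policy add spd 1 traffic_direction priority 90 protocol 50 action bypass local-ip-range packet_src-255.255.255.255 remote-ip-range remote_tunnel_ip-remote_tunnel_ip
EOF

# Replace all ip and interfaces inside the ipsec configuration file.
# The interface names contain '/', hence the '#' delimiter for those two
# expressions. The original VirtualFunctionEthernet0/6/0 expression ended in
# "/g" instead of "#g", which is an unterminated s command for sed.
    sed -i \
        -e "s/input_interface_ip/${input_interface_ip}/g" \
        -e "s/output_interface_ip/${output_interface_ip}/g" \
        -e "s/remote_tunnel_ip/${remote_tunnel_ip}/g" \
        -e "s/route_interface/${route_interface}/g" \
        -e "s#VirtualFunctionEthernet0/5/0#${interfaceA}#g" \
        -e "s#VirtualFunctionEthernet0/6/0#${interfaceB}#g" \
        -e "s/packet_src/${packet_src}/g" \
        -e "s/packet_dst/${packet_dst}/g" \
        -e "s/traffic_direction/${traffic_direction}/g" \
        "$ipsec_conf"
    # The exec file now holds the SA keys; VPP runs as root here and can still
    # read it, so restrict it to the owner.
    chmod 600 "$ipsec_conf"
    vpp -c "$vpp_config"
}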


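# Persist the environment-provided parameters for the other vIPSec scripts.
# Every variable below must be set (nounset aborts otherwise). printf writes
# the value verbatim, whereas echo would reinterpret values such as "-n".
# mkdir -p lets the script be re-run on a host that already has /opt/config.
mkdir -p /opt/config
printf '%s\n' "$demo_artifacts_version"         > /opt/config/demo_artifacts_version.txt
printf '%s\n' "$dcae_collector_ip"              > /opt/config/dcae_collector_ip.txt
printf '%s\n' "$dcae_collector_port"            > /opt/config/dcae_collector_port.txt
printf '%s\n' "$ipsec_private_net_gw"           > /opt/config/ipsec_private_net_gw_ip.txt
printf '%s\n' "$ipsec_private_net_cidr"         > /opt/config/ipsec_private_net_cidr.txt
printf '%s\n' "$ipsec_private_network_name"     > /opt/config/ipsec_private_network_name.txt
printf '%s\n' "$packet_src"                     > /opt/config/packet_source_ip.txt
printf '%s\n' "$packet_dst"                     > /opt/config/packet_destination_ip.txt
printf '%s\n' "$remote_tunnel_ip"               > /opt/config/remote_tunnel.txt
printf '%s\n' "$route_interface"                > /opt/config/route_interface.txt
printf '%s\n' "$traffic_direction"              > /opt/config/traffic_direction.txt
printf '%s\n' "$vipsecA_private_ip_0"           > /opt/config/vipsecA_private_ip0.txt
printf '%s\n' "$vipsecA_private_ip_2"           > /opt/config/vipsecA_private_ip2.txt
printf '%s\n' "$protected_clientA_network_name" > /opt/config/protected_clientA_network_name.txt
printf '%s\n' "$protected_clientA_net_gw"       > /opt/config/protected_clientA_net_gw.txt
printf '%s\n' "$protected_clientA_net_cidr"     > /opt/config/protected_clientA_net_cidr.txt

# Reserve hugepages for DPDK. Only append the sysctl line when it is not
# already present so a re-run does not duplicate it.
grep -qF 'vm.nr_hugepages = 1024' /etc/sysctl.conf || echo 'vm.nr_hugepages = 1024' >> /etc/sysctl.conf
sysctl -p

# Order matters: the fd.io repository must exist before VPP is installed, and
# igb_uio must be loaded before ipsec_settings binds the devices to it.
setup_dependencies
install_vpp
install_dpdk
ipsec_settings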