IKEv2 Interop testing with OpenBSD

From Libreswan
Revision as of 12:54, 27 August 2020 by Ravi Teja (talk | contribs)

Introduction

IPSec standards are produced and maintained by the IETF and are implemented by many software projects, including Libreswan. IKED is one such native implementation of IPSec v2 on OpenBSD. My project's goal is to perform interop tests where one end is Libreswan on Linux (Fedora) and the other is the native IKE daemon on OpenBSD.


Implementation

  • Perform a Non-interactive OpenBSD installation

OpenBSD's autoinstall allows unattended installation by automatically responding to installer questions with answers from a response file (auto_install.conf). But this introduces additional complexities into the testing system. So I have come up with a Python pexpect script which adds an install.conf file (which consists of answers to the default questions) into the OpenBSD ISO and performs the installation by taking the values from that file.

  • Mounting directory over NFS

With OpenBSD running as a virtual machine, mounting the testing directory via QEMU would require the 9p file system. But QEMU's 9p is not the same as Plan 9's 9p (the only software that can be used to mount a 9p FS on OpenBSD): Plan 9's 9p is 9p2000, which transports a subset of Plan 9 system calls over the network, while QEMU's 9p is 9p2000.L, which transports a subset of Linux system calls over the network. So we have to serve files over NFS to mount the testing directory on OpenBSD.

  • Cloning them as obsde (OpenBSD East) and obsdw (OpenBSD West)

Initially, we create a base image called OpenBSD-base and then clone it as OpenBSD East (openbsde) and OpenBSD West (openbsdw).

  • Adding additional tests

Writing additional tests to check interoperability between Libreswan on one end and OpenBSD's IKED daemon on the other end.
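The non-interactive installation step depends on a response file of `question = answer` lines. The following is an added example, not code from the project's repository: it parses such a file, looks up the reply for an installer prompt the way a pexpect-driven run would need to, and flags settings worth reviewing before the file is baked into an image. The sample file, the prompt strings, the substring matching rule and the `$2` hash-prefix check are assumptions of this example; autoinstall(8) documents the installer's exact rules.

```python
import re

# Constructed sample response file; keys are fragments of installer questions.
SAMPLE_INSTALL_CONF = """\
# answers for the base image (constructed values)
System hostname = openbsd-base
Password for root = example-only-password
Allow root ssh login = yes
Location of sets = cd0
"""

def parse_response_file(text):
    """Return (question_fragment, answer) pairs from 'question = answer' lines."""
    pairs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected 'question = answer'")
        pairs.append((key.strip().lower(), value.strip()))
    return pairs

def answer_for(prompt, pairs):
    """Pick the reply for one installer prompt, or '' to accept its default."""
    # Drop the bracketed default, e.g. "[no]", before matching (simplified rule).
    question = re.sub(r"\[[^\]]*\]", "", prompt).lower()
    matches = [(k, v) for k, v in pairs if k in question]
    if len({v for _, v in matches}) > 1:
        raise LookupError(f"ambiguous keys for prompt: {prompt!r}")
    return matches[0][1] if matches else ""

def audit(pairs):
    """Flag settings worth reviewing before the file is baked into an image."""
    findings = []
    for key, value in pairs:
        if "password" in key and not value.startswith("$2"):
            findings.append(f"'{key}' holds a plaintext password")
        if "root ssh login" in key and value.lower() == "yes":
            findings.append("root SSH login is enabled")
    return findings
```

Because the response file ends up inside the installation ISO, anything `audit` reports is readable by whoever can read that image.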


Issues encountered

OpenBSD's documentation is very incomprehensible (can't blame though) on how to automatically perform a non-interactive installation. Further, I wasn't able to find any resources on how to mount a 9P file system on an OpenBSD VM, and there exists only one project, called Plan9port, which kinda supports 9PFS, but not the one which is supported by QEMU.

Further Work

  • Adding additional tests to the testing system which involve shared certificate and more complex operations.
  • Installing Libreswan on OpenBSD and performing tests between Libreswan on OpenBSD and Libreswan on Linux (Fedora).
  • Adding a dedicated test network subnet to the test networks to exclusively serve NFS mount for OpenBSD systems (suggested).


Source code

Code Status: Development completed (some minor issues to fix) and to be released in the upcoming version.

Repository Link - https://github.com/ravitejacms/libreswan

This project work was sponsored by Google as part of the Google Summer of Code 2020 Program. The implementation for this project is done by Ravi Teja (hello@rtcms.dev) under the guidance of Paul Wouters, Tuomo Soini, and Andrew Cagney.


License

This project is licensed under the GNU General Public License v2.0.