IKEv2 Interop testing with OpenBSD
IPSec standards are produced and maintained by the IETF and are implemented by many software projects, including Libreswan. IKED is one such native implementation of IPSec v2 on OpenBSD. My project's goal is to perform interop tests where one end is Libreswan on Linux (Fedora) and the other is the native IKE daemon on OpenBSD.
- Perform a Non-interactive OpenBSD installation
OpenBSD's autoinstall allows unattended installation by automatically responding to installer questions with answers from a response file (auto_install.conf). But this introduces additional complexities into the testing system. So I have come up with a Python pexpect script which adds an install.conf file (which consists of answers to default questions) into the OpenBSD ISO and performs the installation by taking the values from that file.
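The lookup a prompt-driven installer script has to perform against such a response file, as an added example (not the project's pexpect script). It assumes `question = answer` lines whose key is a case-insensitive part of the installer question, as autoinstall(8) describes; the file contents, prompts and function names are constructed for illustration.

```python
# Constructed sample response file (not the project's install.conf).
SAMPLE_INSTALL_CONF = """\
System hostname = openbsd-base
Password for root = CHANGE-ME-test-only
Setup a user = no
Allow root ssh login = yes
What timezone are you in = UTC
Location of sets = cd0
Set name(s) = -game*.tgz -x*.tgz
"""

# Constructed (prompt, installer default) pairs modelled on installer questions.
SAMPLE_PROMPTS = [
    ("System hostname? (short form, e.g. 'foo')", ""),
    ("Password for root account? (will not echo)", ""),
    ("Start sshd(8) by default? [yes]", "yes"),
    ("Location of sets? (cd0 disk http nfs or 'done') [cd0]", "cd0"),
]


def parse_response_file(text):
    """Return [(lowercased question key, answer)] from 'question = answer' lines."""
    pairs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected 'question = answer'")
        pairs.append((key.strip().lower(), value.strip()))
    return pairs


def answer_for(prompt, pairs, default=""):
    """Answer whose key is part of the prompt; fall back to the installer default."""
    wanted = prompt.lower()
    matches = [value for key, value in pairs if key in wanted]
    if len(matches) > 1:
        # An ambiguous key would silently answer the wrong question.
        raise LookupError(f"more than one key matches prompt {prompt!r}")
    return matches[0] if matches else default


def plan_answers(prompts, pairs):
    """Answers in the order a pexpect driver would sendline() them."""
    return [answer_for(prompt, pairs, default) for prompt, default in prompts]
```

Failing on an ambiguous key matters here because an unattended run gives no chance to notice that a short key such as `set` answered the wrong question.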
- Mounting directory over NFS
With OpenBSD running as a virtual machine, mounting the testing directory via QEMU requires the 9p file system. But QEMU's 9p is not the same as Plan 9's 9p (the only software that can be used to mount a 9p FS on OpenBSD): Plan 9's 9p is 9p2000, which transports a subset of Plan 9 system calls over the network, while QEMU's 9p is 9p2000.L, which transports a subset of Linux system calls over the network. So we have to serve files over NFS to mount the testing directory on OpenBSD.
- Cloning them as obsde (OpenBSD East) and obsdw (OpenBSD West)
Initially, we create a base image called OpenBSD-base and then clone it as OpenBSD East (openbsde) and OpenBSD West (openbsdw).
- Adding additional tests
Writing additional tests to perform interoperability tests between Libreswan on one end and OpenBSD's IKED daemon on the other end.
OpenBSD's documentation is very incomprehensible (can't blame though) on how to automatically perform a non-interactive installation. Further, I wasn't able to find any resources on how to mount a 9P file system on an OpenBSD VM, and there exists only one project, called Plan9port, which kinda supports 9PFS, but not the one which is supported by QEMU.
- Adding additional tests to the testing system which involve shared certificate and more complex operations.
- Installing Libreswan on OpenBSD and performing tests between Libreswan on OpenBSD and Libreswan on Linux (Fedora).
- Adding a dedicated test network subnet to the test networks to exclusively serve NFS mount for OpenBSD systems (suggested).
Code Status: Development completed (some minor issues to fix) and to be released in the upcoming version.
Repository Link - https://github.com/ravitejacms/libreswan
This project work was sponsored by Google as part of the Google Summer of Code 2020 Program. The implementation for this project was done by Ravi Teja (firstname.lastname@example.org) under the guidance of Paul Wouters, Tuomo Soini, and Andrew Cagney.
This project is licensed under the GNU General Public License v2.0.