| blob | 1a25c1e6d9af74e107362ffe4d5e42ae7558d18b |
1 # This test sets up a host-to-host IPsec VPN between Alice and Bob, each on its
2 # own network and with Eve as the only route between each other. We check that
3 # Eve can eavesdrop the plaintext traffic between Alice and Bob, but once they
4 # enable the secure tunnel Eve's spying becomes ineffective.
6 { lib, pkgs, ... }:
8 let
10 # IPsec tunnel between Alice and Bob
11 tunnelConfig = {
12 services.libreswan.enable = true;
13 services.libreswan.connections.tunnel =
14 ''
15 leftid=@alice
16 left=fd::a
17 rightid=@bob
18 right=fd::b
19 authby=secret
20 auto=add
21 '';
22 environment.etc."ipsec.d/tunnel.secrets" =
23 { text = ''@alice @bob : PSK "j1JbIi9WY07rxwcNQ6nbyThKCf9DGxWOyokXIQcAQUnafsNTUJxfsxwk9WYK8fHj"'';
24 mode = "600";
25 };
26 };
28 # Common network setup
29 baseNetwork = {
30 # shared hosts file
31 extraHosts = lib.mkVMOverride ''
32 fd::a alice
33 fd::b bob
34 fd::e eve
35 '';
36 # remove all automatic addresses
37 useDHCP = false;
38 interfaces.eth1.ipv4.addresses = lib.mkVMOverride [];
39 interfaces.eth2.ipv4.addresses = lib.mkVMOverride [];
40 interfaces.eth1.ipv6.addresses = lib.mkVMOverride [];
41 interfaces.eth2.ipv6.addresses = lib.mkVMOverride [];
42 # open a port for testing
43 firewall.allowedUDPPorts = [ 1234 ];
44 };
46 # Adds an address and route from a to b via Eve
47 addRoute = a: b: {
48 interfaces.eth1.ipv6.addresses =
49 [ { address = a; prefixLength = 64; } ];
50 interfaces.eth1.ipv6.routes =
51 [ { address = b; prefixLength = 128; via = "fd::e"; } ];
52 };
54 in
56 {
57 name = "libreswan";
58 meta = with lib.maintainers; {
59 maintainers = [ rnhmjoj ];
60 };
62 # Our protagonist
63 nodes.alice = { ... }: {
64 virtualisation.vlans = [ 1 ];
65 networking = baseNetwork // addRoute "fd::a" "fd::b";
66 } // tunnelConfig;
68 # Her best friend
69 nodes.bob = { ... }: {
70 virtualisation.vlans = [ 2 ];
71 networking = baseNetwork // addRoute "fd::b" "fd::a";
72 } // tunnelConfig;
74 # The malicious network operator
75 nodes.eve = { ... }: {
76 virtualisation.vlans = [ 1 2 ];
77 networking = lib.mkMerge
78 [ baseNetwork
79 { interfaces.br0.ipv6.addresses =
80 [ { address = "fd::e"; prefixLength = 64; } ];
81 bridges.br0.interfaces = [ "eth1" "eth2" ];
82 }
83 ];
84 environment.systemPackages = [ pkgs.tcpdump ];
85 boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = true;
86 };
88 testScript =
89 ''
90 def alice_to_bob(msg: str):
91 """
92 Sends a message as Alice to Bob
93 """
94 bob.execute("nc -lu ::0 1234 >/tmp/msg &")
95 alice.sleep(1)
96 alice.succeed(f"echo '{msg}' | nc -uw 0 bob 1234")
97 bob.succeed(f"grep '{msg}' /tmp/msg")
100 def eavesdrop():
101 """
102 Starts eavesdropping on Alice and Bob
103 """
104 match = "src host alice and dst host bob"
105 eve.execute(f"tcpdump -i br0 -c 1 -Avv {match} >/tmp/log &")
108 start_all()
110 with subtest("Network is up"):
111 alice.wait_until_succeeds("ping -c1 bob")
112 alice.succeed("systemctl restart ipsec")
113 bob.succeed("systemctl restart ipsec")
115 with subtest("Eve can eavesdrop cleartext traffic"):
116 eavesdrop()
117 alice_to_bob("I secretly love turnip")
118 eve.sleep(1)
119 eve.succeed("grep turnip /tmp/log")
121 with subtest("Libreswan is ready"):
122 alice.wait_for_unit("ipsec")
123 bob.wait_for_unit("ipsec")
124 alice.succeed("ipsec checkconfig")
126 with subtest("Alice and Bob can start the tunnel"):
127 alice.execute("ipsec start tunnel >&2 &")
128 bob.succeed("ipsec start tunnel")
129 # apparently this is needed to "wake" the tunnel
130 bob.execute("ping -c1 alice")
132 with subtest("Eve no longer can eavesdrop"):
133 eavesdrop()
134 alice_to_bob("Just kidding, I actually like rhubarb")
135 eve.sleep(1)
136 eve.fail("grep rhubarb /tmp/log")
137 '';
138 }