Author: Laxmanagouda Patil



             +----+  140.1.1.0/24  +----+  150.1.1.0/24   +----+
 Head Office | R1 |----------------| R2 |-----------------| R3 | Branch Office
             +----+ dp0s9    dp0s3 +----+ dp0s8     dp0s8 +----+
         dp0s3 /    <========= IPSEC VPN Tunnel ========>    \ dp0s3
              /                                               \
             / 10.1.1.0/24                                     \  172.16.1.0/24
            /                                                   \
         +------+                                              +------+
         | LAN1 |                                              | LAN2 |
         +------+                                              +------+

1 Test Cases

Test Cases

dan-ipsec_01 - Launch, Installation and validation of DANOS software on Ubuntu s/w (18.0.4) and KVM based hypervisor

Test Purpose:	The purpose of this test is to validate the installation of DANOS s/w on KVM based VMs
Test Setup:	As per the diagram Topology1: DANOS-IPSec
Prerequisites:	· VM launched on top of X86 server with below configuration o Ubuntu 18.04 LTS with 4GB RAM and 8GB harddisk o Supported NICs (4 Interfaces) · KVM Virt-Manager
Procedure:	Launch VM using DANOS image with above mentioned configuration Post VM booting and drops into shell, install DANOS using “ install image” For username/password prompt, type “ vyatta” Post step 3, reboot VM once again
Expected Results:	After step 4, DANOS VNF console should be accessible.

dan-ipsec_02 - Test case to bring up and validate site-to-site IPSec tunnel

Test Purpose:	The purpose of this test is to emulate Head-Office to Branch-office connectivity using two VMs connected behind the router
Test Setup:	As per diagram Topology1: DANOS-IPSec
Prerequisites:	3 VMs with DANOS image UP and Running
Procedure:	Configure the R1 and R3 with WAN/LAN IP address. Configure R2 with corresponding IP address. Check the direct connectivity b/n R1/R2 and R2/R3 Configure OSPF b/n R1/R2 and R3 for establishing layer-3 reachability from R1 to R3 via R2 On R1 and R3, configure IPSec parameters for ESP-group and IKE-group with “encryption” and “hash” protocol along with IKE version type to be used On R1 and R3, configure IPSec site-to-site configuration with local and remote peer IP, authentication mode/pre-shared-key, tunnel interface with local/remote prefix for the intended data traffic Verify the IPSec and IKE tunnel is UP using show commands Send end-to-end traffic, validate flows are getting encrypted/decrypted at tunnel source/destination end respectively
Expected Results:	After step 5, IPSec tunnel should be up b/n R1 and R3 After step 6, traffic should be encrypted/decrypted b/n R1 and R3

dan-ipsec_03 - Test case to validate IPSec tunnel is able to re-establish after reset

Test Purpose:	The purpose of this test is to verify connectivity b/n two VMs over tunnel
Test Setup:	As per diagram Topology1: DANOS-IPSec
Prerequisites:	3 VMs with DANOS image UP and Running
Procedure:	Bring up IPSec tunnel as mentioned in test case 2 Keep the traffic flowing from R1 to R3 Reset IPSec tunnel using below command o “reset vpn ipsec-peer” on router R3 Validate the tunnels status and traffic b/n peers
Expected Results:	After step 3, tunnel status on R1 and R3 should go down and come back After step4, traffic should be stopped, there should not be any encryption/decryption of traffic Once the tunnels gets re-established, traffic should start flowing again

dan-ipsec_04 - Validate IPSec tunnel is able to re-establish tunnel after lifetime expires

Test Purpose:	Test case to validate IPSec tunnel re-establishment after lifetime expiry
Test Setup:	As per diagram Topology1: DANOS-IPSec
Prerequisites:	3 VMs with DANOS image UP and Running
Procedure:	Bring up IPSec tunnel b/n R1 and R3. Configure IPSec lifetime on R3 for 60 seconds Start tunnel interested traffic from R1 to R3 Validate tunnel status and traffic after lifetime expires
Expected Results:	After step 3, tunnel should establish after lifetime expires Traffic should restart flowing b/n R1 and R3

dan-ipsec_05 - Validate IPSec tunnel is able to recreate tunnel after change in ESP encryption parameters

Test Purpose:	Test case to validate tunnel re-establishment after change in ESP parameters
Test Setup:	As per the diagram Topology1: DANOS-IPSec
Prerequisites:	3 VMs with DANOS image UP and Running IPSec tunnel UP and Running b/n R1 and R3 with ESP param set to “ aes128gcm128”
Procedure:	Start interested traffic from R3 towards R1 Change ESP parameter to “ aes256” on router R1 Run the reset vpn command on R1 Validate tunnels status and traffic
Expected Results:	After step 3, tunnel should be down b/n R1 and R3. Traffic should also be stopped

dan-ipsec_06 - Validate IPSec tunnel is able to recreate tunnel after change in IKE hash parameters

Test Purpose:	Test case to validate tunnel reestablishment after change in IKE HASH parameters
Test Setup:	As per diagram Topology1: DANOS-IPSec
Prerequisites:	3 VMs with DANOS image UP and Running IPSec tunnel UP and Running b/n R1 and R3 with ESP param set to “ sha1_160”
Procedure:	Start interested traffic from R3 towards R1 Change ESP parameter to “ sha2_512” on router R1 Run the reset vpn command on R1 Validate tunnels status and traffic
Expected Results:	After step 3, tunnel should be down b/n R1 and R3. Traffic should also be stopped

dan-ipsec_07 - Validate IPSec tunnel is able to reestablish tunnel after change in authentication key

Test Purpose:	Test case to validate tunnel reestablishment after change/revert in authentication key
Test Setup:	As per diagram Topology1: DANOS-IPSec
Prerequisites:	3 VMs with DANOS image UP and Running IPSec tunnel UP and Running b/n R1 and R3 with auth key param set to “hm_off1”
Procedure:	Start interested traffic from R3 towards R1 Change auth… key parameter to “ test123” on router R1 Run the reset vpn command on R1 Validate tunnels status and traffic Revert back the auth key to correct value matching on other end Validate tunnels status and traffic
Expected Results:	After step 3, tunnel should be down b/n R1 and R3. Traffic should also be stopped After step 6, tunnel should get reestablish b/n R1 and R3, traffic should start flowing again

dan-ipsec_08 - Validate IPSec tunnel is able to establish more than one tunnel with different configuration

Test Purpose:	Test case to validate more than one tunnel creation with different IPSec params
Test Setup:	As per diagram Topology1: DANOS-IPSec
Prerequisites:	3 VMs with DANOS image UP and Running One IPSec tunnel UP and Running b/n R1 and R3
Procedure:	Create another set of ESP/IKE configuration with same tunnel source and destination IP address Validate tunnels status and traffic on both tunnels Start the interested traffic for both the tunnels
Expected Results:	After step 2, new tunnel (tun-2) should be formed b/n R1 and R3. After step 3, traffic should flow for both tunnels

dan-ipsec_09 - Validate IPSec tunnel is able to establish with authentication using RSA key

Test Purpose:	Test case to validate IPSec tunnel establish when authentication mode is set to RSA key
Test Setup:	As per diagram Topology1: DANOS-IPSec
Prerequisites:	3 VMs with DANOS image UP and Running
Procedure:	Configure IPSec tunnel b/n R1 and R3 with “authentication preshared key“ set to “ RSA-KEY” Validate tunnels status and traffic on both tunnels Validate tunnel by sending interested traffic
Expected Results:	Tunnel should be formed when authentication key is set to RSA-KEY Traffic should flow across tunnel

dan-ipsec_10 - Validate IPSec tunnel is able to establish with authentication using X.509 certificate

Test Purpose:	Test case to validate IPSec tunnel establish when authentication mode is set to X.509 certificate
Test Setup:	As per diagram Topology1: DANOS-IPSec
Prerequisites:	3 VMs with DANOS image UP and Running
Procedure:	Configure IPSec tunnel b/n R1 and R3 with “authentication preshared key“ set to “ X.509 certificate” Validate tunnels status and traffic on both tunnels Validate tunnel by sending interested traffic
Expected Results:	Tunnel should be formed when authentication key is set to X.509 certificate Traffic should flow across tunnel

dan-ipsec_11 - Validate IPSec tunnel when local IP address is removed and reconfigured

Test Purpose:	Test case to validate IPSec tunnel when local IP address is removed and reconfigured
Test Setup:	As per diagram Topology1: DANOS-IPSec
Prerequisites:	3 VMs with DANOS image UP and Running IPSec tunnel UP and Running b/n R1 and R3
Procedure:	Remove the configured “local-IP” on R1 router Validate tunnels status and traffic on both tunnels Re-add the “local-IP” on R1 router Validate tunnel by sending interested traffic
Expected Results:	After step 2, tunnel status should be down with no traffic flow After step 3, tunnel should be UP and traffic should flow across tunnel

dan-ipsec_12 - Validate IPSec tunnel when remote IP address is removed and reconfigured

Test Purpose:	Test case to validate IPSec tunnel when remote IP address is removed and reconfigured
Test Setup:	As per diagram Topology1: DANOS-IPSec
Prerequisites:	3 VMs with DANOS image UP and Running IPSec tunnel UP and Running b/n R1 and R3
Procedure:	Remove the configured “remote-IP” on R1 router Validate tunnels status and traffic on both tunnels Re-add the “remote-IP” on R1 router Validate tunnel by sending interested traffic
Expected Results:	After step 2, tunnel status should be down with no traffic flow After step 3, tunnel should be UP and traffic should flow across tunnel