#!/bin/sh

# A collection of whack sequences to test Pluto.
# Generally, we command the west Pluto to negotiate with east.
# Sometimes north and south come into play.

. CONFIG

WESTHOST="--host $WESTIP --ikeport $IKEPORT"
WESTNET="$WESTHOST --client $WESTSUBNET"

EASTHOST="--host $EASTIP --ikeport $IKEPORT"
EASTNET="$EASTHOST --client $EASTSUBNET"

ANYHOST="--host %any --ikeport $IKEPORT"
OPPO="--host %opportunistic --ikeport $IKEPORT"

WESTWHACK="../whack --ctlbase ./pluto.west"
EASTWHACK="../whack --ctlbase ./pluto.east"

TIMES="--rekeymargin 350 --ikelifetime 900 --ipseclifetime 800"
TIMES0="$TIMES --keyingtries 0"
TIMES1="$TIMES --keyingtries 1"
TIMES2="$TIMES --keyingtries 2"

LIST="1 2 3 4 5"

function perform() {
	echo "$@"
	"$@" || echo RC: $?
	}

function me() {
	perform $WESTWHACK "$@"
	}

function him() {
	perform $EASTWHACK "$@"
	}

function both() {
	perform $WESTWHACK "$@"
	perform $EASTWHACK "$@"
	}

for i
do
case "$i" in
listen)	both --listen
	;;
kall)	both --keyid 127.95.7.2 --pubkeyrsa 0sAQOeSJscIy2XZHfs+PODDqdgJR2FmdfRNqzURVL5q2fesMHmibMLPM5cTPx2HvYKBX3YyB+BdHoojmFNixV+RTrKyyN0Og4PYwhdw0FUApDvOg7KYe1CeLUeTAUzT5Pq7MdclRW5bYY84hXSfKgaPwPTwuiLKEnVdbhGgwxqwfQ6ow==
	both --keyid @east.example.com --pubkeyrsa 0sAQNWmttqbM8nIypsHEULynOagFyV1MQ+/1yF5sa32abxBb2fimah7NsHM9l/KpNo7RGtiP0L6triedsZ0xz1Maa4DPnZlrtexu5uIH+FH34SUr7Xe2RcHnLVOznHMzacgcjrOUvV/nA9OEGvm7vRsMAWm/VjNuNugogFreiYEpFMQQ==
	both --keyid 127.95.7.3 --pubkeyrsa 0sAQN4JFU9gRnG336z1n1cV2LA6ACi1TjXfv3pvl6DRqa6uqBFM9RO4oArPc6FsBkBwEmMr8cpeFn4mVaepVe63qnvmQbGXVcRwhx0a509M824HjnyM04Xpoh2UuP/Mhnkm1cynunRuyGqXaZhlj4s+GbcOxPXhopz94wer+Qs/qvGqw==
	both --keyid @north.example.com --pubkeyrsa 0sAQN4JFU9gRnG336z1n1cV2LA6ACi1TjXfv3pvl6DRqa6uqBFM9RO4oArPc6FsBkBwEmMr8cpeFn4mVaepVe63qnvmQbGXVcRwhx0a509M824HjnyM04Xpoh2UuP/Mhnkm1cynunRuyGqXaZhlj4s+GbcOxPXhopz94wer+Qs/qvGqw==
	both --keyid 127.95.7.4 --pubkeyrsa 0sAQOKe6+kbDtp4PB8NZshjCBw8z5wuGCAddokgSDATW47tNmQhUvzlnT1ia1ZsyiRFph1LJkz+A0bkbOhPr1vWUJHK6/s+Y8Rf7GSZC0Fi5Fr4DgpWwswzFaLl4baRfeu8z4k147dtSoG4K/6UfQ+IbqML5lwm92uRqONszbn/PDDPQ==
	both --keyid @south.example.com --pubkeyrsa 0sAQOKe6+kbDtp4PB8NZshjCBw8z5wuGCAddokgSDATW47tNmQhUvzlnT1ia1ZsyiRFph1LJkz+A0bkbOhPr1vWUJHK6/s+Y8Rf7GSZC0Fi5Fr4DgpWwswzFaLl4baRfeu8z4k147dtSoG4K/6UfQ+IbqML5lwm92uRqONszbn/PDDPQ==
	both --keyid 127.95.7.1 --pubkeyrsa 0sAQOOyFBeFFr9CWXgn1aOEvTr98HG4inSckTXlyYi5x85G+Q1+PZ/roqB3OtnRS2XbXFb3n92QjZMJ403wQUwMAt6uzXzXDle5VvFn7cVXq3ch0jqQUxIFcdIIFR2wtkxvAr20xSOHNF/ozmKVZLkrHLu4RvVCCbSNa5toqLXblkcOQ==
	both --keyid @west.example.com --pubkeyrsa 0sAQOFtqrs57eghHmYREoCu1iGn4kXd+a6yT7wCFUk54d9i08mR4h5uFKPhc9fq78XNqz1AhrBH3SRcWAfJ8DaeGvZ0ZvCrTQZn+RJzX1FQ4fjuGBO0eup2XUMsYDw01PFzQ9O4qlwly6niOcMTxvbWgGcl+3DYfRvHgxet8kNtfqzHQ==
	;;
shutdown)	both --shutdown
	;;
status)	both --status
	;;

# "isakmp": ISAKMP SA only; PSK or RSA

disakmp-psk) both --name isakmp-psk --psk $EASTHOST --to $WESTHOST $TIMES2 ;;
xisakmp-psk) me --name isakmp-psk --initiate ;;

disakmp-rsa) both --name isakmp-rsa --rsa $EASTHOST --to $WESTHOST $TIMES2 ;;
xisakmp-rsa) me --name isakmp-rsa --initiate ;;

# "ipsec": IPsec SA

dipsec-psk)	both --name ipsec-psk --delete --psk \
		--updown silly $EASTNET --to --updown sally $WESTNET \
		--authenticate --encrypt --pfs $TIMES2
	;;
xipsec-psk)
		me --name ipsec-psk --initiate
	;;

dipsec-rsa)	both --name ipsec-rsa --delete --rsa \
		--updown silly $EASTNET --to --updown sally $WESTNET \
		--authenticate --encrypt --pfs $TIMES2
	;;
xipsec-rsa)
		me --name ipsec-rsa --initiate
	;;

# like dipsec-rsa, except compression is specified
dipsec-rsa-c) both --name ipsec-rsa-c --delete --rsa \
		--updown silly $EASTNET --to --updown sally $WESTNET \
		--authenticate --encrypt --compress $TIMES2
	;;
xipsec-rsa-c)
		me --name ipsec-rsa-c --initiate
	;;

# Road Warrior:

dipsec-psk-rw)
	me --name ipsec-psk-rw --delete --psk \
		--updown sally $WESTNET \
		--to --updown silly $EASTNET \
		--encrypt $TIMES2
	him --name ipsec-psk-rw --delete --psk \
		--updown silly $ANYHOST \
			--client $WESTSUBNET \
		--to --updown sally $EASTNET --nexthop %direct \
		--encrypt $TIMES2
	;;
xipsec-psk-rw)
		me --name ipsec-psk-rw --initiate
	;;

dipsec-rsa-rw)
	me --name ipsec-rsa-rw --delete --rsa \
		--updown sally $WESTNET \
		--to --updown silly $EASTNET \
		--encrypt $TIMES2
	him --name ipsec-rsa-rw --delete --rsa \
		--updown silly $ANYHOST \
			--client $WESTSUBNET \
		--to --updown sally $EASTNET --nexthop %direct \
		--encrypt $TIMES2
	;;
xipsec-rsa-rw)
		me --name ipsec-rsa-rw --initiate
	;;

# Opportunism
# --pfs and --rsa required

dipsec-oppo)
	# self
	me --name ipsec-oppo-me --delete --rsa --pfs \
		--updown sally $WESTHOST --nexthop %direct \
		--to --updown silly $OPPO \
		--encrypt $TIMES2
	# clients
	me --name ipsec-oppo-mine --delete --rsa --pfs \
		--updown sally $WESTNET --nexthop %direct \
		--to --updown silly $OPPO \
		--encrypt $TIMES2
	# self
	him --name ipsec-oppo-me --delete --rsa --pfs \
		--updown silly $OPPO \
		--to --updown sally $EASTHOST --nexthop %direct \
		--encrypt $TIMES2
	# clients
	him --name ipsec-oppo-mine --delete --rsa --pfs \
		--updown silly $OPPO \
		--to --updown sally $EASTNET --nexthop %direct \
		--encrypt $TIMES2
	;;
xipsec-oppo)
	# host to host
	me --oppohere $WESTIP --oppothere $EASTIP

	# host to client
	me --oppohere $WESTIP --oppothere $TRURO

	# client to host
	me --oppohere $VANCOUVER --oppothere $EASTIP

	# client to client
	me --oppohere $VICTORIA --oppothere $ANTIGONISH

	# whack error: 0.0.0.0 or 0::0 isn't a valid client address "0.0.0.0"
	# me --oppohere 0.0.0.0 --oppothere $ANTIGONISH

	# whack error: 0.0.0.0 or 0::0 isn't a valid client address "0.0.0.0"
	# me --oppohere $VICTORIA --oppothere 0.0.0.0

	# 033 no suitable connection for opportunism between 127.95.7.22 and 127.95.7.10 with 127.95.7.1 as peer
	me --oppohere $ANTIGONISH --oppothere $VICTORIA

	# 033 Can't Opportunistically initiate for 127.95.7.10 to 127.95.7.23: no host 23.7.95.127.in-addr.arpa. for TXT record
	me --oppohere $VICTORIA --oppothere $ATLANTIS

	# Responder says: "ipsec-oppo-me" 127.95.7.1 0.0.0.0/32 #1: gateway 127.95.7.1 claims client 127.95.7.8, but DNS for client fails to confirm: no host 8.7.95.127.in-addr.arpa. for TXT record
	# Initiator slowly times out.
	# me --oppohere $VANISHED --oppothere $ANTIGONISH
	;;

# stipple: test opportunism by trying a bunch of targets

dstipple-serial|dstipple-parallel)
	# self
	me --name ipsec-oppo-me --delete --rsa --pfs \
		--updown sally $WESTHOST --nexthop %direct \
		--to --updown silly $OPPO \
		--encrypt $TIMES2
	;;
xstipple-serial)
	n=10
	a=192.139.70.1
	while expr $n > 0 >/dev/null
	do
		n=`expr $n - 1`
		me --oppohere $WESTIP --oppothere $a
		a=`ipnext $a`
	done
	;;
xstipple-parallel)
	n=10
	a=192.139.70.1
	while expr $n > 0 >/dev/null
	do
		n=`expr $n - 1`
		me --oppohere $WESTIP --oppothere $a &
		a=`ipnext $a`
	done
	wait
	;;
*)
	echo "$0: $i unknown"
	exit 1
	;;
esac
done
