From c0842cf00aca5a7d8b480878d26bda2a55492a15 Mon Sep 17 00:00:00 2001
From: Ariel
Date: Mon, 6 Mar 2017 12:21:17 +0200
Subject: [PATCH] ipsec over vxlan tunnel support. using ip xfrm and autogenerated simmetric keys between any two VTEPs
Change-Id: I94de7202c1616710882db3ded184ae0a56d9dad6
Signed-off-by: Ariel
---
 ...w-integration-deploy-openstack-run-test.sh | 32 +++++++++++++++++++
 jjb/integration/integration-templates.yaml | 8 +++++
 jjb/releng-defaults.yaml | 1 +
 3 files changed, 41 insertions(+)
diff --git a/jjb/integration/include-raw-integration-deploy-openstack-run-test.sh b/jjb/integration/include-raw-integration-deploy-openstack-run-test.sh
index a273ac5b3..703e8f6ae 100644
--- a/jjb/integration/include-raw-integration-deploy-openstack-run-test.sh
+++ b/jjb/integration/include-raw-integration-deploy-openstack-run-test.sh
@@ -669,6 +669,38 @@ do
 ${SSH} $ip "sudo ovs-vsctl --may-exist add-br $PUBLIC_BRIDGE -- set bridge $PUBLIC_BRIDGE other-config:disable-in-band=true other_config:hwaddr=f6:00:00:ff:01:0$((devstack_index++))"
 done
+# ipsec support
+if [ "${IPSEC_VXLAN_TUNNELS_ENABLED}" == "yes" ]; then
+ ALL_NODES=(${OPENSTACK_CONTROL_NODE_IP} ${COMPUTE_IPS[*]})
+ for ((inx_ip1=0; inx_ip1<$((${#ALL_NODES[@]} - 1)); inx_ip1++))
+ do
+ for ((inx_ip2=$((inx_ip1 + 1)); inx_ip2<${#ALL_NODES[@]}; inx_ip2++))
+ do
+ KEY1=0x$(dd if=/dev/urandom count=32 bs=1 2> /dev/null| xxd -p -c 64)
+ KEY2=0x$(dd if=/dev/urandom count=32 bs=1 2> /dev/null| xxd -p -c 64)
+ ID=0x$(dd if=/dev/urandom count=4 bs=1 2> /dev/null| xxd -p -c 8)
+ ip1=${ALL_NODES[$inx_ip1]}
+ ip2=${ALL_NODES[$inx_ip2]}
+ ${SSH} $ip1 "sudo ip xfrm state add src $ip1 dst $ip2 proto esp spi $ID reqid $ID mode transport auth sha256 $KEY1 enc aes $KEY2"
+ ${SSH} $ip1 "sudo ip xfrm state add src $ip2 dst $ip1 proto esp spi $ID reqid $ID mode transport auth sha256 $KEY1 enc aes $KEY2"
+ ${SSH} $ip1 "sudo ip xfrm policy add src $ip1 dst $ip2 proto udp dir out tmpl src $ip1 dst $ip2 proto esp reqid $ID mode transport"
+ ${SSH} $ip1 "sudo ip xfrm policy add src $ip2 dst $ip1 proto udp dir in tmpl src $ip2 dst $ip1 proto esp reqid $ID mode transport"
+
+ ${SSH} $ip2 "sudo ip xfrm state add src $ip2 dst $ip1 proto esp spi $ID reqid $ID mode transport auth sha256 $KEY1 enc aes $KEY2"
+ ${SSH} $ip2 "sudo ip xfrm state add src $ip1 dst $ip2 proto esp spi $ID reqid $ID mode transport auth sha256 $KEY1 enc aes $KEY2"
+ ${SSH} $ip2 "sudo ip xfrm policy add src $ip2 dst $ip1 proto udp dir out tmpl src $ip2 dst $ip1 proto esp reqid $ID mode transport"
+ ${SSH} $ip2 "sudo ip xfrm policy add src $ip1 dst $ip2 proto udp dir in tmpl src $ip1 dst $ip2 proto esp reqid $ID mode transport"
+ done
+ done
+
+ for ip in ${OPENSTACK_CONTROL_NODE_IP} ${COMPUTE_IPS[*]}
+ do
+ echo "ip xfrm configuration for node $ip:"
+ ${SSH} $ip "sudo ip xfrm policy list"
+ ${SSH} $ip "sudo ip xfrm state list"
+ done
+fi
+
 # Control Node - PUBLIC_BRIDGE will act as the external router
 GATEWAY_IP="10.10.10.250" # FIXME this should be a parameter, also shared with integration-test
 ${SSH} ${OPENSTACK_CONTROL_NODE_IP} "sudo ip link add link ${PUBLIC_BRIDGE} name ${PUBLIC_BRIDGE}.167 type vlan id 167"
diff --git a/jjb/integration/integration-templates.yaml b/jjb/integration/integration-templates.yaml
index 9e36e097c..e8c00bb24 100644
--- a/jjb/integration/integration-templates.yaml
+++ b/jjb/integration/integration-templates.yaml
@@ -1034,6 +1034,10 @@
 name: ODL_ENABLE_L3_FWD
 default: '{odl-enable-l3}'
 description: 'Enable L3 FWD in ODL for createing br-ex'
+ - string:
+ name: IPSEC_VXLAN_TUNNELS_ENABLED
+ default: '{ipsec-vxlan-tunnels-enabled}'
+ description: 'Enable ipsec over vxlan support for all controllers and computes'
 - string:
 name: PUBLIC_BRIDGE
 default: '{public-bridge}'
@@ -1202,6 +1206,10 @@
 name: ODL_ENABLE_L3_FWD
 default: '{odl-enable-l3}'
 description: 'Enable L3 FWD in ODL for createing br-ex'
+ - string:
+ name: IPSEC_VXLAN_TUNNELS_ENABLED
+ default: '{ipsec-vxlan-tunnels-enabled}'
+ description: 'Enable ipsec over vxlan support for all controllers and computes'
 - string:
 name: PUBLIC_BRIDGE
 default: '{public-bridge}'
diff --git a/jjb/releng-defaults.yaml b/jjb/releng-defaults.yaml
index 843129a33..4367a42da 100644
--- a/jjb/releng-defaults.yaml
+++ b/jjb/releng-defaults.yaml
@@ -17,6 +17,7 @@
 devstack-lbaas-plugin-repo: 'https://github.com/openstack/neutron-lbaas'
 server-name: 'OpenDaylight'
 git-url: 'ssh://jenkins-$SILO@git.opendaylight.org:29418'
+ ipsec-vxlan-tunnels-enabled: 'no'
 public-bridge: 'br-physnet1'
 public-physical-network: 'physnet1'
-- 2.36.6
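Review bot: The verification loop's `${SSH} $ip "sudo ip xfrm state list"` prints each SA together with its full `auth` and `enc` key bytes, so the secrets generated a few lines earlier land in the Jenkins console output; `sudo ip xfrm state count` (or the policy list alone) gives the same sanity signal without the key material. The same keys also travel as ssh command-line arguments in the eight `ip xfrm state add` lines, where they are visible in `ps` on both ends and in sudo's command log on the remote host, so feeding the state definitions over stdin (e.g. `ip -batch -`) would be preferable. If `xxd` is absent or `dd` fails, the `2> /dev/null` plus the unchecked `$(...)` leave `KEY1`/`KEY2`/`ID` as a bare `0x`, the `state add` calls fail and the job continues with VXLAN traffic in clear; the block should fail closed with `[ ${#KEY1} -eq 66 ] && [ ${#KEY2} -eq 66 ] && [ ${#ID} -eq 10 ] || exit 1` after the three assignments and `|| exit 1` on each `ip xfrm` ssh line. Both directions of every pair also share one `$KEY1`/`$KEY2` and one SPI `$ID`; generating a separate key set per direction matches what IKE-negotiated SAs do and costs only a second round of `dd`.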
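Review bot: The new `IPSEC_VXLAN_TUNNELS_ENABLED` parameter's description does not say which value switches the feature on, while the shell side of this commit only honours the literal `yes`, so `true`, `Yes` or `1` would silently leave the tunnels off; suggest `description: 'Set to "yes" to configure ip xfrm ESP transport-mode SAs between all controller and compute nodes; any other value leaves the feature off'`. The identical block in the second hunk (`@@ -1202,6 +1206,10 @@`) needs the same wording.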