diff options
author | Christian Breunig <christian@breunig.cc> | 2023-12-30 13:12:57 +0100 |
---|---|---|
committer | Christian Breunig <christian@breunig.cc> | 2023-12-30 13:15:35 +0100 |
commit | c70195779b418a3e0c212baba3a1ace3c3af0c9f (patch) | |
tree | 4827d8cc470ae7eb2e582d4ae2796a95c728d2fe /smoketest/scripts/cli/test_vpn_ipsec.py | |
parent | f9207ed4a0a5f80b23c91ffb2154a835bf7e741d (diff) | |
download | vyos-1x-c70195779b418a3e0c212baba3a1ace3c3af0c9f.tar.gz vyos-1x-c70195779b418a3e0c212baba3a1ace3c3af0c9f.zip |
ipsec: T1210: extend remote-access smoketest with IP pool configuration
This extends commit f9207ed4a ("ipsec: T1210: add smoketest for remote-access
(road-warrior) users") in a way that also the IPv4 pool and its DNS servers get
validated. There is no separate IPv6 test, as both address families behave
the same way when configuring these.
(cherry picked from commit 1e46cd606d9d87226fe0400bf3a53bda360808d8)
Diffstat (limited to 'smoketest/scripts/cli/test_vpn_ipsec.py')
-rwxr-xr-x | smoketest/scripts/cli/test_vpn_ipsec.py | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py index deefce935..6f811000f 100755 --- a/smoketest/scripts/cli/test_vpn_ipsec.py +++ b/smoketest/scripts/cli/test_vpn_ipsec.py @@ -549,7 +549,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): def test_07_ikev2_road_warrior(self): - # Enable PKI + # This is a known to be good configuration for Microsoft Windows 10 and Apple iOS 17 self.setupPKI() ike_group = 'IKE-RW' @@ -564,6 +564,9 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): eap_lifetime = '3600' local_id = 'ipsec.vyos.net' + name_servers = ['172.16.254.100', '172.16.254.101'] + prefix = '172.16.250.0/28' + # IKE self.cli_set(base_path + ['ike-group', ike_group, 'key-exchange', 'ikev2']) self.cli_set(base_path + ['ike-group', ike_group, 'lifetime', ike_lifetime]) @@ -609,8 +612,9 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'local-address', local_address]) self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'pool', ip_pool_name]) - self.cli_set(base_path + ['remote-access', 'pool', ip_pool_name, 'name-server', '172.16.254.100']) - self.cli_set(base_path + ['remote-access', 'pool', ip_pool_name, 'prefix', '172.16.250.0/28']) + for ns in name_servers: + self.cli_set(base_path + ['remote-access', 'pool', ip_pool_name, 'name-server', ns]) + self.cli_set(base_path + ['remote-access', 'pool', ip_pool_name, 'prefix', prefix]) self.cli_commit() @@ -649,11 +653,18 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): for line in swanctl_secrets_lines: self.assertIn(line, swanctl_conf) + swanctl_pool_lines = [ + f'{ip_pool_name}', + f'addrs = {prefix}', + f'dns = {",".join(name_servers)}', + ] + for line in swanctl_pool_lines: + self.assertIn(line, swanctl_conf) + # Check Root CA, Intermediate CA and Peer cert/key pair is present self.assertTrue(os.path.exists(os.path.join(CA_PATH, f'{ca_name}_1.pem'))) self.assertTrue(os.path.exists(os.path.join(CERT_PATH, f'{peer_name}.pem'))) - # Disable PKI self.tearDownPKI() if __name__ == '__main__': |