authorChristian Breunig <christian@breunig.cc>2023-12-30 13:12:57 +0100
committerChristian Breunig <christian@breunig.cc>2023-12-30 13:15:35 +0100
commitc70195779b418a3e0c212baba3a1ace3c3af0c9f (patch)
tree4827d8cc470ae7eb2e582d4ae2796a95c728d2fe /smoketest/scripts/cli/test_vpn_ipsec.py
parentf9207ed4a0a5f80b23c91ffb2154a835bf7e741d (diff)
downloadvyos-1x-c70195779b418a3e0c212baba3a1ace3c3af0c9f.tar.gz
vyos-1x-c70195779b418a3e0c212baba3a1ace3c3af0c9f.zip
ipsec: T1210: extend remote-access smoketest with IP pool configuration
This extends commit f9207ed4a ("ipsec: T1210: add smoketest for remote-access (road-warrior) users") so that the IPv4 pool and its DNS servers are also validated. There is no separate IPv6 test, as both address families behave the same way when these options are configured. (cherry picked from commit 1e46cd606d9d87226fe0400bf3a53bda360808d8)
Diffstat (limited to 'smoketest/scripts/cli/test_vpn_ipsec.py')
-rwxr-xr-xsmoketest/scripts/cli/test_vpn_ipsec.py19
1 files changed, 15 insertions, 4 deletions
diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py
index deefce935..6f811000f 100755
--- a/smoketest/scripts/cli/test_vpn_ipsec.py
+++ b/smoketest/scripts/cli/test_vpn_ipsec.py
@@ -549,7 +549,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
def test_07_ikev2_road_warrior(self):
- # Enable PKI
+ # This is a known to be good configuration for Microsoft Windows 10 and Apple iOS 17
self.setupPKI()
ike_group = 'IKE-RW'
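Review bot: The new comment at the top of `test_07_ikev2_road_warrior` claims client compatibility without saying which settings the claim depends on, so a later edit to the IKE group or EAP values could invalidate it without anyone noticing. It also replaces the `# Enable PKI` marker that described `self.setupPKI()`. I would word it as `# Known-good configuration for Microsoft Windows 10 and Apple iOS 17 clients (IKE group and EAP settings below)` and keep a short `# Enable PKI` line directly above the setup call. The method body continues outside this hunk.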
@@ -564,6 +564,9 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
eap_lifetime = '3600'
local_id = 'ipsec.vyos.net'
+ name_servers = ['172.16.254.100', '172.16.254.101']
+ prefix = '172.16.250.0/28'
+
# IKE
self.cli_set(base_path + ['ike-group', ike_group, 'key-exchange', 'ikev2'])
self.cli_set(base_path + ['ike-group', ike_group, 'lifetime', ike_lifetime])
@@ -609,8 +612,9 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'local-address', local_address])
self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'pool', ip_pool_name])
- self.cli_set(base_path + ['remote-access', 'pool', ip_pool_name, 'name-server', '172.16.254.100'])
- self.cli_set(base_path + ['remote-access', 'pool', ip_pool_name, 'prefix', '172.16.250.0/28'])
+ for ns in name_servers:
+ self.cli_set(base_path + ['remote-access', 'pool', ip_pool_name, 'name-server', ns])
+ self.cli_set(base_path + ['remote-access', 'pool', ip_pool_name, 'prefix', prefix])
self.cli_commit()
@@ -649,11 +653,18 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
for line in swanctl_secrets_lines:
self.assertIn(line, swanctl_conf)
+ swanctl_pool_lines = [
+ f'{ip_pool_name}',
+ f'addrs = {prefix}',
+ f'dns = {",".join(name_servers)}',
+ ]
+ for line in swanctl_pool_lines:
+ self.assertIn(line, swanctl_conf)
+
# Check Root CA, Intermediate CA and Peer cert/key pair is present
self.assertTrue(os.path.exists(os.path.join(CA_PATH, f'{ca_name}_1.pem')))
self.assertTrue(os.path.exists(os.path.join(CERT_PATH, f'{peer_name}.pem')))
- # Disable PKI
self.tearDownPKI()
if __name__ == '__main__':
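Review bot: The first entry of `swanctl_pool_lines`, `f'{ip_pool_name}'`, is a bare substring check against the whole of `swanctl_conf`, so it is presumably already satisfied by the connection's reference to the pool and does not show that a pool section was rendered. Anchoring it to the section header, e.g. `f'{ip_pool_name} {{'` (assuming the template emits strongSwan's `name {` form), would make the check meaningful. The `dns = {",".join(name_servers)}` line also assumes the servers are rendered in configuration order, which is worth confirming against the template. With more assertions now ahead of `self.tearDownPKI()`, a failure skips the PKI cleanup unless the class tearDown (not visible here) covers it; `self.addCleanup(self.tearDownPKI)` right after `self.setupPKI()` would avoid that. The test method starts outside this hunk.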