summaryrefslogtreecommitdiff
path: root/smoketest/scripts/cli/test_vpn_ipsec.py
AgeCommit message (Collapse)Author
2024-07-22T6599: ipsec: fix incorect default behavior for dead-peer-detectionLucas Christian
(cherry picked from commit 23a3419d512139650cfe3dc76759b370b0c0c3d6)
2024-07-22T6599: ipsec: support disabling rekey of CHILD_SA.Lucas Christian
Also adds support for life_bytes, life_packets, and DPD for remote-access connections. Changes behavior of remote-access esp-group lifetime setting to have parity with site-to-site connections. (cherry picked from commit fd5d7ff0b4fd69b248ecb29c6ec1f3cf844c41cf)
2024-04-21T6237: IPSec remote access VPN: ability to set EAP ID of clientsAlex W
2024-04-11T5871: ipsec remote access VPN: specify "cacerts" for client auth.Lucas Christian
2024-04-03T6199: drop unused Python importsChristian Breunig
found using "git ls-files *.py | xargs pylint | grep W0611"
2024-03-28Merge pull request #3202 from sarthurdev/T5606_1Daniil Baturin
ipsec: T5606: T5871: Use multi node for CA certificates
2024-03-28ipsec: T5606: T5871: Use multi node for CA certificatessarthurdev
This changes behaviour from fetching CA chain in PKI, to the user manually setting CA certificates. Prevents unwanted parent CAs existing in PKI from being auto-included as may not be desired/intended.
2024-03-11T5872: re-write exit hook to always regenerate configLucas Christian
2024-03-10T5872: ipsec remote access VPN: support dhcp-interface.Lucas Christian
2024-02-03ipsec: T5998: add replay-windows settingChristian Breunig
The replay_window for child SA will always be 32 (hence enabled). Add a CLI node to explicitly change this. * set vpn ipsec site-to-site peer <name> replay-window <0-2040>
2024-01-07smoketest: T5905: always delete pki in ipsec test startupChristian Breunig
2023-12-30T5870: ipsec remote access VPN: add x509 ("pubkey") authentication.Lucas Christian
2023-12-30ipsec: T1210: extend remote-access smoketest with IP pool configurationChristian Breunig
This extends commit 1a84c4d0e ("ipsec: T1210: add smoketest for remote-access (road-warrior) users") in a way that also the IPv4 pool and its DNS servers get validated. There is no separate IPv6 test, as both address families behave the same way when configuring these.
2023-12-30ipsec: T1210: add smoketest for remote-access (road-warrior) usersChristian Breunig
2023-09-24ipsec: T5606: Add support for whole CA chainssarthurdev
Also includes an update to smoketest to verify
2023-07-14T5195: vyos.util -> vyos.utils package refactoring (#2093)Christian Breunig
* T5195: move run, cmd, call, rc_cmd helper to vyos.utils.process * T5195: use read_file and write_file implementation from vyos.utils.file Changed code automatically using: find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import read_file$/from vyos.utils.file import read_file/g' {} + find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import write_file$/from vyos.utils.file import write_file/g' {} + * T5195: move chmod* helpers to vyos.utils.permission * T5195: use colon_separated_to_dict from vyos.utils.dict * T5195: move is_systemd_service_* to vyos.utils.process * T5195: fix boot issues with missing imports * T5195: move dict_search_* helpers to vyos.utils.dict * T5195: move network helpers to vyos.utils.network * T5195: move commit_* helpers to vyos.utils.commit * T5195: move user I/O helpers to vyos.utils.io
2023-05-29smoketest: adjust to new process_named_running() implementationChristian Breunig
After commit 9c677c81b ("vyos.util: extend process_named_running() signature with cmdline") we need an exact match for the process name. In the past we used a in b and now we test for a == b.
2023-03-23ipsec: T5003: Resolve issue with ipsec DHCP testsarthurdev
tearDown checks for existence of charon process, however this test does not create any connections by design.
2023-02-26smoketest: tunnel: T5034: adjust to new multicast CLI syntaxChristian Breunig
Commit 54c36e43 (tunnel: T5034: migrate "multicast enable" CLI node to enable-multicast) changed the syntax on the CLI. This commits changes the testcase to make use of the new syntax.
2023-01-30Merge pull request #1761 from sever-sever/T4916-currViacheslav Hletenko
T4916: Rewrite IPsec peer authentication and psk migration
2023-01-26T4916: Rewrite IPsec peer authentication and psk migrationViacheslav Hletenko
Rewrite strongswan IPsec authentication to reflect structure from swanctl.conf The most important change is that more than one local/remote ID in the same auth entry should be allowed replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx' => 'ipsec authentication psk <tag> secret xxx' set vpn ipsec authentication psk <tag> id '192.0.2.1' set vpn ipsec authentication psk <tag> id '192.0.2.2' set vpn ipsec authentication psk <tag> secret 'xxx' set vpn ipsec site-to-site peer <tag> authentication local-id '192.0.2.1' set vpn ipsec site-to-site peer <tag> authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer <tag> authentication remote-id '192.0.2.2' Add template filter for Jinja2 'generate_uuid4'
2023-01-18ipsec: T4925: Added PRF into IKE groupaapostoliuk
Added the possibility to configure Pseudo-Random Functions (PRF) in IKE group set vpn ipsec ike-group <Ike-grp> proposal <number> prf <PRF>
2022-12-27strongSwan: T4593: add charon-systemd runtime dependencyChristian Poessinger
2022-12-27strongSwan: upgrade scripts to work with package version 5.9.8Christian Poessinger
2022-09-16ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peerViacheslav Hletenko
Migration and Change boolean nodes "enable/disable" to disable-xxxx, enable-xxxx and just xxx for VPN IPsec configurations - IKE changes: - replace 'ipsec ike-group <tag> mobike disable' => 'ipsec ike-group <tag> disable-mobike' - replace 'ipsec ike-group <tag> ikev2-reauth yes|no' => 'ipsec ike-group <tag> ikev2-reauth' - ESP changes: - replace 'ipsec esp-group <tag> compression enable' => 'ipsec esp-group <tag> compression' - PEER changes: - replace: 'peer <tag> id xxx' => 'peer <tag> local-id xxx' - replace: 'peer <tag> force-encapsulation enable' => 'peer <tag> force-udp-encapsulation' - add option: 'peer <tag> remote-address x.x.x.x' Add 'peer <name> remote-address <name>' via migration script
2022-04-25smoketest: bugfix on proper inheritance levels for classmethodChristian Poessinger
2022-02-22Merge pull request #1230 from sever-sever/T1856Christian Poessinger
ipsec: T1856: Ability to set SA life bytes and packets
2022-02-20ipsec: T3948: Add CLI site-to-site peer connection-type noneViacheslav Hletenko
set vpn ipsec site-to-site peer 192.0.2.14 connection-type none
2022-02-20ipsec: T1856: Ability to set SA life bytes and packetsViacheslav Hletenko
set vpn ipsec esp-group grp-ESP life-bytes '100000' set vpn ipsec esp-group grp-ESP life-packets '2000000'
2022-02-19vpn: T4254: Add cisco_flexvpn and install_virtual_ip_on optionsViacheslav Hletenko
Ability to set Cisco FlexVPN vendor ID payload: charon.cisco_flexvpn charon.install_virtual_ip_on swanctl.connections.<conn>.vips = x.x.x.x, z.z.z.z set vpn ipsec options flexvpn set vpn ipsec options virtual-ip set vpn ipsec options interface tunX set vpn ipsec site-to-site peer x.x.x.x virtual-address x.x.x.x
2021-12-31smoketest: ipsec: T4126: verify configured priorityChristian Poessinger
2021-12-31smoketest: ipsec: make use of setUpClass()Christian Poessinger
2021-11-21smoketest: ipsec: T4010: fix dmvpn template profile rekey_timeChristian Poessinger
Commit d75403f78aef0 ("dmvpn: T4010: Fix template ipsec profile rekey_time") fixed an issue where the old IKE life_time config option was used. This no longer exists and us named rekey_time for IKE. This commit fixes the expected smoketest result.
2021-09-21smoketest: ipsec: T1441: adjust to latest VTI/XFRM interface changesChristian Poessinger
Commit d768aee9 ("ipsec: T1441: Clean up vti-up-down script for XFRM interfaces") removed a parameter from the updown scripts which is no longer necessary as XFRM interfaces are superior to VTI interfaces b/c they use dynamic endpoints by default.
2021-09-18smoketest: ipsec: only delete nhrp path where it is usedChristian Poessinger
2021-09-18ipsec: vti: T3831: avoid usinf xfrm if_id 0 - implement shift by oneChristian Poessinger
The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. This means that a vti0 named interface will pull in all traffic and others will stop working. Thus we simply shift the key by one to also support a vti0 interface.
2021-08-19smoketest: ipsec: T3764: extend testcases for IKE/ESP lifetimeChristian Poessinger
2021-07-17ipsec: T2816: migrate "ipsec interfaces" to "interface"Christian Poessinger
2021-07-03ipsec: T2816: rework IKE and ESP key assignmentChristian Poessinger
Commit 2d79a500 ("ipsec: T2816: add Jinja2 converter for ESP/IKE groups to string") added a Jinja2 helper function which can be used to transform VyOS CLI ESP and IKE key proposals into a strongSwan compatible string cipher. This commit changes the IPSec implementation to make use of this new Jinja2 filter fubction/Python helper. This is required base work for better automated tests (smoketests) but also for an IKEv2 road-warrior setup.
2021-07-02smoketest: ipam: add site2site x509 auth testcaseChristian Poessinger
2021-07-02smoketest: ipsec: place peer local-address into variableChristian Poessinger
2021-07-02smoketest: ipsec: IKE and ESP settings can be done one time in setUp()Christian Poessinger
2021-06-30smoketest: ipsec: add more re-usable variable definitions throughout the testChristian Poessinger
2021-06-26Revert "ipsec: T3643: move swanctl.conf to /run"Christian Poessinger
This reverts commit 95bbbb8bed92a60a320ff255c8b8656145f3c540.
2021-06-24ipsec: T3643: move swanctl.conf to /runChristian Poessinger
This is the completion of commit 50a742b5 ("IPSec: T3643: Fix path for swanctl.conf file") that moves the generated swanctl file from non-volatile to a volatile (tmpfs backed) storage like we do for all out configuration files. Thus it is ensured after a reboot or service deprecation there are no accidential leftovers from previous configurations stored on the system.
2021-06-15ipsec: T2816: T645: T3613: Migrated IPsec to swanctl, includes multiple ↵sarthurdev
selectors, and selectors with VTI.
2021-06-13smoketest: ipsec: T1501: Use VLAN in smoketest to avoid lease from QEMU ↵sarthurdev
built-in DHCP server
2021-06-12smoketest: ipsec: T1501: Add smoketest for failed dhcp-interface scenariosarthurdev
2021-06-07smoketest: ipsec: chmod +x testcaseChristian Poessinger
2021-05-28ipsec: T2816: IPSec python rework, includes DMVPN and VTI supportSimon