From e697ed1e7fd5c33f8082b2f4f96c42fc822ec9a5 Mon Sep 17 00:00:00 2001
From: khramshinr <khramshinr@gmail.com>
Date: Tue, 6 Feb 2024 17:35:27 +0700
Subject: vpn: T3843: l2tp configuration not cleared after delete vpn: T5926:
 IPSEC does not apply after l2tp configuration was changed

Added a dependency between the l2tp and ipsec configuration scripts.
Added a test that the configuration is applied to swanctl.
---
 data/config-mode-dependencies/vyos-1x.json |  3 +++
 smoketest/scripts/cli/test_vpn_l2tp.py     | 41 ++++++++++++++++++++++++++++++
 src/conf_mode/vpn_l2tp.py                  | 10 +++++---
 3 files changed, 51 insertions(+), 3 deletions(-)

diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json
index 4fd94d895..b62603e34 100644
--- a/data/config-mode-dependencies/vyos-1x.json
+++ b/data/config-mode-dependencies/vyos-1x.json
@@ -29,6 +29,9 @@
         "openconnect": ["vpn_openconnect"],
         "sstp": ["vpn_sstp"]
     },
+    "vpn_l2tp": {
+        "ipsec": ["vpn_ipsec"]
+    },
     "qos": {
         "bonding": ["interfaces_bonding"],
         "bridge": ["interfaces_bridge"],
diff --git a/smoketest/scripts/cli/test_vpn_l2tp.py b/smoketest/scripts/cli/test_vpn_l2tp.py
index 3d9d94f52..e253f0e49 100755
--- a/smoketest/scripts/cli/test_vpn_l2tp.py
+++ b/smoketest/scripts/cli/test_vpn_l2tp.py
@@ -54,6 +54,47 @@ class TestVPNL2TPServer(BasicAccelPPPTest.TestCase):
 
         self.assertEqual(conf['modules']['auth_mschap_v2'], None)
 
+    def test_vpn_l2tp_dependence_ipsec_swanctl(self):
+        # Test config vpn for tasks T3843 and T5926
+
+        base_path = ['vpn', 'l2tp', 'remote-access']
+        # make precondition
+        self.cli_set(['interfaces', 'dummy', 'dum0', 'address', '203.0.113.1/32'])
+        self.cli_set(['vpn', 'ipsec', 'interface', 'dum0'])
+
+        self.cli_commit()
+        # check ipsec apply to swanctl
+        self.assertEqual('', cmd('echo vyos | sudo -S swanctl -L '))
+
+        self.cli_set(base_path + ['authentication', 'local-users', 'username', 'foo', 'password', 'bar'])
+        self.cli_set(base_path + ['authentication', 'mode', 'local'])
+        self.cli_set(base_path + ['authentication', 'protocols', 'chap'])
+        self.cli_set(base_path + ['client-ip-pool', 'first', 'range', '10.200.100.100-10.200.100.110'])
+        self.cli_set(base_path + ['description', 'VPN - REMOTE'])
+        self.cli_set(base_path + ['name-server', '1.1.1.1'])
+        self.cli_set(base_path + ['ipsec-settings', 'authentication', 'mode', 'pre-shared-secret'])
+        self.cli_set(base_path + ['ipsec-settings', 'authentication', 'pre-shared-secret', 'SeCret'])
+        self.cli_set(base_path + ['ipsec-settings', 'ike-lifetime', '8600'])
+        self.cli_set(base_path + ['ipsec-settings', 'lifetime', '3600'])
+        self.cli_set(base_path + ['outside-address', '203.0.113.1'])
+        self.cli_set(base_path + ['gateway-address', '203.0.113.1'])
+
+        self.cli_commit()
+
+        # check l2tp apply to swanctl
+        self.assertTrue('l2tp_remote_access:' in cmd('echo vyos | sudo -S swanctl -L '))
+
+        self.cli_delete(['vpn', 'l2tp'])
+        self.cli_commit()
+
+        # check l2tp apply to swanctl after delete config
+        self.assertEqual('', cmd('echo vyos | sudo -S swanctl -L '))
+
+        # need to correct tearDown test
+        self.basic_config()
+        self.cli_set(base_path + ['authentication', 'protocols', 'chap'])
+        self.cli_commit()
+
 
 if __name__ == '__main__':
     unittest.main(verbosity=2)
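Review bot: The three `cmd('echo vyos | sudo -S swanctl -L ')` calls in test_vpn_l2tp_dependence_ipsec_swanctl hard-code the account password and pass it on a shell command line. The test therefore fails once the image password is changed, and the credential may show up in process listings or logs while it runs. If the smoketest runner already has the privilege it needs (not visible in this hunk), drop the pipe and write `self.assertIn('l2tp_remote_access:', cmd('sudo swanctl -L'))`, which also reports the actual output on failure, unlike `assertTrue(... in ...)`. The two `assertEqual('', ...)` checks assume no other IPsec connection is loaded on the system under test. The precondition `dum0` interface and `vpn ipsec interface dum0` are not deleted inside this method, and tearDown is outside the hunk, so confirm it removes them.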
diff --git a/src/conf_mode/vpn_l2tp.py b/src/conf_mode/vpn_l2tp.py
index 36b3d2a30..4ca717814 100755
--- a/src/conf_mode/vpn_l2tp.py
+++ b/src/conf_mode/vpn_l2tp.py
@@ -19,6 +19,7 @@ import os
 from sys import exit
 
 from vyos.config import Config
+from vyos.configdep import call_dependents, set_dependents
 from vyos.configdict import get_accel_dict
 from vyos.template import render
 from vyos.utils.process import call
@@ -42,6 +43,9 @@ def get_config(config=None):
     else:
         conf = Config()
     base = ['vpn', 'l2tp', 'remote-access']
+
+    set_dependents('ipsec', conf)
+
     if not conf.exists(base):
         return None
 
@@ -94,10 +98,10 @@ def apply(l2tp):
         for file in [l2tp_chap_secrets, l2tp_conf]:
             if os.path.exists(file):
                 os.unlink(file)
+    else:
+        call('systemctl restart accel-ppp@l2tp.service')
 
-        return None
-
-    call('systemctl restart accel-ppp@l2tp.service')
+    call_dependents()
 
 
 if __name__ == '__main__':
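Review bot: `call_dependents()` now sits after the `if`/`else` so that it also runs on the delete path, but nothing in the code says why. A later cleanup could move it back under `else` and reintroduce T3843, where, going by the commit subject and the new smoketest, the `l2tp_remote_access` connection stayed listed in swanctl after `vpn l2tp` was deleted. I would add `# Run vpn_ipsec even when l2tp was removed so the stale swanctl connection is unloaded (T3843)` above it. The get_config hunk needs the matching `# Must precede the early return below, otherwise deleting l2tp never triggers vpn_ipsec` above `set_dependents('ipsec', conf)`. The return value of `call('systemctl restart accel-ppp@l2tp.service')` is ignored, so the dependents run even if the restart fails; if that is intended, say so in a comment. apply() begins outside this hunk.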
-- 
cgit v1.2.3