From 7100a5797bce50678be6bb001d4d847b26ff9eca Mon Sep 17 00:00:00 2001
From: Lucas Christian <lucas@lucasec.com>
Date: Thu, 28 Dec 2023 22:08:36 -0800
Subject: T5871: ipsec remote access VPN: specify "cacerts" for client auth.

(cherry picked from commit ecc83562b4d756cc50910561a3f52ec260aeb478)
---
 smoketest/scripts/cli/test_vpn_ipsec.py | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'smoketest')

diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py
index 6d3a93877..145b5990e 100755
--- a/smoketest/scripts/cli/test_vpn_ipsec.py
+++ b/smoketest/scripts/cli/test_vpn_ipsec.py
@@ -757,6 +757,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
             f'id = "{local_id}"',
             f'auth = pubkey',
             f'certs = peer1.pem',
+            f'cacerts = MyVyOS-CA.pem',
             f'auth = eap-tls',
             f'eap_id = %any',
             f'esp_proposals = aes256-sha512,aes256-sha384,aes256-sha256,aes256-sha1,aes128gcm128-sha256',
@@ -840,6 +841,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
         with self.assertRaises(ConfigSessionError):
             self.cli_commit()
         self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'x509', 'ca-certificate', ca_name])
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'x509', 'ca-certificate', int_ca_name])
 
         self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'esp-group', esp_group])
         self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'ike-group', ike_group])
@@ -867,6 +869,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
             f'id = "{local_id}"',
             f'auth = pubkey',
             f'certs = peer1.pem',
+            f'cacerts = MyVyOS-CA.pem,MyVyOS-IntCA.pem',
             f'esp_proposals = aes256-sha512,aes256-sha384,aes256-sha256,aes256-sha1,aes128gcm128-sha256',
             f'rekey_time = {eap_lifetime}s',
             f'rand_time = 540s',
@@ -894,6 +897,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
 
         # Check Root CA, Intermediate CA and Peer cert/key pair is present
         self.assertTrue(os.path.exists(os.path.join(CA_PATH, f'{ca_name}.pem')))
+        self.assertTrue(os.path.exists(os.path.join(CA_PATH, f'{int_ca_name}.pem')))
         self.assertTrue(os.path.exists(os.path.join(CERT_PATH, f'{peer_name}.pem')))
 
         self.tearDownPKI()
-- 
cgit v1.2.3