<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-1x.git/smoketest/scripts/cli/test_vpn_ipsec.py, branch rolling</title>
<subtitle>VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/'/>
<updated>2026-06-20T14:22:09+00:00</updated>
<entry>
<title>T8097: strongswan: add ESN test</title>
<updated>2026-06-20T14:22:09+00:00</updated>
<author>
<name>Kyrylo Yatsenko</name>
<email>hedrok@gmail.com</email>
</author>
<published>2026-06-20T13:38:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=11d5ee39fa41f512e343ef6084675a0f372c9e92'/>
<id>urn:sha1:11d5ee39fa41f512e343ef6084675a0f372c9e92</id>
<content type='text'>
</content>
</entry>
<entry>
<title>T8097: strongswan: update test with ESN</title>
<updated>2026-06-20T12:29:17+00:00</updated>
<author>
<name>Kyrylo Yatsenko</name>
<email>hedrok@gmail.com</email>
</author>
<published>2026-06-20T12:29:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=bf9b9790fa570e4af1409050f82bf1d5577f106f'/>
<id>urn:sha1:bf9b9790fa570e4af1409050f82bf1d5577f106f</id>
<content type='text'>
By default now for each proposal two proposals are sent: with `-noesn`
and without. Update test accordingly.
</content>
</entry>
<entry>
<title>ipsec: T7555: Implement `ikev2-reauth` for site-to-site peers</title>
<updated>2026-05-20T09:22:21+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2026-05-14T09:42:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=b6d24956bd4c7a5e4cb89c0b4331264a96667184'/>
<id>urn:sha1:b6d24956bd4c7a5e4cb89c0b4331264a96667184</id>
<content type='text'>
IKEv2 reauthentication was configurable via CLI but never translated
into `swanctl.conf`. Add `reauth_time` to the peer connection template,
driven by the `ikev2-reauth` flag on the ike-group and the per-peer
override (yes/no/inherit).
</content>
</entry>
<entry>
<title>T8410: Fix typos and mistakes for comments and messages</title>
<updated>2026-03-27T15:00:17+00:00</updated>
<author>
<name>Viacheslav Hletenko</name>
<email>v.gletenko@vyos.io</email>
</author>
<published>2026-03-27T14:43:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=139b0841f8242a5c6ebdafb37380c1fb78342aae'/>
<id>urn:sha1:139b0841f8242a5c6ebdafb37380c1fb78342aae</id>
<content type='text'>
Fix typos and mistakes
No functional changes
</content>
</entry>
<entry>
<title>T8136: IPSEC PPK Support</title>
<updated>2026-03-04T04:48:18+00:00</updated>
<author>
<name>Giga Murphy</name>
<email>giga1699@gmail.com</email>
</author>
<published>2026-01-02T01:04:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=673ec335b885ae1de8391dd8c48a5fe16b282db5'/>
<id>urn:sha1:673ec335b885ae1de8391dd8c48a5fe16b282db5</id>
<content type='text'>
</content>
</entry>
<entry>
<title>ipsec: T8022: Fix invalid automatic `dynamic` prefix assignment for transport mode tunnels</title>
<updated>2026-01-05T13:01:38+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2025-12-04T12:32:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=875cdbe042aa3c178f033b5699763ebcaf5261cd'/>
<id>urn:sha1:875cdbe042aa3c178f033b5699763ebcaf5261cd</id>
<content type='text'>
When ESP was configured in transport mode for GRE-based site-to-site tunnels,
the default value `dynamic` was automatically injected into the configuration,
even though prefixes must not be set in transport mode. This led to error
"Local/remote prefix cannot be used with ESP transport mode" and commit failures.

This fix updates configuration logic to skip default prefix assignment
for site-to-site peers using ESP transport mode tunnels.
</content>
</entry>
<entry>
<title>T8027: vpn: adding config for swanctl "send-cert always"</title>
<updated>2025-11-22T02:22:43+00:00</updated>
<author>
<name>Chris Cowart</name>
<email>ccowart@timesinks.net</email>
</author>
<published>2025-11-16T06:39:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=090c4afe8dce25f772c24fc9bb6e3b96d23fcc2b'/>
<id>urn:sha1:090c4afe8dce25f772c24fc9bb6e3b96d23fcc2b</id>
<content type='text'>
This setting seems to be required for various Apple clients to
connect to the IKEv2 IPSec VPN.
</content>
</entry>
<entry>
<title>T7948: always call setUp() and tearDown() base class methods</title>
<updated>2025-10-21T19:03:16+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-10-20T16:52:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=4995a58f998d3bdd055e49e919945bc0aa939be4'/>
<id>urn:sha1:4995a58f998d3bdd055e49e919945bc0aa939be4</id>
<content type='text'>
While working on task T7664 (FRR 10.4 upgrade), I identified the need for
additional validation and safeguards around the FRR management daemon. The
most appropriate place for this logic is in the setUp() and tearDown() methods
of the smoketest base class, VyOSUnitTestSHIM.

However, during implementation, it became apparent that test cases do not
consistently invoke the base class's setup and teardown methods. This
inconsistency complicates the process of capturing the FRR mgmtd PID at the
start of a test and verifying that it remains unchanged by the end - a key step
in detecting crashes or unexpected terminations (e.g., SIGSEGV) of the FRR
management daemon during tests.
</content>
</entry>
<entry>
<title>smoketest: T7858: make failfast main argument dynamic</title>
<updated>2025-09-30T15:19:06+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-09-22T18:49:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=2c521f1356378904e3d3a744960de68e8c5b62dc'/>
<id>urn:sha1:2c521f1356378904e3d3a744960de68e8c5b62dc</id>
<content type='text'>
When smoketest debugging is enabled (by creating the file
/tmp/vyos.smoketest.debug), all available smoketests will fail fast instead
of running to completion. This helps reduce test time when something is
broken or undergoing refactoring, as it avoids waiting for the full test suite
to finish.
</content>
</entry>
<entry>
<title>ipsec: T7562: Add support for `disable-uniqreqids` option in IPsec configs</title>
<updated>2025-08-12T09:11:05+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2025-07-31T10:41:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=c84c7cf16bf4a0222690f4ac2d93dafc88a7a0f7'/>
<id>urn:sha1:c84c7cf16bf4a0222690f4ac2d93dafc88a7a0f7</id>
<content type='text'>
This commit makes `set vpn ipsec disable-uniqreqids` work with the modern
StrongSwan backend by setting `unique=never` in swanctl.conf for connections.
This restores legacy behavior about multiple connections with the same identity.
</content>
</entry>
</feed>
