summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2021-06-30 20:39:14 +0200
committerChristian Poessinger <christian@poessinger.com>2021-06-30 20:39:14 +0200
commitf4dd2ea487d6dc11fdc73d4218bb23bd7b9ca2f9 (patch)
tree91fd9d7a00b553b538b6bcde5e4479d0efd5371d
parent1a4f40b6176f31bdd82fcba890cf1690d2bd2ff7 (diff)
downloadvyos-1x-f4dd2ea487d6dc11fdc73d4218bb23bd7b9ca2f9.tar.gz
vyos-1x-f4dd2ea487d6dc11fdc73d4218bb23bd7b9ca2f9.zip
smoketest: ipsec: add more re-usable variable definitions throughout the test
-rwxr-xr-xsmoketest/scripts/cli/test_vpn_ipsec.py260
1 files changed, 132 insertions, 128 deletions
diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py
index b27ed3ca5..fee4d6ade 100755
--- a/smoketest/scripts/cli/test_vpn_ipsec.py
+++ b/smoketest/scripts/cli/test_vpn_ipsec.py
@@ -30,7 +30,17 @@ base_path = ['vpn', 'ipsec']
dhcp_waiting_file = '/tmp/ipsec_dhcp_waiting'
swanctl_file = '/etc/swanctl/swanctl.conf'
+peer_ip = '203.0.113.45'
+interface = 'eth1'
+vif = '100'
+esp_group = 'MyESPGroup'
+ike_group = 'MyIKEGroup'
+secret = 'MYSECRETKEY'
+
class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
+ def setUp(self):
+ self.cli_set(base_path + ['ipsec-interfaces', 'interface', f'{interface}.{vif}'])
+
def tearDown(self):
self.cli_delete(base_path)
self.cli_delete(nhrp_path)
@@ -40,34 +50,31 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
def test_dhcp_fail_handling(self):
- self.cli_delete(ethernet_path)
- self.cli_delete(base_path)
-
# Interface for dhcp-interface
- self.cli_set(ethernet_path + ['eth0', 'vif', '100', 'address', 'dhcp']) # Use VLAN to avoid getting IP from qemu dhcp server
+ self.cli_set(ethernet_path + [interface, 'vif', vif, 'address', 'dhcp']) # Use VLAN to avoid getting IP from qemu dhcp server
# Set IKE/ESP Groups
- self.cli_set(base_path + ["esp-group", "MyESPGroup", "proposal", "1", "encryption", "aes128"])
- self.cli_set(base_path + ["esp-group", "MyESPGroup", "proposal", "1", "hash", "sha1"])
- self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "dh-group", "2"])
- self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "encryption", "aes128"])
- self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "hash", "sha1"])
+ self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1', 'encryption', 'aes128'])
+ self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1', 'hash', 'sha1'])
+ self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'dh-group', '2'])
+ self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'encryption', 'aes128'])
+ self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'hash', 'sha1'])
# Site to site
- self.cli_set(base_path + ["ipsec-interfaces", "interface", "eth0.100"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "authentication", "mode", "pre-shared-secret"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "authentication", "pre-shared-secret", "MYSECRETKEY"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "ike-group", "MyIKEGroup"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "default-esp-group", "MyESPGroup"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "dhcp-interface", "eth0.100"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "protocol", "gre"])
+ peer_base_path = base_path + ['site-to-site', 'peer', peer_ip]
+ self.cli_set(peer_base_path + ['authentication', 'mode', 'pre-shared-secret'])
+ self.cli_set(peer_base_path + ['authentication', 'pre-shared-secret', secret])
+ self.cli_set(peer_base_path + ['ike-group', ike_group])
+ self.cli_set(peer_base_path + ['default-esp-group', esp_group])
+ self.cli_set(peer_base_path + ['dhcp-interface', f'{interface}.{vif}'])
+ self.cli_set(peer_base_path + ['tunnel', '1', 'protocol', 'gre'])
self.cli_commit()
self.assertTrue(os.path.exists(dhcp_waiting_file))
dhcp_waiting = read_file(dhcp_waiting_file)
- self.assertIn('eth0.100', dhcp_waiting) # Ensure dhcp-failed interface was added for dhclient hook
+ self.assertIn(f'{interface}.{vif}', dhcp_waiting) # Ensure dhcp-failed interface was added for dhclient hook
self.assertTrue(process_named_running('charon')) # Commit should've still succeeded and launched charon
@@ -75,46 +82,46 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
self.cli_delete(base_path)
# IKE/ESP Groups
- self.cli_set(base_path + ["esp-group", "MyESPGroup", "proposal", "1", "encryption", "aes128"])
- self.cli_set(base_path + ["esp-group", "MyESPGroup", "proposal", "1", "hash", "sha1"])
- self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "dh-group", "2"])
- self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "encryption", "aes128"])
- self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "hash", "sha1"])
- self.cli_set(base_path + ["ike-group", "MyIKEGroup", "key-exchange", "ikev2"])
+ self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1', 'encryption', 'aes128'])
+ self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1', 'hash', 'sha1'])
+ self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'dh-group', '2'])
+ self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'encryption', 'aes128'])
+ self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'hash', 'sha1'])
+ self.cli_set(base_path + ['ike-group', ike_group, 'key-exchange', 'ikev2'])
# Site to site
- self.cli_set(base_path + ["ipsec-interfaces", "interface", "eth0"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "authentication", "mode", "pre-shared-secret"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "authentication", "pre-shared-secret", "MYSECRETKEY"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "ike-group", "MyIKEGroup"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "default-esp-group", "MyESPGroup"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "local-address", "192.0.2.10"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "protocol", "tcp"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "local", "prefix", "172.16.10.0/24"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "local", "prefix", "172.16.11.0/24"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "local", "port", "443"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "remote", "prefix", "172.17.10.0/24"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "remote", "prefix", "172.17.11.0/24"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "remote", "port", "443"])
+ peer_base_path = base_path + ['site-to-site', 'peer', peer_ip]
+ self.cli_set(peer_base_path + ['authentication', 'mode', 'pre-shared-secret'])
+ self.cli_set(peer_base_path + ['authentication', 'pre-shared-secret', secret])
+ self.cli_set(peer_base_path + ['ike-group', ike_group])
+ self.cli_set(peer_base_path + ['default-esp-group', esp_group])
+ self.cli_set(peer_base_path + ['local-address', '192.0.2.10'])
+ self.cli_set(peer_base_path + ['tunnel', '1', 'protocol', 'tcp'])
+ self.cli_set(peer_base_path + ['tunnel', '1', 'local', 'prefix', '172.16.10.0/24'])
+ self.cli_set(peer_base_path + ['tunnel', '1', 'local', 'prefix', '172.16.11.0/24'])
+ self.cli_set(peer_base_path + ['tunnel', '1', 'local', 'port', '443'])
+ self.cli_set(peer_base_path + ['tunnel', '1', 'remote', 'prefix', '172.17.10.0/24'])
+ self.cli_set(peer_base_path + ['tunnel', '1', 'remote', 'prefix', '172.17.11.0/24'])
+ self.cli_set(peer_base_path + ['tunnel', '1', 'remote', 'port', '443'])
self.cli_commit()
swanctl_conf_lines = [
- 'version = 2',
- 'auth = psk',
- 'proposals = aes128-sha1-modp1024',
- 'esp_proposals = aes128-sha1-modp1024',
- 'local_addrs = 192.0.2.10 # dhcp:no',
- 'remote_addrs = 203.0.113.45',
- 'mode = tunnel',
- 'local_ts = 172.16.10.0/24[tcp/443],172.16.11.0/24[tcp/443]',
- 'remote_ts = 172.17.10.0/24[tcp/443],172.17.11.0/24[tcp/443]'
+ f'version = 2',
+ f'auth = psk',
+ f'proposals = aes128-sha1-modp1024',
+ f'esp_proposals = aes128-sha1-modp1024',
+ f'local_addrs = 192.0.2.10 # dhcp:no',
+ f'remote_addrs = {peer_ip}',
+ f'mode = tunnel',
+ f'local_ts = 172.16.10.0/24[tcp/443],172.16.11.0/24[tcp/443]',
+ f'remote_ts = 172.17.10.0/24[tcp/443],172.17.11.0/24[tcp/443]'
]
swanctl_secrets_lines = [
- 'id-local = 192.0.2.10 # dhcp:no',
- 'id-remote = 203.0.113.45',
- 'secret = "MYSECRETKEY"'
+ f'id-local = 192.0.2.10 # dhcp:no',
+ f'id-remote = {peer_ip}',
+ f'secret = "{secret}"'
]
tmp_swanctl_conf = read_file(swanctl_file)
@@ -129,55 +136,54 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
self.assertTrue(process_named_running('charon'))
def test_site_to_site_vti(self):
- self.cli_delete(base_path)
- self.cli_delete(vti_path)
+ vti = 'vti10'
# VTI interface
- self.cli_set(vti_path + ["vti10", "address", "10.1.1.1/24"])
+ self.cli_set(vti_path + [vti, 'address', '10.1.1.1/24'])
# IKE/ESP Groups
- self.cli_set(base_path + ["esp-group", "MyESPGroup", "proposal", "1", "encryption", "aes128"])
- self.cli_set(base_path + ["esp-group", "MyESPGroup", "proposal", "1", "hash", "sha1"])
- self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "dh-group", "2"])
- self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "encryption", "aes128"])
- self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "hash", "sha1"])
- self.cli_set(base_path + ["ike-group", "MyIKEGroup", "key-exchange", "ikev2"])
+ self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1', 'encryption', 'aes128'])
+ self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1', 'hash', 'sha1'])
+ self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'dh-group', '2'])
+ self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'encryption', 'aes128'])
+ self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'hash', 'sha1'])
+ self.cli_set(base_path + ['ike-group', ike_group, 'key-exchange', 'ikev2'])
# Site to site
- self.cli_set(base_path + ["ipsec-interfaces", "interface", "eth0"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "authentication", "mode", "pre-shared-secret"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "authentication", "pre-shared-secret", "MYSECRETKEY"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "ike-group", "MyIKEGroup"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "default-esp-group", "MyESPGroup"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "local-address", "192.0.2.10"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "local", "prefix", "172.16.10.0/24"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "local", "prefix", "172.16.11.0/24"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "remote", "prefix", "172.17.10.0/24"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "remote", "prefix", "172.17.11.0/24"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "vti", "bind", "vti10"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "vti", "esp-group", "MyESPGroup"])
+ peer_base_path = base_path + ['site-to-site', 'peer', peer_ip]
+ self.cli_set(peer_base_path + ['authentication', 'mode', 'pre-shared-secret'])
+ self.cli_set(peer_base_path + ['authentication', 'pre-shared-secret', secret])
+ self.cli_set(peer_base_path + ['ike-group', ike_group])
+ self.cli_set(peer_base_path + ['default-esp-group', esp_group])
+ self.cli_set(peer_base_path + ['local-address', '192.0.2.10'])
+ self.cli_set(peer_base_path + ['tunnel', '1', 'local', 'prefix', '172.16.10.0/24'])
+ self.cli_set(peer_base_path + ['tunnel', '1', 'local', 'prefix', '172.16.11.0/24'])
+ self.cli_set(peer_base_path + ['tunnel', '1', 'remote', 'prefix', '172.17.10.0/24'])
+ self.cli_set(peer_base_path + ['tunnel', '1', 'remote', 'prefix', '172.17.11.0/24'])
+ self.cli_set(peer_base_path + ['vti', 'bind', vti])
+ self.cli_set(peer_base_path + ['vti', 'esp-group', esp_group])
self.cli_commit()
swanctl_conf_lines = [
- 'version = 2',
- 'auth = psk',
- 'proposals = aes128-sha1-modp1024',
- 'esp_proposals = aes128-sha1-modp1024',
- 'local_addrs = 192.0.2.10 # dhcp:no',
- 'remote_addrs = 203.0.113.45',
- 'mode = tunnel',
- 'local_ts = 172.16.10.0/24,172.16.11.0/24',
- 'remote_ts = 172.17.10.0/24,172.17.11.0/24',
- 'mark_in = 9437194', # 0x900000 + (vti)10
- 'mark_out = 9437194',
- 'updown = "/etc/ipsec.d/vti-up-down vti10 no"'
+ f'version = 2',
+ f'auth = psk',
+ f'proposals = aes128-sha1-modp1024',
+ f'esp_proposals = aes128-sha1-modp1024',
+ f'local_addrs = 192.0.2.10 # dhcp:no',
+ f'remote_addrs = {peer_ip}',
+ f'mode = tunnel',
+ f'local_ts = 172.16.10.0/24,172.16.11.0/24',
+ f'remote_ts = 172.17.10.0/24,172.17.11.0/24',
+ f'if_id_in = {vti.lstrip("vti")}', # will be 10 for vti10
+ f'if_id_out = {vti.lstrip("vti")}',
+ f'updown = "/etc/ipsec.d/vti-up-down {vti} no"'
]
swanctl_secrets_lines = [
- 'id-local = 192.0.2.10 # dhcp:no',
- 'id-remote = 203.0.113.45',
- 'secret = "MYSECRETKEY"'
+ f'id-local = 192.0.2.10 # dhcp:no',
+ f'id-remote = {peer_ip}',
+ f'secret = "{secret}"'
]
tmp_swanctl_conf = read_file(swanctl_file)
@@ -192,62 +198,60 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
self.assertTrue(process_named_running('charon'))
def test_dmvpn(self):
- self.cli_delete(base_path)
- self.cli_delete(nhrp_path)
- self.cli_delete(tunnel_path)
+ tunnel_if = 'tun100'
+ nhrp_secret = 'secret'
# Tunnel
- self.cli_set(tunnel_path + ["tun100", "address", "172.16.253.134/29"])
- self.cli_set(tunnel_path + ["tun100", "encapsulation", "gre"])
- self.cli_set(tunnel_path + ["tun100", "source-address", "192.0.2.1"])
- self.cli_set(tunnel_path + ["tun100", "multicast", "enable"])
- self.cli_set(tunnel_path + ["tun100", "parameters", "ip", "key", "1"])
+ self.cli_set(tunnel_path + [tunnel_if, 'address', '172.16.253.134/29'])
+ self.cli_set(tunnel_path + [tunnel_if, 'encapsulation', 'gre'])
+ self.cli_set(tunnel_path + [tunnel_if, 'source-address', '192.0.2.1'])
+ self.cli_set(tunnel_path + [tunnel_if, 'multicast', 'enable'])
+ self.cli_set(tunnel_path + [tunnel_if, 'parameters', 'ip', 'key', '1'])
# NHRP
- self.cli_set(nhrp_path + ["tunnel", "tun100", "cisco-authentication", "secret"])
- self.cli_set(nhrp_path + ["tunnel", "tun100", "holding-time", "300"])
- self.cli_set(nhrp_path + ["tunnel", "tun100", "multicast", "dynamic"])
- self.cli_set(nhrp_path + ["tunnel", "tun100", "redirect"])
- self.cli_set(nhrp_path + ["tunnel", "tun100", "shortcut"])
+ self.cli_set(nhrp_path + ['tunnel', tunnel_if, 'cisco-authentication', nhrp_secret])
+ self.cli_set(nhrp_path + ['tunnel', tunnel_if, 'holding-time', '300'])
+ self.cli_set(nhrp_path + ['tunnel', tunnel_if, 'multicast', 'dynamic'])
+ self.cli_set(nhrp_path + ['tunnel', tunnel_if, 'redirect'])
+ self.cli_set(nhrp_path + ['tunnel', tunnel_if, 'shortcut'])
# IKE/ESP Groups
- self.cli_set(base_path + ["esp-group", "ESP-HUB", "compression", "disable"])
- self.cli_set(base_path + ["esp-group", "ESP-HUB", "lifetime", "1800"])
- self.cli_set(base_path + ["esp-group", "ESP-HUB", "mode", "transport"])
- self.cli_set(base_path + ["esp-group", "ESP-HUB", "pfs", "dh-group2"])
- self.cli_set(base_path + ["esp-group", "ESP-HUB", "proposal", "1", "encryption", "aes256"])
- self.cli_set(base_path + ["esp-group", "ESP-HUB", "proposal", "1", "hash", "sha1"])
- self.cli_set(base_path + ["esp-group", "ESP-HUB", "proposal", "2", "encryption", "3des"])
- self.cli_set(base_path + ["esp-group", "ESP-HUB", "proposal", "2", "hash", "md5"])
- self.cli_set(base_path + ["ike-group", "IKE-HUB", "ikev2-reauth", "no"])
- self.cli_set(base_path + ["ike-group", "IKE-HUB", "key-exchange", "ikev1"])
- self.cli_set(base_path + ["ike-group", "IKE-HUB", "lifetime", "3600"])
- self.cli_set(base_path + ["ike-group", "IKE-HUB", "proposal", "1", "dh-group", "2"])
- self.cli_set(base_path + ["ike-group", "IKE-HUB", "proposal", "1", "encryption", "aes256"])
- self.cli_set(base_path + ["ike-group", "IKE-HUB", "proposal", "1", "hash", "sha1"])
- self.cli_set(base_path + ["ike-group", "IKE-HUB", "proposal", "2", "dh-group", "2"])
- self.cli_set(base_path + ["ike-group", "IKE-HUB", "proposal", "2", "encryption", "aes128"])
- self.cli_set(base_path + ["ike-group", "IKE-HUB", "proposal", "2", "hash", "sha1"])
+ self.cli_set(base_path + ['esp-group', esp_group, 'compression', 'disable'])
+ self.cli_set(base_path + ['esp-group', esp_group, 'lifetime', '1800'])
+ self.cli_set(base_path + ['esp-group', esp_group, 'mode', 'transport'])
+ self.cli_set(base_path + ['esp-group', esp_group, 'pfs', 'dh-group2'])
+ self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1', 'encryption', 'aes256'])
+ self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1', 'hash', 'sha1'])
+ self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '2', 'encryption', '3des'])
+ self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '2', 'hash', 'md5'])
+ self.cli_set(base_path + ['ike-group', ike_group, 'ikev2-reauth', 'no'])
+ self.cli_set(base_path + ['ike-group', ike_group, 'key-exchange', 'ikev1'])
+ self.cli_set(base_path + ['ike-group', ike_group, 'lifetime', '3600'])
+ self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'dh-group', '2'])
+ self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'encryption', 'aes256'])
+ self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'hash', 'sha1'])
+ self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'dh-group', '2'])
+ self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'encryption', 'aes128'])
+ self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'hash', 'sha1'])
# Profile
- self.cli_set(base_path + ["ipsec-interfaces", "interface", "eth0"])
- self.cli_set(base_path + ["profile", "NHRPVPN", "authentication", "mode", "pre-shared-secret"])
- self.cli_set(base_path + ["profile", "NHRPVPN", "authentication", "pre-shared-secret", "secret"])
- self.cli_set(base_path + ["profile", "NHRPVPN", "bind", "tunnel", "tun100"])
- self.cli_set(base_path + ["profile", "NHRPVPN", "esp-group", "ESP-HUB"])
- self.cli_set(base_path + ["profile", "NHRPVPN", "ike-group", "IKE-HUB"])
+ self.cli_set(base_path + ['profile', 'NHRPVPN', 'authentication', 'mode', 'pre-shared-secret'])
+ self.cli_set(base_path + ['profile', 'NHRPVPN', 'authentication', 'pre-shared-secret', nhrp_secret])
+ self.cli_set(base_path + ['profile', 'NHRPVPN', 'bind', 'tunnel', tunnel_if])
+ self.cli_set(base_path + ['profile', 'NHRPVPN', 'esp-group', esp_group])
+ self.cli_set(base_path + ['profile', 'NHRPVPN', 'ike-group', ike_group])
self.cli_commit()
swanctl_lines = [
- 'proposals = aes256-sha1-modp1024,aes128-sha1-modp1024',
- 'version = 1',
- 'rekey_time = 3600s',
- 'esp_proposals = aes256-sha1-modp1024,3des-md5-modp1024',
- 'local_ts = dynamic[gre]',
- 'remote_ts = dynamic[gre]',
- 'mode = transport',
- 'secret = secret'
+ f'proposals = aes256-sha1-modp1024,aes128-sha1-modp1024',
+ f'version = 1',
+ f'rekey_time = 3600s',
+ f'esp_proposals = aes256-sha1-modp1024,3des-md5-modp1024',
+ f'local_ts = dynamic[gre]',
+ f'remote_ts = dynamic[gre]',
+ f'mode = transport',
+ f'secret = {nhrp_secret}'
]
tmp_swanctl_conf = read_file('/etc/swanctl/swanctl.conf')