authorChristian Poessinger <christian@poessinger.com>2021-09-18 15:18:21 +0200
committerChristian Poessinger <christian@poessinger.com>2021-09-18 15:18:21 +0200
commit6f3130ea5c8c3043e4a5377c972b96233f22a5fc (patch)
treeee380c8eb98dd8907ea36799a50d4eec27ea136f /smoketest/scripts/cli/test_vpn_ipsec.py
parentdda9f655f94968b07043887a03e3bba176eb94d5 (diff)
downloadvyos-1x-6f3130ea5c8c3043e4a5377c972b96233f22a5fc.tar.gz
vyos-1x-6f3130ea5c8c3043e4a5377c972b96233f22a5fc.zip
ipsec: vti: T3831: avoid usinf xfrm if_id 0 - implement shift by one
The XFRM interface key (if_id) defaults to 0 and matches any policy that likewise has no lookup key configured. This means an interface named vti0 would pull in all traffic and the other VTI interfaces would stop working. Thus we simply shift the key by one so that a vti0 interface is supported as well.
Diffstat (limited to 'smoketest/scripts/cli/test_vpn_ipsec.py')
-rwxr-xr-xsmoketest/scripts/cli/test_vpn_ipsec.py22
1 files changed, 17 insertions, 5 deletions
diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py
index f33268083..71a9d5137 100755
--- a/smoketest/scripts/cli/test_vpn_ipsec.py
+++ b/smoketest/scripts/cli/test_vpn_ipsec.py
@@ -128,7 +128,6 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
self.cli_delete(base_path)
self.cli_delete(nhrp_path)
self.cli_delete(tunnel_path)
- self.cli_delete(vti_path)
self.cli_delete(ethernet_path)
self.cli_commit()
@@ -228,6 +227,11 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
swanctl_conf = read_file(swanctl_file)
+ if_id = vti.lstrip('vti')
+ # The key defaults to 0 and will match any policies which similarly do
+ # not have a lookup key configuration - thus we shift the key by one
+ # to also support a vti0 interface
+ if_id = str(int(if_id) +1)
swanctl_conf_lines = [
f'version = 2',
f'auth = psk',
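Review bot: The expected `if_id` is derived here with the same `lstrip('vti')` + 1 formula the implementation uses, so the assertion cannot catch a wrong shift, and the collision case the commit is about — `vti0` mapping to key 0 — is never exercised, since the only interface under test appears to be vti10. Consider asserting a literal (`f'if_id_in = 11'` for `vti10`) and adding a `vti0` case that checks `if_id_in = 1` is emitted rather than `0`, since a key of 0 is what lets one interface match every unkeyed policy. Also, `str.lstrip('vti')` strips any leading run of the characters v/t/i rather than the prefix; harmless for `vtiN` names, but `vti[len('vti'):]` states the intent exactly. The enclosing test method starts outside this hunk.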
@@ -238,8 +242,8 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
f'mode = tunnel',
f'local_ts = 172.16.10.0/24,172.16.11.0/24',
f'remote_ts = 172.17.10.0/24,172.17.11.0/24',
- f'if_id_in = {vti.lstrip("vti")}', # will be 10 for vti10
- f'if_id_out = {vti.lstrip("vti")}',
+ f'if_id_in = {if_id}', # will be 11 for vti10 - shifted by one
+ f'if_id_out = {if_id}',
f'updown = "/etc/ipsec.d/vti-up-down {vti} no"'
]
for line in swanctl_conf_lines:
@@ -346,6 +350,11 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
swanctl_conf = read_file(swanctl_file)
tmp = peer_ip.replace('.', '-')
+ if_id = vti.lstrip('vti')
+ # The key defaults to 0 and will match any policies which similarly do
+ # not have a lookup key configuration - thus we shift the key by one
+ # to also support a vti0 interface
+ if_id = str(int(if_id) +1)
swanctl_lines = [
f'peer_{tmp}',
f'version = 0', # key-exchange not set - defaulting to 0 for ikev1 and ikev2
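Review bot: These five lines duplicate, comment included, the block added to the earlier test in this file; a module-level helper such as `def vti_if_id(vti): return str(int(vti[len('vti'):]) + 1)` called from both tests would keep the two expectations from drifting if the shift changes again. The `+1` spacing (`str(int(if_id) +1)`) should also be `+ 1` per PEP 8. The enclosing test method starts outside this hunk.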
@@ -362,8 +371,8 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
f'local_ts = 0.0.0.0/0,::/0',
f'remote_ts = 0.0.0.0/0,::/0',
f'updown = "/etc/ipsec.d/vti-up-down {vti} no"',
- f'if_id_in = {vti.lstrip("vti")}', # will be 10 for vti10
- f'if_id_out = {vti.lstrip("vti")}',
+ f'if_id_in = {if_id}', # will be 11 for vti10
+ f'if_id_out = {if_id}',
f'ipcomp = no',
f'mode = tunnel',
f'start_action = start',
@@ -378,5 +387,8 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
for line in swanctl_secrets_lines:
self.assertIn(line, swanctl_conf)
+ # There is only one VTI test so no need to delete this globally in tearDown()
+ self.cli_delete(vti_path)
+
if __name__ == '__main__':
unittest.main(verbosity=2)
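Review bot: Moving `self.cli_delete(vti_path)` from `tearDown()` into the test body means it runs only when every preceding `assertIn` passes; a failing assertion leaves the VTI interface and its IPsec binding configured and leaks into later tests in the class, which is exactly what the removed `tearDown()` line guarded against. Keep `self.cli_delete(vti_path)` in `tearDown()`, where the following `self.cli_commit()` applies it regardless of the test outcome, rather than relying on the happy path of one test. The enclosing test method starts outside this hunk.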