diff options
| author | Viacheslav Hletenko <v.gletenko@vyos.io> | 2026-03-04 12:01:50 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2026-03-04 12:01:50 +0200 |
| commit | 2a4d52b2b8c39f4f77b526ce80686247dd4d0f95 (patch) | |
| tree | edcf61a295a71c50d8ca20c22a8bec3378f5e86d /smoketest/scripts/cli | |
| parent | 3030e33b26c1a895179747f2444a0cd79d59f891 (diff) | |
| parent | 673ec335b885ae1de8391dd8c48a5fe16b282db5 (diff) | |
| download | vyos-1x-2a4d52b2b8c39f4f77b526ce80686247dd4d0f95.tar.gz vyos-1x-2a4d52b2b8c39f4f77b526ce80686247dd4d0f95.zip | |
Merge pull request #4930 from giga1699/T8136
ipsec: T8136: IPSEC PPK support
Diffstat (limited to 'smoketest/scripts/cli')
| -rwxr-xr-x | smoketest/scripts/cli/test_vpn_ipsec.py | 134 |
1 files changed, 134 insertions, 0 deletions
diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py index 9461cd183..a15532a96 100755 --- a/smoketest/scripts/cli/test_vpn_ipsec.py +++ b/smoketest/scripts/cli/test_vpn_ipsec.py @@ -47,6 +47,7 @@ vif = '100' esp_group = 'MyESPGroup' ike_group = 'MyIKEGroup' secret = 'MYSECRETKEY' +ppk_secret_hex = '55c2ebca1bada7ac0e4e1390a8dbb563cefea0c7bd59f4f2c86a627f5927fb90' PROCESS_NAME = 'charon-systemd' regex_uuid4 = '[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}' @@ -668,6 +669,139 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): for line in swanctl_conf_lines: self.assertIn(line, swanctl_conf) + def test_site_to_site_nist_800_77_cnsa_1_with_ppk(self): + # Setup IKE group + self.cli_set(base_path + ['ike-group', 'cnsa1-ike', 'key-exchange', 'ikev2']) + self.cli_set(base_path + ['ike-group', 'cnsa1-ike', 'lifetime', '86400']) + self.cli_set( + base_path + ['ike-group', 'cnsa1-ike', 'proposal', '10', 'dh-group', '20'] + ) + self.cli_set( + base_path + + ['ike-group', 'cnsa1-ike', 'proposal', '10', 'encryption', 'aes256gcm128'] + ) + self.cli_set( + base_path + ['ike-group', 'cnsa1-ike', 'proposal', '10', 'hash', 'sha384'] + ) + self.cli_set( + base_path + ['ike-group', 'cnsa1-ike', 'proposal', '10', 'prf', 'prfsha384'] + ) + + # Setup ESP group + self.cli_set(base_path + ['esp-group', 'cnsa1-esp', 'lifetime', '28800']) + self.cli_set(base_path + ['esp-group', 'cnsa1-esp', 'mode', 'tunnel']) + self.cli_set(base_path + ['esp-group', 'cnsa1-esp', 'pfs', 'dh-group20']) + self.cli_set( + base_path + + ['esp-group', 'cnsa1-esp', 'proposal', '10', 'encryption', 'aes256gcm128'] + ) + self.cli_set( + base_path + ['esp-group', 'cnsa1-esp', 'proposal', '10', 'hash', 'sha384'] + ) + + local_address = '192.0.2.10' + + # vpn ipsec auth psk <tag> id <x.x.x.x> + self.cli_set( + base_path + ['authentication', 'psk', connection_name, 'id', local_id] + ) + self.cli_set( + base_path + ['authentication', 'psk', connection_name, 'id', remote_id] + ) + self.cli_set( + base_path + ['authentication', 'psk', connection_name, 'id', local_address] + ) + self.cli_set( + base_path + ['authentication', 'psk', connection_name, 'id', peer_ip] + ) + self.cli_set( + base_path + ['authentication', 'psk', connection_name, 'secret', secret] + ) + + # vpn ipsec auth ppk <tag> id <name> + self.cli_set( + base_path + ['authentication', 'ppk', connection_name, 'id', 'ppk-test'] + ) + self.cli_set( + base_path + + ['authentication', 'ppk', connection_name, 'secret', ppk_secret_hex] + ) + self.cli_set( + base_path + ['authentication', 'ppk', connection_name, 'secret-type', 'hex'] + ) + + # Site to site + peer_base_path = base_path + ['site-to-site', 'peer', connection_name] + + self.cli_set(peer_base_path + ['authentication', 'mode', 'pre-shared-secret']) + + # Require use of valid PPK + self.cli_set(peer_base_path + ['authentication', 'ppk', 'id', 'ppk-test']) + self.cli_set(peer_base_path + ['authentication', 'ppk', 'required']) + + # Set childless IKE_INIT to prefer + self.cli_set(peer_base_path + ['childless', 'prefer']) + + self.cli_set(peer_base_path + ['default-esp-group', 'cnsa1-esp']) + self.cli_set(peer_base_path + ['ike-group', 'cnsa1-ike']) + self.cli_set(peer_base_path + ['local-address', local_address]) + + self.cli_set(peer_base_path + ['remote-address', peer_ip]) + self.cli_set( + peer_base_path + ['tunnel', '1', 'local', 'prefix', '172.16.10.0/24'] + ) + self.cli_set( + peer_base_path + ['tunnel', '1', 'remote', 'prefix', '172.17.10.0/24'] + ) + + self.cli_commit() + + # Verify strongSwan configuration + swanctl_conf = read_file(swanctl_file) + swanctl_conf_lines = [ + f'ppk_id = ppk-test', + f'ppk_required = yes', + f'childless = prefer', + f'version = 2', + f'auth = psk', + f'rekey_time = 86400s', + f'proposals = aes256gcm128-sha384-prfsha384-ecp384', + f'esp_proposals = aes256gcm128-sha384-ecp384', + f'life_time = 28800s', # default value + f'local_addrs = {local_address} # dhcp:no', + f'remote_addrs = {peer_ip}', + f'mode = tunnel', + f'{connection_name}-tunnel-1', + f'local_ts = 172.16.10.0/24', + f'remote_ts = 172.17.10.0/24', + f'mode = tunnel', + f'replay_window = 32', + ] + for line in swanctl_conf_lines: + self.assertIn(line, swanctl_conf) + + # if dpd is not specified it should not be enabled (see T6599) + swanctl_unexpected_lines = [ + 'dpd_timeout', + 'dpd_delay', + ] + + for unexpected_line in swanctl_unexpected_lines: + self.assertNotIn(unexpected_line, swanctl_conf) + + swanctl_secrets_lines = [ + f'id-{regex_uuid4} = "{local_id}"', + f'id-{regex_uuid4} = "{remote_id}"', + f'id-{regex_uuid4} = "{local_address}"', + f'id-{regex_uuid4} = "{peer_ip}"', + f'secret = "{secret}"', + f'ppk-{connection_name}', + f'id-{regex_uuid4} = "ppk-test"', + f'secret = 0x{ppk_secret_hex}', + ] + for line in swanctl_secrets_lines: + self.assertRegex(swanctl_conf, fr'{line}') + def test_dmvpn(self): ike_lifetime = '3600' |
