diff options
author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2021-06-14 13:04:04 +0200 |
---|---|---|
committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2021-06-15 00:16:42 +0200 |
commit | 11b5636519b360074eb2877006f2d8d63d9f6610 (patch) | |
tree | 1ff04e1e0aba2167b746f2f1373544e3d38b055d /smoketest/scripts | |
parent | 78099bccc510c90ad7cfa5f56475ba024d5d53a7 (diff) | |
download | vyos-1x-11b5636519b360074eb2877006f2d8d63d9f6610.tar.gz vyos-1x-11b5636519b360074eb2877006f2d8d63d9f6610.zip |
ipsec: T2816: T645: T3613: Migrated IPsec to swanctl, includes multiple selectors, and selectors with VTI.
Diffstat (limited to 'smoketest/scripts')
-rwxr-xr-x | smoketest/scripts/cli/test_vpn_ipsec.py | 109 |
1 files changed, 92 insertions, 17 deletions
diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py index 627d73d5c..b27ed3ca5 100755 --- a/smoketest/scripts/cli/test_vpn_ipsec.py +++ b/smoketest/scripts/cli/test_vpn_ipsec.py @@ -23,16 +23,19 @@ from vyos.util import call, process_named_running, read_file ethernet_path = ['interfaces', 'ethernet'] tunnel_path = ['interfaces', 'tunnel'] +vti_path = ['interfaces', 'vti'] nhrp_path = ['protocols', 'nhrp'] base_path = ['vpn', 'ipsec'] dhcp_waiting_file = '/tmp/ipsec_dhcp_waiting' +swanctl_file = '/etc/swanctl/swanctl.conf' class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): def tearDown(self): self.cli_delete(base_path) self.cli_delete(nhrp_path) self.cli_delete(tunnel_path) + self.cli_delete(vti_path) self.cli_delete(ethernet_path) self.cli_commit() @@ -77,6 +80,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "dh-group", "2"]) self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "encryption", "aes128"]) self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "hash", "sha1"]) + self.cli_set(base_path + ["ike-group", "MyIKEGroup", "key-exchange", "ikev2"]) # Site to site self.cli_set(base_path + ["ipsec-interfaces", "interface", "eth0"]) @@ -85,33 +89,104 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "ike-group", "MyIKEGroup"]) self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "default-esp-group", "MyESPGroup"]) self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "local-address", "192.0.2.10"]) - self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "protocol", "gre"]) + self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "protocol", "tcp"]) + self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "local", "prefix", "172.16.10.0/24"]) + self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "local", "prefix", "172.16.11.0/24"]) + self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "local", "port", "443"]) + self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "remote", "prefix", "172.17.10.0/24"]) + self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "remote", "prefix", "172.17.11.0/24"]) + self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "remote", "port", "443"]) self.cli_commit() - ipsec_conf_lines = [ - 'authby = secret', - 'ike = aes128-sha1-modp1024!', - 'esp = aes128-sha1-modp1024!', - 'left = 192.0.2.10', - 'right = 203.0.113.45', - 'type = tunnel' + swanctl_conf_lines = [ + 'version = 2', + 'auth = psk', + 'proposals = aes128-sha1-modp1024', + 'esp_proposals = aes128-sha1-modp1024', + 'local_addrs = 192.0.2.10 # dhcp:no', + 'remote_addrs = 203.0.113.45', + 'mode = tunnel', + 'local_ts = 172.16.10.0/24[tcp/443],172.16.11.0/24[tcp/443]', + 'remote_ts = 172.17.10.0/24[tcp/443],172.17.11.0/24[tcp/443]' + ] + + swanctl_secrets_lines = [ + 'id-local = 192.0.2.10 # dhcp:no', + 'id-remote = 203.0.113.45', + 'secret = "MYSECRETKEY"' ] - ipsec_secrets_lines = [ - '192.0.2.10 203.0.113.45 : PSK "MYSECRETKEY" # dhcp:no' + tmp_swanctl_conf = read_file(swanctl_file) + + for line in swanctl_conf_lines: + self.assertIn(line, tmp_swanctl_conf) + + for line in swanctl_secrets_lines: + self.assertIn(line, tmp_swanctl_conf) + + # Check for running process + self.assertTrue(process_named_running('charon')) + + def test_site_to_site_vti(self): + self.cli_delete(base_path) + self.cli_delete(vti_path) + + # VTI interface + self.cli_set(vti_path + ["vti10", "address", "10.1.1.1/24"]) + + # IKE/ESP Groups + self.cli_set(base_path + ["esp-group", "MyESPGroup", "proposal", "1", "encryption", "aes128"]) + self.cli_set(base_path + ["esp-group", "MyESPGroup", "proposal", "1", "hash", "sha1"]) + self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "dh-group", "2"]) + self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "encryption", "aes128"]) + self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "hash", "sha1"]) + self.cli_set(base_path + ["ike-group", "MyIKEGroup", "key-exchange", "ikev2"]) + + # Site to site + self.cli_set(base_path + ["ipsec-interfaces", "interface", "eth0"]) + self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "authentication", "mode", "pre-shared-secret"]) + self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "authentication", "pre-shared-secret", "MYSECRETKEY"]) + self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "ike-group", "MyIKEGroup"]) + self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "default-esp-group", "MyESPGroup"]) + self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "local-address", "192.0.2.10"]) + self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "local", "prefix", "172.16.10.0/24"]) + self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "local", "prefix", "172.16.11.0/24"]) + self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "remote", "prefix", "172.17.10.0/24"]) + self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "remote", "prefix", "172.17.11.0/24"]) + self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "vti", "bind", "vti10"]) + self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "vti", "esp-group", "MyESPGroup"]) + + self.cli_commit() + + swanctl_conf_lines = [ + 'version = 2', + 'auth = psk', + 'proposals = aes128-sha1-modp1024', + 'esp_proposals = aes128-sha1-modp1024', + 'local_addrs = 192.0.2.10 # dhcp:no', + 'remote_addrs = 203.0.113.45', + 'mode = tunnel', + 'local_ts = 172.16.10.0/24,172.16.11.0/24', + 'remote_ts = 172.17.10.0/24,172.17.11.0/24', + 'mark_in = 9437194', # 0x900000 + (vti)10 + 'mark_out = 9437194', + 'updown = "/etc/ipsec.d/vti-up-down vti10 no"' ] - tmp_ipsec_conf = read_file('/etc/ipsec.conf') + swanctl_secrets_lines = [ + 'id-local = 192.0.2.10 # dhcp:no', + 'id-remote = 203.0.113.45', + 'secret = "MYSECRETKEY"' + ] - for line in ipsec_conf_lines: - self.assertIn(line, tmp_ipsec_conf) + tmp_swanctl_conf = read_file(swanctl_file) - call('sudo chmod 644 /etc/ipsec.secrets') # Needs to be readable - tmp_ipsec_secrets = read_file('/etc/ipsec.secrets') + for line in swanctl_conf_lines: + self.assertIn(line, tmp_swanctl_conf) - for line in ipsec_secrets_lines: - self.assertIn(line, tmp_ipsec_secrets) + for line in swanctl_secrets_lines: + self.assertIn(line, tmp_swanctl_conf) # Check for running process self.assertTrue(process_named_running('charon')) |