summaryrefslogtreecommitdiff
path: root/smoketest/scripts
diff options
context:
space:
mode:
authorsarthurdev <965089+sarthurdev@users.noreply.github.com>2021-06-14 13:04:04 +0200
committersarthurdev <965089+sarthurdev@users.noreply.github.com>2021-06-15 00:16:42 +0200
commit11b5636519b360074eb2877006f2d8d63d9f6610 (patch)
tree1ff04e1e0aba2167b746f2f1373544e3d38b055d /smoketest/scripts
parent78099bccc510c90ad7cfa5f56475ba024d5d53a7 (diff)
downloadvyos-1x-11b5636519b360074eb2877006f2d8d63d9f6610.tar.gz
vyos-1x-11b5636519b360074eb2877006f2d8d63d9f6610.zip
ipsec: T2816: T645: T3613: Migrated IPsec to swanctl, includes multiple selectors, and selectors with VTI.
Diffstat (limited to 'smoketest/scripts')
-rwxr-xr-xsmoketest/scripts/cli/test_vpn_ipsec.py109
1 files changed, 92 insertions, 17 deletions
diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py
index 627d73d5c..b27ed3ca5 100755
--- a/smoketest/scripts/cli/test_vpn_ipsec.py
+++ b/smoketest/scripts/cli/test_vpn_ipsec.py
@@ -23,16 +23,19 @@ from vyos.util import call, process_named_running, read_file
ethernet_path = ['interfaces', 'ethernet']
tunnel_path = ['interfaces', 'tunnel']
+vti_path = ['interfaces', 'vti']
nhrp_path = ['protocols', 'nhrp']
base_path = ['vpn', 'ipsec']
dhcp_waiting_file = '/tmp/ipsec_dhcp_waiting'
+swanctl_file = '/etc/swanctl/swanctl.conf'
class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
def tearDown(self):
self.cli_delete(base_path)
self.cli_delete(nhrp_path)
self.cli_delete(tunnel_path)
+ self.cli_delete(vti_path)
self.cli_delete(ethernet_path)
self.cli_commit()
@@ -77,6 +80,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "dh-group", "2"])
self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "encryption", "aes128"])
self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "hash", "sha1"])
+ self.cli_set(base_path + ["ike-group", "MyIKEGroup", "key-exchange", "ikev2"])
# Site to site
self.cli_set(base_path + ["ipsec-interfaces", "interface", "eth0"])
@@ -85,33 +89,104 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "ike-group", "MyIKEGroup"])
self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "default-esp-group", "MyESPGroup"])
self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "local-address", "192.0.2.10"])
- self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "protocol", "gre"])
+ self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "protocol", "tcp"])
+ self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "local", "prefix", "172.16.10.0/24"])
+ self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "local", "prefix", "172.16.11.0/24"])
+ self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "local", "port", "443"])
+ self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "remote", "prefix", "172.17.10.0/24"])
+ self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "remote", "prefix", "172.17.11.0/24"])
+ self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "remote", "port", "443"])
self.cli_commit()
- ipsec_conf_lines = [
- 'authby = secret',
- 'ike = aes128-sha1-modp1024!',
- 'esp = aes128-sha1-modp1024!',
- 'left = 192.0.2.10',
- 'right = 203.0.113.45',
- 'type = tunnel'
+ swanctl_conf_lines = [
+ 'version = 2',
+ 'auth = psk',
+ 'proposals = aes128-sha1-modp1024',
+ 'esp_proposals = aes128-sha1-modp1024',
+ 'local_addrs = 192.0.2.10 # dhcp:no',
+ 'remote_addrs = 203.0.113.45',
+ 'mode = tunnel',
+ 'local_ts = 172.16.10.0/24[tcp/443],172.16.11.0/24[tcp/443]',
+ 'remote_ts = 172.17.10.0/24[tcp/443],172.17.11.0/24[tcp/443]'
+ ]
+
+ swanctl_secrets_lines = [
+ 'id-local = 192.0.2.10 # dhcp:no',
+ 'id-remote = 203.0.113.45',
+ 'secret = "MYSECRETKEY"'
]
- ipsec_secrets_lines = [
- '192.0.2.10 203.0.113.45 : PSK "MYSECRETKEY" # dhcp:no'
+ tmp_swanctl_conf = read_file(swanctl_file)
+
+ for line in swanctl_conf_lines:
+ self.assertIn(line, tmp_swanctl_conf)
+
+ for line in swanctl_secrets_lines:
+ self.assertIn(line, tmp_swanctl_conf)
+
+ # Check for running process
+ self.assertTrue(process_named_running('charon'))
+
+ def test_site_to_site_vti(self):
+ self.cli_delete(base_path)
+ self.cli_delete(vti_path)
+
+ # VTI interface
+ self.cli_set(vti_path + ["vti10", "address", "10.1.1.1/24"])
+
+ # IKE/ESP Groups
+ self.cli_set(base_path + ["esp-group", "MyESPGroup", "proposal", "1", "encryption", "aes128"])
+ self.cli_set(base_path + ["esp-group", "MyESPGroup", "proposal", "1", "hash", "sha1"])
+ self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "dh-group", "2"])
+ self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "encryption", "aes128"])
+ self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "hash", "sha1"])
+ self.cli_set(base_path + ["ike-group", "MyIKEGroup", "key-exchange", "ikev2"])
+
+ # Site to site
+ self.cli_set(base_path + ["ipsec-interfaces", "interface", "eth0"])
+ self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "authentication", "mode", "pre-shared-secret"])
+ self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "authentication", "pre-shared-secret", "MYSECRETKEY"])
+ self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "ike-group", "MyIKEGroup"])
+ self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "default-esp-group", "MyESPGroup"])
+ self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "local-address", "192.0.2.10"])
+ self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "local", "prefix", "172.16.10.0/24"])
+ self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "local", "prefix", "172.16.11.0/24"])
+ self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "remote", "prefix", "172.17.10.0/24"])
+ self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "remote", "prefix", "172.17.11.0/24"])
+ self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "vti", "bind", "vti10"])
+ self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "vti", "esp-group", "MyESPGroup"])
+
+ self.cli_commit()
+
+ swanctl_conf_lines = [
+ 'version = 2',
+ 'auth = psk',
+ 'proposals = aes128-sha1-modp1024',
+ 'esp_proposals = aes128-sha1-modp1024',
+ 'local_addrs = 192.0.2.10 # dhcp:no',
+ 'remote_addrs = 203.0.113.45',
+ 'mode = tunnel',
+ 'local_ts = 172.16.10.0/24,172.16.11.0/24',
+ 'remote_ts = 172.17.10.0/24,172.17.11.0/24',
+ 'mark_in = 9437194', # 0x900000 + (vti)10
+ 'mark_out = 9437194',
+ 'updown = "/etc/ipsec.d/vti-up-down vti10 no"'
]
- tmp_ipsec_conf = read_file('/etc/ipsec.conf')
+ swanctl_secrets_lines = [
+ 'id-local = 192.0.2.10 # dhcp:no',
+ 'id-remote = 203.0.113.45',
+ 'secret = "MYSECRETKEY"'
+ ]
- for line in ipsec_conf_lines:
- self.assertIn(line, tmp_ipsec_conf)
+ tmp_swanctl_conf = read_file(swanctl_file)
- call('sudo chmod 644 /etc/ipsec.secrets') # Needs to be readable
- tmp_ipsec_secrets = read_file('/etc/ipsec.secrets')
+ for line in swanctl_conf_lines:
+ self.assertIn(line, tmp_swanctl_conf)
- for line in ipsec_secrets_lines:
- self.assertIn(line, tmp_ipsec_secrets)
+ for line in swanctl_secrets_lines:
+ self.assertIn(line, tmp_swanctl_conf)
# Check for running process
self.assertTrue(process_named_running('charon'))