diff options
| -rwxr-xr-x | smoketest/scripts/cli/test_vpn_ipsec.py | 260 | 
1 files changed, 132 insertions, 128 deletions
| diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py index b27ed3ca5..fee4d6ade 100755 --- a/smoketest/scripts/cli/test_vpn_ipsec.py +++ b/smoketest/scripts/cli/test_vpn_ipsec.py @@ -30,7 +30,17 @@ base_path = ['vpn', 'ipsec']  dhcp_waiting_file = '/tmp/ipsec_dhcp_waiting'  swanctl_file = '/etc/swanctl/swanctl.conf' +peer_ip = '203.0.113.45' +interface = 'eth1' +vif = '100' +esp_group = 'MyESPGroup' +ike_group = 'MyIKEGroup' +secret = 'MYSECRETKEY' +  class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): +    def setUp(self): +        self.cli_set(base_path + ['ipsec-interfaces', 'interface', f'{interface}.{vif}']) +      def tearDown(self):          self.cli_delete(base_path)          self.cli_delete(nhrp_path) @@ -40,34 +50,31 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):          self.cli_commit()      def test_dhcp_fail_handling(self): -        self.cli_delete(ethernet_path) -        self.cli_delete(base_path) -          # Interface for dhcp-interface -        self.cli_set(ethernet_path + ['eth0', 'vif', '100', 'address', 'dhcp']) # Use VLAN to avoid getting IP from qemu dhcp server +        self.cli_set(ethernet_path + [interface, 'vif', vif, 'address', 'dhcp']) # Use VLAN to avoid getting IP from qemu dhcp server          # Set IKE/ESP Groups -        self.cli_set(base_path + ["esp-group", "MyESPGroup", "proposal", "1", "encryption", "aes128"]) -        self.cli_set(base_path + ["esp-group", "MyESPGroup", "proposal", "1", "hash", "sha1"]) -        self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "dh-group", "2"]) -        self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "encryption", "aes128"]) -        self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "hash", "sha1"]) +        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1', 'encryption', 'aes128']) +        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1', 'hash', 'sha1']) +        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'dh-group', '2']) +        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'encryption', 'aes128']) +        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'hash', 'sha1'])          # Site to site -        self.cli_set(base_path + ["ipsec-interfaces", "interface", "eth0.100"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "authentication", "mode", "pre-shared-secret"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "authentication", "pre-shared-secret", "MYSECRETKEY"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "ike-group", "MyIKEGroup"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "default-esp-group", "MyESPGroup"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "dhcp-interface", "eth0.100"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "protocol", "gre"]) +        peer_base_path = base_path + ['site-to-site', 'peer', peer_ip] +        self.cli_set(peer_base_path + ['authentication', 'mode', 'pre-shared-secret']) +        self.cli_set(peer_base_path + ['authentication', 'pre-shared-secret', secret]) +        self.cli_set(peer_base_path + ['ike-group', ike_group]) +        self.cli_set(peer_base_path + ['default-esp-group', esp_group]) +        self.cli_set(peer_base_path + ['dhcp-interface', f'{interface}.{vif}']) +        self.cli_set(peer_base_path + ['tunnel', '1', 'protocol', 'gre'])          self.cli_commit()          self.assertTrue(os.path.exists(dhcp_waiting_file))          dhcp_waiting = read_file(dhcp_waiting_file) -        self.assertIn('eth0.100', dhcp_waiting) # Ensure dhcp-failed interface was added for dhclient hook +        self.assertIn(f'{interface}.{vif}', dhcp_waiting) # Ensure dhcp-failed interface was added for dhclient hook          self.assertTrue(process_named_running('charon')) # Commit should've still succeeded and launched charon @@ -75,46 +82,46 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):          self.cli_delete(base_path)          # IKE/ESP Groups -        self.cli_set(base_path + ["esp-group", "MyESPGroup", "proposal", "1", "encryption", "aes128"]) -        self.cli_set(base_path + ["esp-group", "MyESPGroup", "proposal", "1", "hash", "sha1"]) -        self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "dh-group", "2"]) -        self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "encryption", "aes128"]) -        self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "hash", "sha1"]) -        self.cli_set(base_path + ["ike-group", "MyIKEGroup", "key-exchange", "ikev2"]) +        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1', 'encryption', 'aes128']) +        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1', 'hash', 'sha1']) +        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'dh-group', '2']) +        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'encryption', 'aes128']) +        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'hash', 'sha1']) +        self.cli_set(base_path + ['ike-group', ike_group, 'key-exchange', 'ikev2'])          # Site to site -        self.cli_set(base_path + ["ipsec-interfaces", "interface", "eth0"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "authentication", "mode", "pre-shared-secret"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "authentication", "pre-shared-secret", "MYSECRETKEY"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "ike-group", "MyIKEGroup"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "default-esp-group", "MyESPGroup"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "local-address", "192.0.2.10"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "protocol", "tcp"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "local", "prefix", "172.16.10.0/24"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "local", "prefix", "172.16.11.0/24"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "local", "port", "443"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "remote", "prefix", "172.17.10.0/24"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "remote", "prefix", "172.17.11.0/24"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "remote", "port", "443"]) +        peer_base_path = base_path + ['site-to-site', 'peer', peer_ip] +        self.cli_set(peer_base_path + ['authentication', 'mode', 'pre-shared-secret']) +        self.cli_set(peer_base_path + ['authentication', 'pre-shared-secret', secret]) +        self.cli_set(peer_base_path + ['ike-group', ike_group]) +        self.cli_set(peer_base_path + ['default-esp-group', esp_group]) +        self.cli_set(peer_base_path + ['local-address', '192.0.2.10']) +        self.cli_set(peer_base_path + ['tunnel', '1', 'protocol', 'tcp']) +        self.cli_set(peer_base_path + ['tunnel', '1', 'local', 'prefix', '172.16.10.0/24']) +        self.cli_set(peer_base_path + ['tunnel', '1', 'local', 'prefix', '172.16.11.0/24']) +        self.cli_set(peer_base_path + ['tunnel', '1', 'local', 'port', '443']) +        self.cli_set(peer_base_path + ['tunnel', '1', 'remote', 'prefix', '172.17.10.0/24']) +        self.cli_set(peer_base_path + ['tunnel', '1', 'remote', 'prefix', '172.17.11.0/24']) +        self.cli_set(peer_base_path + ['tunnel', '1', 'remote', 'port', '443'])          self.cli_commit()          swanctl_conf_lines = [ -            'version = 2', -            'auth = psk', -            'proposals = aes128-sha1-modp1024', -            'esp_proposals = aes128-sha1-modp1024', -            'local_addrs = 192.0.2.10 # dhcp:no', -            'remote_addrs = 203.0.113.45', -            'mode = tunnel', -            'local_ts = 172.16.10.0/24[tcp/443],172.16.11.0/24[tcp/443]', -            'remote_ts = 172.17.10.0/24[tcp/443],172.17.11.0/24[tcp/443]' +            f'version = 2', +            f'auth = psk', +            f'proposals = aes128-sha1-modp1024', +            f'esp_proposals = aes128-sha1-modp1024', +            f'local_addrs = 192.0.2.10 # dhcp:no', +            f'remote_addrs = {peer_ip}', +            f'mode = tunnel', +            f'local_ts = 172.16.10.0/24[tcp/443],172.16.11.0/24[tcp/443]', +            f'remote_ts = 172.17.10.0/24[tcp/443],172.17.11.0/24[tcp/443]'          ]          swanctl_secrets_lines = [ -            'id-local = 192.0.2.10 # dhcp:no', -            'id-remote = 203.0.113.45', -            'secret = "MYSECRETKEY"' +            f'id-local = 192.0.2.10 # dhcp:no', +            f'id-remote = {peer_ip}', +            f'secret = "{secret}"'          ]          tmp_swanctl_conf = read_file(swanctl_file) @@ -129,55 +136,54 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):          self.assertTrue(process_named_running('charon'))      def test_site_to_site_vti(self): -        self.cli_delete(base_path) -        self.cli_delete(vti_path) +        vti = 'vti10'          # VTI interface -        self.cli_set(vti_path + ["vti10", "address", "10.1.1.1/24"]) +        self.cli_set(vti_path + [vti, 'address', '10.1.1.1/24'])          # IKE/ESP Groups -        self.cli_set(base_path + ["esp-group", "MyESPGroup", "proposal", "1", "encryption", "aes128"]) -        self.cli_set(base_path + ["esp-group", "MyESPGroup", "proposal", "1", "hash", "sha1"]) -        self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "dh-group", "2"]) -        self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "encryption", "aes128"]) -        self.cli_set(base_path + ["ike-group", "MyIKEGroup", "proposal", "1", "hash", "sha1"]) -        self.cli_set(base_path + ["ike-group", "MyIKEGroup", "key-exchange", "ikev2"]) +        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1', 'encryption', 'aes128']) +        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1', 'hash', 'sha1']) +        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'dh-group', '2']) +        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'encryption', 'aes128']) +        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'hash', 'sha1']) +        self.cli_set(base_path + ['ike-group', ike_group, 'key-exchange', 'ikev2'])          # Site to site -        self.cli_set(base_path + ["ipsec-interfaces", "interface", "eth0"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "authentication", "mode", "pre-shared-secret"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "authentication", "pre-shared-secret", "MYSECRETKEY"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "ike-group", "MyIKEGroup"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "default-esp-group", "MyESPGroup"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "local-address", "192.0.2.10"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "local", "prefix", "172.16.10.0/24"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "local", "prefix", "172.16.11.0/24"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "remote", "prefix", "172.17.10.0/24"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "tunnel", "1", "remote", "prefix", "172.17.11.0/24"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "vti", "bind", "vti10"]) -        self.cli_set(base_path + ["site-to-site", "peer", "203.0.113.45", "vti", "esp-group", "MyESPGroup"]) +        peer_base_path = base_path + ['site-to-site', 'peer', peer_ip] +        self.cli_set(peer_base_path + ['authentication', 'mode', 'pre-shared-secret']) +        self.cli_set(peer_base_path + ['authentication', 'pre-shared-secret', secret]) +        self.cli_set(peer_base_path + ['ike-group', ike_group]) +        self.cli_set(peer_base_path + ['default-esp-group', esp_group]) +        self.cli_set(peer_base_path + ['local-address', '192.0.2.10']) +        self.cli_set(peer_base_path + ['tunnel', '1', 'local', 'prefix', '172.16.10.0/24']) +        self.cli_set(peer_base_path + ['tunnel', '1', 'local', 'prefix', '172.16.11.0/24']) +        self.cli_set(peer_base_path + ['tunnel', '1', 'remote', 'prefix', '172.17.10.0/24']) +        self.cli_set(peer_base_path + ['tunnel', '1', 'remote', 'prefix', '172.17.11.0/24']) +        self.cli_set(peer_base_path + ['vti', 'bind', vti]) +        self.cli_set(peer_base_path + ['vti', 'esp-group', esp_group])          self.cli_commit()          swanctl_conf_lines = [ -            'version = 2', -            'auth = psk', -            'proposals = aes128-sha1-modp1024', -            'esp_proposals = aes128-sha1-modp1024', -            'local_addrs = 192.0.2.10 # dhcp:no', -            'remote_addrs = 203.0.113.45', -            'mode = tunnel', -            'local_ts = 172.16.10.0/24,172.16.11.0/24', -            'remote_ts = 172.17.10.0/24,172.17.11.0/24', -            'mark_in = 9437194', # 0x900000 + (vti)10 -            'mark_out = 9437194', -            'updown = "/etc/ipsec.d/vti-up-down vti10 no"' +            f'version = 2', +            f'auth = psk', +            f'proposals = aes128-sha1-modp1024', +            f'esp_proposals = aes128-sha1-modp1024', +            f'local_addrs = 192.0.2.10 # dhcp:no', +            f'remote_addrs = {peer_ip}', +            f'mode = tunnel', +            f'local_ts = 172.16.10.0/24,172.16.11.0/24', +            f'remote_ts = 172.17.10.0/24,172.17.11.0/24', +            f'if_id_in = {vti.lstrip("vti")}', # will be 10 for vti10 +            f'if_id_out = {vti.lstrip("vti")}', +            f'updown = "/etc/ipsec.d/vti-up-down {vti} no"'          ]          swanctl_secrets_lines = [ -            'id-local = 192.0.2.10 # dhcp:no', -            'id-remote = 203.0.113.45', -            'secret = "MYSECRETKEY"' +            f'id-local = 192.0.2.10 # dhcp:no', +            f'id-remote = {peer_ip}', +            f'secret = "{secret}"'          ]          tmp_swanctl_conf = read_file(swanctl_file) @@ -192,62 +198,60 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):          self.assertTrue(process_named_running('charon'))      def test_dmvpn(self): -        self.cli_delete(base_path) -        self.cli_delete(nhrp_path) -        self.cli_delete(tunnel_path) +        tunnel_if = 'tun100' +        nhrp_secret = 'secret'          # Tunnel -        self.cli_set(tunnel_path + ["tun100", "address", "172.16.253.134/29"]) -        self.cli_set(tunnel_path + ["tun100", "encapsulation", "gre"]) -        self.cli_set(tunnel_path + ["tun100", "source-address", "192.0.2.1"]) -        self.cli_set(tunnel_path + ["tun100", "multicast", "enable"]) -        self.cli_set(tunnel_path + ["tun100", "parameters", "ip", "key", "1"]) +        self.cli_set(tunnel_path + [tunnel_if, 'address', '172.16.253.134/29']) +        self.cli_set(tunnel_path + [tunnel_if, 'encapsulation', 'gre']) +        self.cli_set(tunnel_path + [tunnel_if, 'source-address', '192.0.2.1']) +        self.cli_set(tunnel_path + [tunnel_if, 'multicast', 'enable']) +        self.cli_set(tunnel_path + [tunnel_if, 'parameters', 'ip', 'key', '1'])          # NHRP -        self.cli_set(nhrp_path + ["tunnel", "tun100", "cisco-authentication", "secret"]) -        self.cli_set(nhrp_path + ["tunnel", "tun100", "holding-time", "300"]) -        self.cli_set(nhrp_path + ["tunnel", "tun100", "multicast", "dynamic"]) -        self.cli_set(nhrp_path + ["tunnel", "tun100", "redirect"]) -        self.cli_set(nhrp_path + ["tunnel", "tun100", "shortcut"]) +        self.cli_set(nhrp_path + ['tunnel', tunnel_if, 'cisco-authentication', nhrp_secret]) +        self.cli_set(nhrp_path + ['tunnel', tunnel_if, 'holding-time', '300']) +        self.cli_set(nhrp_path + ['tunnel', tunnel_if, 'multicast', 'dynamic']) +        self.cli_set(nhrp_path + ['tunnel', tunnel_if, 'redirect']) +        self.cli_set(nhrp_path + ['tunnel', tunnel_if, 'shortcut'])          # IKE/ESP Groups -        self.cli_set(base_path + ["esp-group", "ESP-HUB", "compression", "disable"]) -        self.cli_set(base_path + ["esp-group", "ESP-HUB", "lifetime", "1800"]) -        self.cli_set(base_path + ["esp-group", "ESP-HUB", "mode", "transport"]) -        self.cli_set(base_path + ["esp-group", "ESP-HUB", "pfs", "dh-group2"]) -        self.cli_set(base_path + ["esp-group", "ESP-HUB", "proposal", "1", "encryption", "aes256"]) -        self.cli_set(base_path + ["esp-group", "ESP-HUB", "proposal", "1", "hash", "sha1"]) -        self.cli_set(base_path + ["esp-group", "ESP-HUB", "proposal", "2", "encryption", "3des"]) -        self.cli_set(base_path + ["esp-group", "ESP-HUB", "proposal", "2", "hash", "md5"]) -        self.cli_set(base_path + ["ike-group", "IKE-HUB", "ikev2-reauth", "no"]) -        self.cli_set(base_path + ["ike-group", "IKE-HUB", "key-exchange", "ikev1"]) -        self.cli_set(base_path + ["ike-group", "IKE-HUB", "lifetime", "3600"]) -        self.cli_set(base_path + ["ike-group", "IKE-HUB", "proposal", "1", "dh-group", "2"]) -        self.cli_set(base_path + ["ike-group", "IKE-HUB", "proposal", "1", "encryption", "aes256"]) -        self.cli_set(base_path + ["ike-group", "IKE-HUB", "proposal", "1", "hash", "sha1"]) -        self.cli_set(base_path + ["ike-group", "IKE-HUB", "proposal", "2", "dh-group", "2"]) -        self.cli_set(base_path + ["ike-group", "IKE-HUB", "proposal", "2", "encryption", "aes128"]) -        self.cli_set(base_path + ["ike-group", "IKE-HUB", "proposal", "2", "hash", "sha1"]) +        self.cli_set(base_path + ['esp-group', esp_group, 'compression', 'disable']) +        self.cli_set(base_path + ['esp-group', esp_group, 'lifetime', '1800']) +        self.cli_set(base_path + ['esp-group', esp_group, 'mode', 'transport']) +        self.cli_set(base_path + ['esp-group', esp_group, 'pfs', 'dh-group2']) +        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1', 'encryption', 'aes256']) +        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1', 'hash', 'sha1']) +        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '2', 'encryption', '3des']) +        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '2', 'hash', 'md5']) +        self.cli_set(base_path + ['ike-group', ike_group, 'ikev2-reauth', 'no']) +        self.cli_set(base_path + ['ike-group', ike_group, 'key-exchange', 'ikev1']) +        self.cli_set(base_path + ['ike-group', ike_group, 'lifetime', '3600']) +        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'dh-group', '2']) +        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'encryption', 'aes256']) +        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'hash', 'sha1']) +        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'dh-group', '2']) +        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'encryption', 'aes128']) +        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'hash', 'sha1'])          # Profile -        self.cli_set(base_path + ["ipsec-interfaces", "interface", "eth0"]) -        self.cli_set(base_path + ["profile", "NHRPVPN", "authentication", "mode", "pre-shared-secret"]) -        self.cli_set(base_path + ["profile", "NHRPVPN", "authentication", "pre-shared-secret", "secret"]) -        self.cli_set(base_path + ["profile", "NHRPVPN", "bind", "tunnel", "tun100"]) -        self.cli_set(base_path + ["profile", "NHRPVPN", "esp-group", "ESP-HUB"]) -        self.cli_set(base_path + ["profile", "NHRPVPN", "ike-group", "IKE-HUB"]) +        self.cli_set(base_path + ['profile', 'NHRPVPN', 'authentication', 'mode', 'pre-shared-secret']) +        self.cli_set(base_path + ['profile', 'NHRPVPN', 'authentication', 'pre-shared-secret', nhrp_secret]) +        self.cli_set(base_path + ['profile', 'NHRPVPN', 'bind', 'tunnel', tunnel_if]) +        self.cli_set(base_path + ['profile', 'NHRPVPN', 'esp-group', esp_group]) +        self.cli_set(base_path + ['profile', 'NHRPVPN', 'ike-group', ike_group])          self.cli_commit()          swanctl_lines = [ -            'proposals = aes256-sha1-modp1024,aes128-sha1-modp1024', -            'version = 1', -            'rekey_time = 3600s', -            'esp_proposals = aes256-sha1-modp1024,3des-md5-modp1024', -            'local_ts = dynamic[gre]', -            'remote_ts = dynamic[gre]', -            'mode = transport', -            'secret = secret' +            f'proposals = aes256-sha1-modp1024,aes128-sha1-modp1024', +            f'version = 1', +            f'rekey_time = 3600s', +            f'esp_proposals = aes256-sha1-modp1024,3des-md5-modp1024', +            f'local_ts = dynamic[gre]', +            f'remote_ts = dynamic[gre]', +            f'mode = transport', +            f'secret = {nhrp_secret}'          ]          tmp_swanctl_conf = read_file('/etc/swanctl/swanctl.conf') | 
