Diffstat (limited to 'smoketest/scripts/cli/test_vpn_ipsec.py')
-rwxr-xr-xsmoketest/scripts/cli/test_vpn_ipsec.py41
1 files changed, 30 insertions, 11 deletions
diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py
index a34387dc9..93569c4ec 100755
--- a/smoketest/scripts/cli/test_vpn_ipsec.py
+++ b/smoketest/scripts/cli/test_vpn_ipsec.py
@@ -126,9 +126,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
self.assertTrue(process_named_running('charon'))
self.cli_delete(base_path)
- self.cli_delete(nhrp_path)
self.cli_delete(tunnel_path)
- self.cli_delete(vti_path)
self.cli_delete(ethernet_path)
self.cli_commit()
@@ -182,8 +180,10 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
swanctl_conf_lines = [
f'version = 2',
f'auth = psk',
+ f'rekey_time = 28800s', # default value
f'proposals = aes128-sha1-modp1024',
f'esp_proposals = aes128-sha1-modp1024',
+ f'life_time = 3600s', # default value
f'local_addrs = {local_address} # dhcp:no',
f'remote_addrs = {peer_ip}',
f'mode = tunnel',
@@ -226,6 +226,11 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
swanctl_conf = read_file(swanctl_file)
+ if_id = vti.lstrip('vti')
+ # The key defaults to 0 and will match any policies which similarly do
+ # not have a lookup key configuration - thus we shift the key by one
+ # to also support a vti0 interface
+ if_id = str(int(if_id) +1)
swanctl_conf_lines = [
f'version = 2',
f'auth = psk',
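Review bot: `if_id = vti.lstrip('vti')` on the first added line strips any leading run of the characters v, t and i rather than the prefix "vti", so it only yields the interface number because digits happen not to be in that character set; `if_id = str(int(vti.removeprefix('vti')) + 1)` (or `vti[len('vti'):]` where the code must run below Python 3.9) states the intent and also fixes the `+1` spacing. The same construction is repeated verbatim in the hunk at `@@ -341,6 +352,11 @@`; a small module-level helper such as `def vti_if_id(vti): return str(int(vti.removeprefix('vti')) + 1)` would keep the two call sites and their explanatory comment in one place. The enclosing test method starts before this hunk.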
@@ -236,9 +241,9 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
f'mode = tunnel',
f'local_ts = 172.16.10.0/24,172.16.11.0/24',
f'remote_ts = 172.17.10.0/24,172.17.11.0/24',
- f'if_id_in = {vti.lstrip("vti")}', # will be 10 for vti10
- f'if_id_out = {vti.lstrip("vti")}',
- f'updown = "/etc/ipsec.d/vti-up-down {vti} no"'
+ f'if_id_in = {if_id}', # will be 11 for vti10 - shifted by one
+ f'if_id_out = {if_id}',
+ f'updown = "/etc/ipsec.d/vti-up-down {vti}"'
]
for line in swanctl_conf_lines:
self.assertIn(line, swanctl_conf)
@@ -255,6 +260,8 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
def test_04_dmvpn(self):
tunnel_if = 'tun100'
nhrp_secret = 'secret'
+ ike_lifetime = '3600'
+ esp_lifetime = '1800'
# Tunnel
self.cli_set(tunnel_path + [tunnel_if, 'address', '172.16.253.134/29'])
@@ -272,7 +279,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
# IKE/ESP Groups
self.cli_set(base_path + ['esp-group', esp_group, 'compression', 'disable'])
- self.cli_set(base_path + ['esp-group', esp_group, 'lifetime', '1800'])
+ self.cli_set(base_path + ['esp-group', esp_group, 'lifetime', esp_lifetime])
self.cli_set(base_path + ['esp-group', esp_group, 'mode', 'transport'])
self.cli_set(base_path + ['esp-group', esp_group, 'pfs', 'dh-group2'])
self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '2', 'encryption', 'aes256'])
@@ -282,7 +289,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
self.cli_set(base_path + ['ike-group', ike_group, 'ikev2-reauth', 'no'])
self.cli_set(base_path + ['ike-group', ike_group, 'key-exchange', 'ikev1'])
- self.cli_set(base_path + ['ike-group', ike_group, 'lifetime', '3600'])
+ self.cli_set(base_path + ['ike-group', ike_group, 'lifetime', ike_lifetime])
self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'dh-group', '2'])
self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'encryption', 'aes256'])
self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'hash', 'sha1'])
@@ -300,7 +307,8 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
swanctl_lines = [
f'proposals = aes128-sha1-modp1024,aes256-sha1-modp1024',
f'version = 1',
- f'rekey_time = 3600s',
+ f'life_time = {ike_lifetime}s',
+ f'rekey_time = {esp_lifetime}s',
f'esp_proposals = aes128-sha1-modp1024,aes256-sha1-modp1024,3des-md5-modp1024',
f'local_ts = dynamic[gre]',
f'remote_ts = dynamic[gre]',
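Review bot: The pairing on the two added lines, `life_time = {ike_lifetime}s` and `rekey_time = {esp_lifetime}s`, is the reverse of what the hunk at `@@ -182,8 +180,10 @@` asserts for the defaults, where `rekey_time = 28800s` and `life_time = 3600s` are presumably the IKE and ESP defaults respectively; unless the template deliberately derives both keys from swapped sources, one of the two hunks asserts the wrong mapping. Because `assertIn` scans the whole swanctl.conf as a single string, the check cannot tell whether a `rekey_time` line came from the IKE section or from a child section, so a mis-mapped lifetime passes as long as the number appears anywhere. Consider asserting a section-scoped fragment (the child block name followed by its `life_time` line) or at least annotating each key with the section it is expected in, `# IKE SA` / `# CHILD SA`, so the expectation can be checked against the template. The enclosing test_04_dmvpn starts before this hunk.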
@@ -310,6 +318,9 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
for line in swanctl_lines:
self.assertIn(line, swanctl_conf)
+ # There is only one NHRP test so no need to delete this globally in tearDown()
+ self.cli_delete(nhrp_path)
+
def test_05_x509_site2site(self):
# Enable PKI
peer_name = 'peer1'
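Review bot: The `self.cli_delete(nhrp_path)` added after the assertion loop only executes when every preceding `assertIn` passes; on a failing assertion the NHRP configuration stays in the session and, since the first hunk removed the matching delete from tearDown, can leak into the following test and mask or cause unrelated failures. Registering the cleanup where the path is configured, `self.addCleanup(self.cli_delete, nhrp_path)`, makes it run regardless of the test outcome without reintroducing the unconditional delete in tearDown. The same applies to the `self.cli_delete(vti_path)` added in the last hunk of the file. The enclosing test_04_dmvpn starts before this hunk.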
@@ -341,6 +352,11 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
swanctl_conf = read_file(swanctl_file)
tmp = peer_ip.replace('.', '-')
+ if_id = vti.lstrip('vti')
+ # The key defaults to 0 and will match any policies which similarly do
+ # not have a lookup key configuration - thus we shift the key by one
+ # to also support a vti0 interface
+ if_id = str(int(if_id) +1)
swanctl_lines = [
f'peer_{tmp}',
f'version = 0', # key-exchange not set - defaulting to 0 for ikev1 and ikev2
@@ -356,9 +372,9 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
f'remote_addrs = {peer_ip}',
f'local_ts = 0.0.0.0/0,::/0',
f'remote_ts = 0.0.0.0/0,::/0',
- f'updown = "/etc/ipsec.d/vti-up-down {vti} no"',
- f'if_id_in = {vti.lstrip("vti")}', # will be 10 for vti10
- f'if_id_out = {vti.lstrip("vti")}',
+ f'updown = "/etc/ipsec.d/vti-up-down {vti}"',
+ f'if_id_in = {if_id}', # will be 11 for vti10
+ f'if_id_out = {if_id}',
f'ipcomp = no',
f'mode = tunnel',
f'start_action = start',
@@ -373,5 +389,8 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
for line in swanctl_secrets_lines:
self.assertIn(line, swanctl_conf)
+ # There is only one VTI test so no need to delete this globally in tearDown()
+ self.cli_delete(vti_path)
+
if __name__ == '__main__':
unittest.main(verbosity=2)