
Add full IPsec tunnel connectivity test to E2E suite #14915

@dguido

Summary

The E2E VPN connectivity tests (PR #14914) currently validate IPsec certificates, service status, and port reachability, but don't establish an actual IPsec tunnel from the test namespace. This is a follow-up enhancement to add true tunnel connectivity testing.

Current IPsec Tests

  • ✅ Certificate chain validation
  • ✅ IPsec service running check
  • ✅ Port reachability (UDP 500, 4500)
  • ✅ DNS service responding
  • ❌ Actual IKEv2 tunnel establishment
  • ❌ Traffic through IPsec tunnel

Why This Is Complex

Running StrongSwan's charon daemon in a network namespace requires:

  1. Daemon setup: charon must run inside the namespace with proper plugin paths
  2. VICI socket: swanctl communicates with charon via VICI socket
  3. AppArmor handling: May need to adjust AppArmor profiles for charon in namespace
  4. Plugin loading: Many StrongSwan plugins with library dependencies
  5. Certificate paths: Must be accessible from namespace context

Proposed Implementation

# Start charon in namespace with custom paths
ip netns exec "${NAMESPACE}" /usr/lib/ipsec/charon \
    --use-syslog --debug-ike 2 &
CHARON_PID=$!
# Make sure the daemon is killed however the test ends
trap 'kill "${CHARON_PID}" 2>/dev/null' EXIT

# Give charon time to create its VICI socket (default path) before calling swanctl
for _ in $(seq 1 50); do [ -S /var/run/charon.vici ] && break; sleep 0.2; done

# Load credentials
ip netns exec "${NAMESPACE}" swanctl --load-all --file swanctl.conf

# Initiate connection
ip netns exec "${NAMESPACE}" swanctl --initiate --child algovpn

# Verify ESTABLISHED state
ip netns exec "${NAMESPACE}" swanctl --list-sas | grep -q ESTABLISHED

# Test connectivity through tunnel
ip netns exec "${NAMESPACE}" ping -c 3 "${VPN_SERVER_IP}"

Acceptance Criteria

  • charon daemon starts successfully in namespace
  • IKEv2 handshake completes (ESTABLISHED state)
  • Traffic flows through IPsec tunnel
  • Proper cleanup of charon process on test exit
  • Works in GitHub Actions CI environment

References

Priority

Low - Current certificate and service validation catches most deployment issues. Full tunnel testing is a nice-to-have for comprehensive coverage.
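An added example, not code from the issue or the project's E2E suite, covering the pieces the proposed snippet leaves implicit: waiting for the VICI socket before the first swanctl call, checking the CHILD_SA as well as the IKE_SA (a bare grep -q ESTABLISHED matches the IKE_SA line and passes even when no CHILD_SA was installed, so traffic would not flow), and killing charon on exit. The VICI socket path, the SA names and the two swanctl --list-sas samples are assumptions or constructed data, marked as such in the comments.

```shell
#!/usr/bin/env bash
# Added example (not from the issue or the project's E2E suite): helpers for
# driving an IKEv2 tunnel test with swanctl inside a network namespace.
# Assumptions (mine, not the issue's): charon's VICI socket lives at the
# strongSwan default /var/run/charon.vici, and the IKE_SA and CHILD_SA are
# both named "algovpn" as in the issue's swanctl --initiate call.
set -u

# Block until charon has created its VICI socket, so swanctl does not race
# the daemon it was just started behind with "&". $1 = socket path,
# $2 = seconds to wait (default 10). Returns 1 on timeout.
wait_for_vici() {
  local sock="$1" deadline
  deadline=$(( $(date +%s) + ${2:-10} ))
  while [ ! -S "$sock" ]; do
    [ "$(date +%s)" -lt "$deadline" ] || return 1
    sleep 0.2
  done
}

# Read `swanctl --list-sas` output on stdin and succeed only when the IKE_SA
# named $1 is ESTABLISHED *and* a CHILD_SA named $2 under it is INSTALLED.
# A bare `grep -q ESTABLISHED` passes as soon as IKE_AUTH completes, even
# when no CHILD_SA was installed (e.g. a traffic-selector mismatch), so the
# "traffic flows through the tunnel" criterion needs the second check.
tunnel_up() {
  local ike="$1" child="$2" line ike_ok=0 child_ok=0
  while IFS= read -r line; do
    case "$line" in
      # IKE_SA lines are unindented: "<name>: #<id>, ESTABLISHED, IKEv2, ..."
      "$ike: #"*", ESTABLISHED,"*) ike_ok=1 ;;
      # CHILD_SA lines are indented: "  <name>: #<id>, reqid N, INSTALLED, ..."
      *"$child: #"*", INSTALLED,"*) if [ "$ike_ok" -eq 1 ]; then child_ok=1; fi ;;
    esac
  done
  [ "$ike_ok" -eq 1 ] && [ "$child_ok" -eq 1 ]
}

# Constructed sample of `swanctl --list-sas` after a successful negotiation
# (shape of real output, values made up; 203.0.113.1 is a documentation address).
sample_sas_full() {
  cat <<'EOF'
algovpn: #1, ESTABLISHED, IKEv2, 1a2b3c4d5e6f7a8b_i* 9c0d1e2f3a4b5c6d_r
  local  'client' @ 10.0.0.2[4500]
  remote 'server' @ 203.0.113.1[4500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 5s ago, rekeying in 13873s
  algovpn: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256
    installed 5s ago, rekeying in 3202s, expires in 3895s
    in  c1234567,      0 bytes,     0 packets
    out c89abcde,      0 bytes,     0 packets
    local  10.0.0.2/32
    remote 0.0.0.0/0
EOF
}

# Constructed sample where IKE_AUTH succeeded but no CHILD_SA was installed:
# the naive grep reports success here, tunnel_up does not.
sample_sas_no_child() {
  cat <<'EOF'
algovpn: #2, ESTABLISHED, IKEv2, 0f1e2d3c4b5a6978_i* 8796a5b4c3d2e1f0_r
  local  'client' @ 10.0.0.2[4500]
  remote 'server' @ 203.0.113.1[4500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 2s ago, rekeying in 14100s
EOF
}

# The full flow as it would be wired into the E2E test. Needs root, the
# namespace and a swanctl.conf, so it is not exercised by the checks above.
# $1 = namespace, $2 = swanctl.conf path, $3 = VPN server IP, $4 = VICI socket.
run_tunnel_test() {
  local ns="$1" conf="$2" server="$3" vici="${4:-/var/run/charon.vici}" charon_pid
  ip netns exec "$ns" /usr/lib/ipsec/charon --use-syslog --debug-ike 2 &
  charon_pid=$!
  # Acceptance criterion "proper cleanup": kill charon however the test ends.
  # Double quotes so the pid is baked in now, before the local goes out of scope.
  trap "kill $charon_pid 2>/dev/null; wait $charon_pid 2>/dev/null" EXIT
  wait_for_vici "$vici" 10 || { echo "charon never created $vici" >&2; return 1; }
  ip netns exec "$ns" swanctl --load-all --file "$conf" || return 1
  ip netns exec "$ns" swanctl --initiate --child algovpn --timeout 30 || return 1
  ip netns exec "$ns" swanctl --list-sas | tunnel_up algovpn algovpn || return 1
  ip netns exec "$ns" ping -c 3 -W 2 "$server"
}
```

The parsing helpers run anywhere; only run_tunnel_test needs charon, root and the namespace, e.g. `run_tunnel_test "$NAMESPACE" swanctl.conf "$VPN_SERVER_IP"`. If the test harness uses a mount namespace or a non-default piddir, pass the real socket path as the fourth argument.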
