Summary
The E2E VPN connectivity tests (PR #14914) currently validate IPsec certificates, service status, and port reachability, but don't establish an actual IPsec tunnel from the test namespace. This is a follow-up enhancement to add true tunnel connectivity testing.
Current IPsec Tests
- ✅ Certificate chain validation
- ✅ IPsec service running check
- ✅ Port reachability (UDP 500, 4500)
- ✅ DNS service responding
- ❌ Actual IKEv2 tunnel establishment
- ❌ Traffic through IPsec tunnel
Why This Is Complex
Running StrongSwan's charon daemon in a network namespace requires:
- Daemon setup: charon must run inside the namespace with proper plugin paths
- VICI socket: swanctl talks to charon over the VICI socket, which is a Unix socket in the filesystem rather than in the network namespace; a charon started inside the namespace therefore needs its own socket path (and swanctl must be pointed at it) or it will collide with a charon already running on the host
- AppArmor handling: May need to adjust AppArmor profiles for charon in namespace
- Plugin loading: Many StrongSwan plugins with library dependencies
- Certificate paths: Must be accessible from namespace context
Proposed Implementation
```bash
# Start charon in namespace with custom paths
ip netns exec "${NAMESPACE}" /usr/lib/ipsec/charon \
  --use-syslog --debug-ike 2 &

# Load credentials
ip netns exec "${NAMESPACE}" swanctl --load-all --file swanctl.conf

# Initiate connection
ip netns exec "${NAMESPACE}" swanctl --initiate --child algovpn

# Verify ESTABLISHED state
ip netns exec "${NAMESPACE}" swanctl --list-sas | grep -q ESTABLISHED

# Test connectivity through tunnel
ip netns exec "${NAMESPACE}" ping -c 3 "${VPN_SERVER_IP}"
```

Acceptance Criteria
- charon daemon starts successfully in namespace
- IKEv2 handshake completes (ESTABLISHED state)
- Traffic flows through IPsec tunnel
- Proper cleanup of charon process on test exit
- Works in GitHub Actions CI environment
References
- Parent issue: Add true end-to-end VPN connectivity tests using network namespaces #14912
- Implementation PR: Add end-to-end VPN connectivity tests using network namespaces #14914
- StrongSwan namespace docs: https://wiki.strongswan.org/projects/strongswan/wiki/Netns
Priority
Low - Current certificate and service validation catches most deployment issues. Full tunnel testing is a nice-to-have for comprehensive coverage.