github.com/vmware/go-vcloud-director/v2@v2.24.0/govcd/nsxt_ipsec_vpn_tunnel_test.go (about) 1 //go:build network || nsxt || functional || openapi || ALL 2 3 package govcd 4 5 import ( 6 "fmt" 7 8 "github.com/vmware/go-vcloud-director/v2/types/v56" 9 . "gopkg.in/check.v1" 10 ) 11 12 func (vcd *TestVCD) Test_NsxtIpSecVpn(check *C) { 13 skipNoNsxtConfiguration(vcd, check) 14 skipOpenApiEndpointTest(vcd, check, types.OpenApiPathVersion1_0_0+types.OpenApiEndpointFirewallGroups) 15 16 org, err := vcd.client.GetOrgByName(vcd.config.VCD.Org) 17 check.Assert(err, IsNil) 18 19 nsxtVdc, err := org.GetVDCByName(vcd.config.VCD.Nsxt.Vdc, false) 20 check.Assert(err, IsNil) 21 22 edge, err := nsxtVdc.GetNsxtEdgeGatewayByName(vcd.config.VCD.Nsxt.EdgeGateway) 23 check.Assert(err, IsNil) 24 25 ipSecDef := &types.NsxtIpSecVpnTunnel{ 26 Name: check.TestName(), 27 Description: check.TestName() + "-description", 28 Enabled: true, 29 LocalEndpoint: types.NsxtIpSecVpnTunnelLocalEndpoint{ 30 LocalAddress: edge.EdgeGateway.EdgeGatewayUplinks[0].Subnets.Values[0].PrimaryIP, 31 LocalNetworks: []string{"10.10.10.0/24"}, 32 }, 33 RemoteEndpoint: types.NsxtIpSecVpnTunnelRemoteEndpoint{ 34 RemoteId: "192.168.140.1", 35 RemoteAddress: "192.168.140.1", 36 RemoteNetworks: []string{"20.20.20.0/24"}, 37 }, 38 PreSharedKey: "PSK-Sec", 39 SecurityType: "DEFAULT", 40 Logging: true, 41 } 42 43 runIpSecVpnTests(check, edge, ipSecDef) 44 45 } 46 47 func (vcd *TestVCD) Test_NsxtIpSecVpnCustomSecurityProfile(check *C) { 48 skipNoNsxtConfiguration(vcd, check) 49 skipOpenApiEndpointTest(vcd, check, types.OpenApiPathVersion1_0_0+types.OpenApiEndpointFirewallGroups) 50 51 org, err := vcd.client.GetOrgByName(vcd.config.VCD.Org) 52 check.Assert(err, IsNil) 53 54 nsxtVdc, err := org.GetVDCByName(vcd.config.VCD.Nsxt.Vdc, false) 55 check.Assert(err, IsNil) 56 57 edge, err := nsxtVdc.GetNsxtEdgeGatewayByName(vcd.config.VCD.Nsxt.EdgeGateway) 58 check.Assert(err, IsNil) 59 60 ipSecDef := &types.NsxtIpSecVpnTunnel{ 61 Name: check.TestName(), 62 Description: check.TestName() + "-description", 63 Enabled: true, 64 AuthenticationMode: types.NsxtIpSecVpnAuthenticationModePSK, // Default value even when it is unset 65 LocalEndpoint: types.NsxtIpSecVpnTunnelLocalEndpoint{ 66 LocalAddress: edge.EdgeGateway.EdgeGatewayUplinks[0].Subnets.Values[0].PrimaryIP, 67 LocalNetworks: []string{"10.10.10.0/24"}, 68 }, 69 RemoteEndpoint: types.NsxtIpSecVpnTunnelRemoteEndpoint{ 70 RemoteId: "192.168.140.1", 71 RemoteAddress: "192.168.140.1", 72 RemoteNetworks: []string{"20.20.20.0/24"}, 73 }, 74 PreSharedKey: "PSK-Sec", 75 SecurityType: "DEFAULT", 76 Logging: false, 77 } 78 79 createdIpSecVpn, err := edge.CreateIpSecVpnTunnel(ipSecDef) 80 check.Assert(err, IsNil) 81 openApiEndpoint := types.OpenApiPathVersion1_0_0 + fmt.Sprintf(types.OpenApiEndpointIpSecVpnTunnel, createdIpSecVpn.edgeGatewayId) + createdIpSecVpn.NsxtIpSecVpn.ID 82 AddToCleanupListOpenApi(createdIpSecVpn.NsxtIpSecVpn.Name, check.TestName(), openApiEndpoint) 83 84 // Customize Security Profile 85 secProfile := &types.NsxtIpSecVpnTunnelSecurityProfile{ 86 SecurityType: "CUSTOM", 87 IkeConfiguration: types.NsxtIpSecVpnTunnelProfileIkeConfiguration{ 88 IkeVersion: "IKE_V2", 89 EncryptionAlgorithms: []string{"AES_128"}, 90 DigestAlgorithms: []string{"SHA2_256"}, 91 DhGroups: []string{"GROUP14"}, 92 SaLifeTime: addrOf(86400), 93 }, 94 TunnelConfiguration: types.NsxtIpSecVpnTunnelProfileTunnelConfiguration{ 95 PerfectForwardSecrecyEnabled: true, 96 DfPolicy: "CLEAR", 97 EncryptionAlgorithms: []string{"AES_256"}, 98 DigestAlgorithms: []string{"SHA2_256"}, 99 DhGroups: []string{"GROUP14"}, 100 SaLifeTime: addrOf(3600), 101 }, 102 DpdConfiguration: types.NsxtIpSecVpnTunnelProfileDpdConfiguration{ProbeInterval: 3}, 103 } 104 setSecProfile, err := createdIpSecVpn.UpdateTunnelConnectionProperties(secProfile) 105 check.Assert(err, IsNil) 106 check.Assert(setSecProfile, DeepEquals, secProfile) 107 108 // Check if status endpoint works properly, but cannot rely on returned status as it is not immediately returned and 109 // it can hold on for a long time before available. At least validate that this function does not return error. 110 _, err = createdIpSecVpn.GetStatus() 111 check.Assert(err, IsNil) 112 113 //Latest Version 114 latestSecProfile, err := edge.GetIpSecVpnTunnelById(createdIpSecVpn.NsxtIpSecVpn.ID) 115 check.Assert(err, IsNil) 116 117 // Reset security profile to default 118 latestSecProfile.NsxtIpSecVpn.SecurityType = "DEFAULT" 119 updatedIpSecVpn, err := createdIpSecVpn.Update(latestSecProfile.NsxtIpSecVpn) 120 check.Assert(err, IsNil) 121 // All fields should be the same, except version 122 latestSecProfile.NsxtIpSecVpn.Version = updatedIpSecVpn.NsxtIpSecVpn.Version 123 check.Assert(updatedIpSecVpn.NsxtIpSecVpn, DeepEquals, latestSecProfile.NsxtIpSecVpn) 124 125 // Remove object 126 err = createdIpSecVpn.Delete() 127 check.Assert(err, IsNil) 128 } 129 130 // Test_NsxtIpSecVpnUniqueness checks that uniqueness is enforced at API level on LocalAddress+RemoteAddress by creating 131 // two IPsec VPN tunnels with different field values but the same LocalAddress and RemoteAddress without any other 132 // fields clashing. 133 func (vcd *TestVCD) Test_NsxtIpSecVpnUniqueness(check *C) { 134 skipNoNsxtConfiguration(vcd, check) 135 skipOpenApiEndpointTest(vcd, check, types.OpenApiPathVersion1_0_0+types.OpenApiEndpointFirewallGroups) 136 137 org, err := vcd.client.GetOrgByName(vcd.config.VCD.Org) 138 check.Assert(err, IsNil) 139 140 nsxtVdc, err := org.GetVDCByName(vcd.config.VCD.Nsxt.Vdc, false) 141 check.Assert(err, IsNil) 142 143 edge, err := nsxtVdc.GetNsxtEdgeGatewayByName(vcd.config.VCD.Nsxt.EdgeGateway) 144 check.Assert(err, IsNil) 145 146 ipSecDef := &types.NsxtIpSecVpnTunnel{ 147 Name: check.TestName(), 148 Description: check.TestName() + "-description", 149 Enabled: true, 150 LocalEndpoint: types.NsxtIpSecVpnTunnelLocalEndpoint{ 151 LocalAddress: edge.EdgeGateway.EdgeGatewayUplinks[0].Subnets.Values[0].PrimaryIP, 152 LocalNetworks: []string{"10.10.10.0/24"}, 153 }, 154 RemoteEndpoint: types.NsxtIpSecVpnTunnelRemoteEndpoint{ 155 RemoteId: "192.168.170.1", 156 RemoteAddress: "192.168.170.1", 157 RemoteNetworks: []string{"20.20.20.0/24"}, 158 }, 159 PreSharedKey: "PSK-Sec", 160 SecurityType: "DEFAULT", 161 Logging: true, 162 } 163 164 // Create first IPsec VPN Tunnel 165 createdIpSecVpn, err := edge.CreateIpSecVpnTunnel(ipSecDef) 166 check.Assert(err, IsNil) 167 openApiEndpoint := types.OpenApiPathVersion1_0_0 + fmt.Sprintf(types.OpenApiEndpointIpSecVpnTunnel, createdIpSecVpn.edgeGatewayId) + createdIpSecVpn.NsxtIpSecVpn.ID 168 AddToCleanupListOpenApi(createdIpSecVpn.NsxtIpSecVpn.Name, check.TestName(), openApiEndpoint) 169 170 // Try to create second IPsec VPN Tunnel with the same localAddress and RemoteAddress and expect an error 171 ipSecDef2 := &types.NsxtIpSecVpnTunnel{ 172 Name: check.TestName() + "2", 173 Description: check.TestName() + "-description2", 174 Enabled: true, 175 LocalEndpoint: types.NsxtIpSecVpnTunnelLocalEndpoint{ 176 LocalAddress: edge.EdgeGateway.EdgeGatewayUplinks[0].Subnets.Values[0].PrimaryIP, 177 LocalNetworks: []string{"40.10.10.0/24"}, 178 }, 179 RemoteEndpoint: types.NsxtIpSecVpnTunnelRemoteEndpoint{ 180 RemoteId: "192.168.170.1", 181 RemoteAddress: "192.168.170.1", 182 RemoteNetworks: []string{"50.20.20.0/24"}, 183 }, 184 PreSharedKey: "PSK-Sec", 185 SecurityType: "DEFAULT", 186 Logging: true, 187 } 188 189 // Ensure that the IsEqual matches those definitions as equal ones 190 check.Assert(createdIpSecVpn.IsEqualTo(ipSecDef2), Equals, true) 191 192 createdIpSecVpn2, err := edge.CreateIpSecVpnTunnel(ipSecDef2) 193 check.Assert(err.Error(), Matches, ".*IPSec VPN Tunnel with local address .* and remote address .* is already in use.*") 194 check.Assert(createdIpSecVpn2, IsNil) 195 196 // Removing the first IPsec VPN tunnel 197 err = createdIpSecVpn.Delete() 198 check.Assert(err, IsNil) 199 } 200 201 func runIpSecVpnTests(check *C, edge *NsxtEdgeGateway, ipSecDef *types.NsxtIpSecVpnTunnel) { 202 createdIpSecVpn, err := edge.CreateIpSecVpnTunnel(ipSecDef) 203 check.Assert(err, IsNil) 204 openApiEndpoint := types.OpenApiPathVersion1_0_0 + fmt.Sprintf(types.OpenApiEndpointIpSecVpnTunnel, createdIpSecVpn.edgeGatewayId) + createdIpSecVpn.NsxtIpSecVpn.ID 205 AddToCleanupListOpenApi(createdIpSecVpn.NsxtIpSecVpn.Name, check.TestName(), openApiEndpoint) 206 207 foundIpSecVpnById, err := edge.GetIpSecVpnTunnelById(createdIpSecVpn.NsxtIpSecVpn.ID) 208 check.Assert(err, IsNil) 209 check.Assert(foundIpSecVpnById.NsxtIpSecVpn, DeepEquals, createdIpSecVpn.NsxtIpSecVpn) 210 211 foundIpSecVpnByName, err := edge.GetIpSecVpnTunnelByName(createdIpSecVpn.NsxtIpSecVpn.Name) 212 check.Assert(err, IsNil) 213 check.Assert(foundIpSecVpnByName.NsxtIpSecVpn, DeepEquals, createdIpSecVpn.NsxtIpSecVpn) 214 check.Assert(foundIpSecVpnByName.NsxtIpSecVpn, DeepEquals, foundIpSecVpnById.NsxtIpSecVpn) 215 216 check.Assert(createdIpSecVpn.NsxtIpSecVpn.ID, Not(Equals), "") 217 218 ipSecDef.Name = check.TestName() + "-updated" 219 ipSecDef.RemoteEndpoint.RemoteAddress = "192.168.40.1" 220 ipSecDef.ID = createdIpSecVpn.NsxtIpSecVpn.ID 221 222 updatedIpSecVpn, err := createdIpSecVpn.Update(ipSecDef) 223 check.Assert(err, IsNil) 224 check.Assert(updatedIpSecVpn.NsxtIpSecVpn.Name, Equals, ipSecDef.Name) 225 check.Assert(updatedIpSecVpn.NsxtIpSecVpn.ID, Equals, ipSecDef.ID) 226 check.Assert(updatedIpSecVpn.NsxtIpSecVpn.RemoteEndpoint.RemoteAddress, Equals, ipSecDef.RemoteEndpoint.RemoteAddress) 227 228 err = createdIpSecVpn.Delete() 229 check.Assert(err, IsNil) 230 231 // Ensure rule does not exist in the list 232 allVpnConfigs, err := edge.GetAllIpSecVpnTunnels(nil) 233 check.Assert(err, IsNil) 234 for _, vpnConfig := range allVpnConfigs { 235 check.Assert(vpnConfig.IsEqualTo(updatedIpSecVpn.NsxtIpSecVpn), Equals, false) 236 } 237 } 238 239 func (vcd *TestVCD) Test_NsxtIpSecVpnCertificateAuth(check *C) { 240 skipNoNsxtConfiguration(vcd, check) 241 skipOpenApiEndpointTest(vcd, check, types.OpenApiPathVersion1_0_0+types.OpenApiEndpointFirewallGroups) 242 vcd.skipIfNotSysAdmin(check) 243 244 org, err := vcd.client.GetOrgByName(vcd.config.VCD.Org) 245 check.Assert(err, IsNil) 246 247 adminOrg, err := vcd.client.GetAdminOrgByName(vcd.config.VCD.Org) 248 check.Assert(err, IsNil) 249 250 nsxtVdc, err := org.GetVDCByName(vcd.config.VCD.Nsxt.Vdc, false) 251 check.Assert(err, IsNil) 252 253 edge, err := nsxtVdc.GetNsxtEdgeGatewayByName(vcd.config.VCD.Nsxt.EdgeGateway) 254 check.Assert(err, IsNil) 255 256 // Upload Certificates to use in the test 257 aliasForPrivateKey := check.TestName() + "cert-with-private-key" 258 privateKeyPassphrase := "test" 259 certificateWithPrivateKeyConfig := &types.CertificateLibraryItem{ 260 Alias: aliasForPrivateKey, 261 Certificate: certificate, 262 PrivateKey: privateKey, 263 PrivateKeyPassphrase: privateKeyPassphrase, 264 } 265 266 certWithKey, err := adminOrg.AddCertificateToLibrary(certificateWithPrivateKeyConfig) 267 check.Assert(err, IsNil) 268 openApiEndpoint, err := getEndpointByVersion(&vcd.client.Client) 269 check.Assert(err, IsNil) 270 check.Assert(openApiEndpoint, NotNil) 271 PrependToCleanupListOpenApi(certWithKey.CertificateLibrary.Alias, check.TestName(), 272 openApiEndpoint+certWithKey.CertificateLibrary.Id) 273 274 // Upload CA Certificate to use in the test 275 aliasForCaCertificate := check.TestName() + "ca-certificate" 276 caCertificateConfig := &types.CertificateLibraryItem{ 277 Alias: aliasForCaCertificate, 278 Certificate: rootCaCertificate, 279 } 280 281 caCert, err := adminOrg.AddCertificateToLibrary(caCertificateConfig) 282 check.Assert(err, IsNil) 283 PrependToCleanupListOpenApi(caCert.CertificateLibrary.Alias, check.TestName(), 284 openApiEndpoint+caCert.CertificateLibrary.Id) 285 286 // Create IPSec VPN configuration with certificate authentication mode 287 ipSecDef := &types.NsxtIpSecVpnTunnel{ 288 Name: check.TestName(), 289 Description: check.TestName() + "-description", 290 Enabled: true, 291 AuthenticationMode: types.NsxtIpSecVpnAuthenticationModeCertificate, 292 CertificateRef: &types.OpenApiReference{ 293 ID: certWithKey.CertificateLibrary.Id, 294 }, 295 CaCertificateRef: &types.OpenApiReference{ 296 ID: caCert.CertificateLibrary.Id, 297 }, 298 299 LocalEndpoint: types.NsxtIpSecVpnTunnelLocalEndpoint{ 300 LocalAddress: edge.EdgeGateway.EdgeGatewayUplinks[0].Subnets.Values[0].PrimaryIP, 301 LocalNetworks: []string{"10.10.10.0/24"}, 302 }, 303 RemoteEndpoint: types.NsxtIpSecVpnTunnelRemoteEndpoint{ 304 RemoteId: "custom-remote-id", 305 RemoteAddress: "192.168.140.1", 306 RemoteNetworks: []string{"20.20.20.0/24"}, 307 }, 308 SecurityType: "DEFAULT", 309 Logging: true, 310 } 311 312 runIpSecVpnTests(check, edge, ipSecDef) 313 314 // cleanup uploaded certificates 315 err = certWithKey.Delete() 316 check.Assert(err, IsNil) 317 err = caCert.Delete() 318 check.Assert(err, IsNil) 319 }