Merge pull request #4601 from aapostoliuk/T7504-current

ipsec: T7504: Added IKEv2 retransmission options

Author: dmbaturin

data/templates/ipsec/charon.j2

@@ -202,15 +202,16 @@ charon {
     # Size of the AH/ESP replay window, in packets.
     # replay_window = 32
 
-    # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
-    # in strongswan.conf(5).
-    # retransmit_base = 1.8
-
-    # Timeout in seconds before sending first retransmit.
-    # retransmit_timeout = 4.0
-
-    # Number of times to retransmit a packet before giving up.
-    # retransmit_tries = 5
+    # IKEv2 RETRANSMISSION
+{% if options.retransmission.attempts is vyos_defined %}
+    retransmit_tries = {{ options.retransmission.attempts }}
+{% endif %}
+{% if options.retransmission.base is vyos_defined %}
+    retransmit_base = {{ options.retransmission.base }}
+{% endif %}
+{% if options.retransmission.timeout is vyos_defined %}
+    retransmit_timeout = {{ options.retransmission.timeout }}
+{% endif %}
 
     # Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if
     # DNS resolution failed), 0 to disable retries.

interface-definitions/vpn_ipsec.xml.in

@@ -701,6 +701,52 @@
                   <valueless/>
                 </properties>
               </leafNode>
+              <node name="retransmission">
+                <properties>
+                  <help>IPsec retransmission settings</help>
+                </properties>
+                <children>
+                  <leafNode name="attempts">
+                    <properties>
+                      <help>Maximum number of retransmissions</help>
+                      <valueHelp>
+                        <format>u32:1-65535</format>
+                        <description>Maximum number of retransmissions</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="numeric" argument="--range 1-65535"/>
+                      </constraint>
+                    </properties>
+                    <defaultValue>5</defaultValue>
+                  </leafNode>
+                  <leafNode name="base">
+                    <properties>
+                      <help>Base of exponential backoff</help>
+                      <valueHelp>
+                        <format>&lt;1.0-5.0&gt;</format>
+                        <description>Base of exponential backoff</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="numeric" argument="--range 1-5 --float"/>
+                      </constraint>
+                    </properties>
+                    <defaultValue>1.8</defaultValue>
+                  </leafNode>
+                  <leafNode name="timeout">
+                    <properties>
+                      <help>Timeout in seconds before the first retransmission</help>
+                      <valueHelp>
+                        <format>u32:1-1000</format>
+                        <description>Timeout in seconds before the first retransmission</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="numeric" argument="--range 1-1000"/>
+                      </constraint>
+                    </properties>
+                    <defaultValue>4</defaultValue>
+                  </leafNode>
+                </children>
+              </node>
             </children>
           </node>
           <tagNode name="profile">

smoketest/scripts/cli/test_vpn_ipsec.py

@@ -16,6 +16,7 @@
 
 import os
 import unittest
+import re
 
 from base_vyostest_shim import VyOSUnitTestSHIM
 
@@ -24,6 +25,8 @@
 from vyos.utils.convert import encode_to_base64
 from vyos.utils.process import process_named_running
 from vyos.utils.file import read_file
+from vyos.xml_ref import default_value
+
 
 ethernet_path = ['interfaces', 'ethernet']
 tunnel_path = ['interfaces', 'tunnel']
@@ -107,6 +110,11 @@
 CERT_PATH   = f'{swanctl_dir}/x509/'
 CA_PATH     = f'{swanctl_dir}/x509ca/'
 
+def get_config_value(file, key):
+    tmp = read_file(file)
+    tmp = re.findall(f'\n?{key}\s+(.*)', tmp)
+    return tmp
+
 class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
     skip_process_check = False
 
@@ -1468,5 +1476,51 @@ def test_remote_access_vti(self):
 
         self.tearDownPKI()
 
+    def test_retransmission_settings(self):
+        retransmit_base = '2.2'
+        retransmit_timeout = '10'
+        retransmit_attempts = '8'
+        self.cli_set(base_path + ['options', 'retransmission', 'base', retransmit_base])
+        self.cli_set(base_path + ['options', 'retransmission', 'timeout', retransmit_timeout])
+        self.cli_set(base_path + ['options', 'retransmission', 'attempts', retransmit_attempts])
+
+        self.cli_commit()
+
+        # Verify charon configuration
+        charon_conf = read_file(charon_file)
+        charon_conf_lines = [
+            f'# IKEv2 RETRANSMISSION',
+            f'retransmit_tries = {retransmit_attempts}',
+            f'retransmit_base = {retransmit_base}',
+            f'retransmit_timeout = {retransmit_timeout}',
+        ]
+
+        for line in charon_conf_lines:
+            self.assertIn(line, charon_conf)
+
+    def test_retransmission_default_settings(self):
+        # config file to cli options correspondence
+        retransmission_options = {
+            'retransmit_base' : 'base',
+            'retransmit_timeout': 'timeout',
+            'retransmit_tries': 'attempts',
+        }
+
+        # commit changes
+        self.cli_commit()
+
+        for config_option, cli_option in retransmission_options.items():
+            # Check configured value agains CLI default value
+            config_values_list = get_config_value(charon_file,config_option + ' =')
+
+            if config_values_list:
+                config_value = config_values_list[0]
+            else:
+                config_value = None
+            cli_value = default_value(base_path + ['options', 'retransmission', cli_option])
+            self.assertEqual(config_value, cli_value)
+
+
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)