Code Review / vpp.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | inline | side by side
hs-test: improve get stats
[vpp.git] / test / test_wireguard.py
diff --git a/test/test_wireguard.py b/test/test_wireguard.py
index 6da112a..e63508a 100644 (file)
--- a/test/test_wireguard.py
+++ b/test/test_wireguard.py
@@ -11,6 +11,7 @@ from scapy.packet import Raw
 from scapy.layers.l2 import Ether, ARP
 from scapy.layers.inet import IP, UDP
 from scapy.layers.inet6 import IPv6
 from scapy.layers.l2 import Ether, ARP
 from scapy.layers.inet import IP, UDP
 from scapy.layers.inet6 import IPv6
+from scapy.layers.vxlan import VXLAN
 from scapy.contrib.wireguard import (
     Wireguard,
     WireguardResponse,
 from scapy.contrib.wireguard import (
     Wireguard,
     WireguardResponse,
@@ -38,11 +39,13 @@ from Crypto.Random import get_random_bytes
 
 from vpp_ipip_tun_interface import VppIpIpTunInterface
 from vpp_interface import VppInterface
 
 from vpp_ipip_tun_interface import VppIpIpTunInterface
 from vpp_interface import VppInterface
+from vpp_pg_interface import is_ipv6_misc
 from vpp_ip_route import VppIpRoute, VppRoutePath
 from vpp_ip_route import VppIpRoute, VppRoutePath
+from vpp_l2 import VppBridgeDomain, VppBridgeDomainPort
+from vpp_vxlan_tunnel import VppVxlanTunnel
 from vpp_object import VppObject
 from vpp_papi import VppEnum
 from vpp_object import VppObject
 from vpp_papi import VppEnum
-from framework import tag_fixme_ubuntu2204, tag_fixme_debian11
-from framework import is_distro_ubuntu2204, is_distro_debian11
+from framework import is_distro_ubuntu2204, is_distro_debian11, tag_fixme_vpp_debug
 from framework import VppTestCase
 from re import compile
 import unittest
 from framework import VppTestCase
 from re import compile
 import unittest
@@ -147,6 +150,8 @@ UNDER_LOAD_INTERVAL = 1.0
 HANDSHAKE_NUM_PER_PEER_UNTIL_UNDER_LOAD = 40
 HANDSHAKE_NUM_BEFORE_RATELIMITING = 5
 
 HANDSHAKE_NUM_PER_PEER_UNTIL_UNDER_LOAD = 40
 HANDSHAKE_NUM_BEFORE_RATELIMITING = 5
 
+HANDSHAKE_JITTER = 0.5
+
 
 class VppWgPeer(VppObject):
     def __init__(self, test, itf, endpoint, port, allowed_ips, persistent_keepalive=15):
 
 class VppWgPeer(VppObject):
     def __init__(self, test, itf, endpoint, port, allowed_ips, persistent_keepalive=15):
@@ -173,7 +178,7 @@ class VppWgPeer(VppObject):
         self.endpoint = endpoint
         self.port = port
 
         self.endpoint = endpoint
         self.port = port
 
-    def add_vpp_config(self, is_ip6=False):
+    def add_vpp_config(self):
         rv = self._test.vapi.wireguard_peer_add(
             peer={
                 "public_key": self.public_key_bytes(),
         rv = self._test.vapi.wireguard_peer_add(
             peer={
                 "public_key": self.public_key_bytes(),
@@ -375,12 +380,13 @@ class VppWgPeer(VppObject):
         if is_ip6 is False:
             self._test.assertEqual(p[IP].src, self.itf.src)
             self._test.assertEqual(p[IP].dst, self.endpoint)
         if is_ip6 is False:
             self._test.assertEqual(p[IP].src, self.itf.src)
             self._test.assertEqual(p[IP].dst, self.endpoint)
+            self._test.assert_packet_checksums_valid(p)
         else:
             self._test.assertEqual(p[IPv6].src, self.itf.src)
             self._test.assertEqual(p[IPv6].dst, self.endpoint)
         else:
             self._test.assertEqual(p[IPv6].src, self.itf.src)
             self._test.assertEqual(p[IPv6].dst, self.endpoint)
+            self._test.assert_packet_checksums_valid(p, False)
         self._test.assertEqual(p[UDP].sport, self.itf.port)
         self._test.assertEqual(p[UDP].dport, self.port)
         self._test.assertEqual(p[UDP].sport, self.itf.port)
         self._test.assertEqual(p[UDP].dport, self.port)
-        self._test.assert_packet_checksums_valid(p)
 
     def consume_init(self, p, tx_itf, is_ip6=False, is_mac2=False):
         self.noise.set_as_responder()
 
     def consume_init(self, p, tx_itf, is_ip6=False, is_mac2=False):
         self.noise.set_as_responder()
@@ -466,20 +472,22 @@ class VppWgPeer(VppObject):
     def encrypt_transport(self, p):
         return self.noise.encrypt(bytes(p))
 
     def encrypt_transport(self, p):
         return self.noise.encrypt(bytes(p))
 
-    def validate_encapped(self, rxs, tx, is_ip6=False):
+    def validate_encapped(self, rxs, tx, is_tunnel_ip6=False, is_transport_ip6=False):
+        ret_rxs = []
         for rx in rxs:
         for rx in rxs:
-            if is_ip6 is False:
-                rx = IP(self.decrypt_transport(rx, is_ip6=is_ip6))
-
+            rx = self.decrypt_transport(rx, is_tunnel_ip6)
+            if is_transport_ip6 is False:
+                rx = IP(rx)
                 # check the original packet is present
                 self._test.assertEqual(rx[IP].dst, tx[IP].dst)
                 self._test.assertEqual(rx[IP].ttl, tx[IP].ttl - 1)
             else:
                 # check the original packet is present
                 self._test.assertEqual(rx[IP].dst, tx[IP].dst)
                 self._test.assertEqual(rx[IP].ttl, tx[IP].ttl - 1)
             else:
-                rx = IPv6(self.decrypt_transport(rx, is_ip6=is_ip6))
-
+                rx = IPv6(rx)
                 # check the original packet is present
                 self._test.assertEqual(rx[IPv6].dst, tx[IPv6].dst)
                 self._test.assertEqual(rx[IPv6].hlim, tx[IPv6].hlim - 1)
                 # check the original packet is present
                 self._test.assertEqual(rx[IPv6].dst, tx[IPv6].dst)
                 self._test.assertEqual(rx[IPv6].hlim, tx[IPv6].hlim - 1)
+            ret_rxs.append(rx)
+        return ret_rxs
 
     def want_events(self):
         self._test.vapi.want_wireguard_peer_events(
 
     def want_events(self):
         self._test.vapi.want_wireguard_peer_events(
@@ -495,8 +503,12 @@ class VppWgPeer(VppObject):
         self._test.assertEqual(rv.peer_index, self.index)
 
 
         self._test.assertEqual(rv.peer_index, self.index)
 
 
-@tag_fixme_ubuntu2204
-@tag_fixme_debian11
+def is_handshake_init(p):
+    wg_p = Wireguard(p[Raw])
+
+    return wg_p[Wireguard].message_type == 1
+
+
 class TestWg(VppTestCase):
     """Wireguard Test Case"""
 
 class TestWg(VppTestCase):
     """Wireguard Test Case"""
 
@@ -566,6 +578,25 @@ class TestWg(VppTestCase):
             self.ratelimited6_err
         )
 
             self.ratelimited6_err
         )
 
+    def send_and_assert_no_replies_ignoring_init(
+        self, intf, pkts, remark="", timeout=None
+    ):
+        self.pg_send(intf, pkts)
+
+        def _filter_out_fn(p):
+            return is_ipv6_misc(p) or is_handshake_init(p)
+
+        try:
+            if not timeout:
+                timeout = 1
+            for i in self.pg_interfaces:
+                i.assert_nothing_captured(
+                    timeout=timeout, remark=remark, filter_out_fn=_filter_out_fn
+                )
+                timeout = 0.1
+        finally:
+            pass
+
     def test_wg_interface(self):
         """Simple interface creation"""
         port = 12312
     def test_wg_interface(self):
         """Simple interface creation"""
         port = 12312
@@ -649,6 +680,9 @@ class TestWg(VppTestCase):
         self.assertEqual(len(self.vapi.wireguard_peers_dump()), 1)
 
         if is_resp:
         self.assertEqual(len(self.vapi.wireguard_peers_dump()), 1)
 
         if is_resp:
+            # skip the first automatic handshake
+            self.pg1.get_capture(1, timeout=HANDSHAKE_JITTER)
+
             # prepare and send a handshake initiation
             # expect the peer to send a handshake response
             init = peer_1.mk_handshake(self.pg1, is_ip6=is_ip6)
             # prepare and send a handshake initiation
             # expect the peer to send a handshake response
             init = peer_1.mk_handshake(self.pg1, is_ip6=is_ip6)
@@ -741,6 +775,9 @@ class TestWg(VppTestCase):
             # reset noise to be able to turn into initiator later
             peer_1.noise_reset()
         else:
             # reset noise to be able to turn into initiator later
             peer_1.noise_reset()
         else:
+            # skip the first automatic handshake
+            self.pg1.get_capture(1, timeout=HANDSHAKE_JITTER)
+
             # prepare and send a bunch of handshake initiations
             # expect to switch to under load state
             init = peer_1.mk_handshake(self.pg1, is_ip6=is_ip6)
             # prepare and send a bunch of handshake initiations
             # expect to switch to under load state
             init = peer_1.mk_handshake(self.pg1, is_ip6=is_ip6)
@@ -806,6 +843,9 @@ class TestWg(VppTestCase):
         ).add_vpp_config()
         self.assertEqual(len(self.vapi.wireguard_peers_dump()), 1)
 
         ).add_vpp_config()
         self.assertEqual(len(self.vapi.wireguard_peers_dump()), 1)
 
+        # skip the first automatic handshake
+        self.pg1.get_capture(1, timeout=HANDSHAKE_JITTER)
+
         # prepare and send a bunch of handshake initiations
         # expect to switch to under load state
         init = peer_1.mk_handshake(self.pg1)
         # prepare and send a bunch of handshake initiations
         # expect to switch to under load state
         init = peer_1.mk_handshake(self.pg1)
@@ -870,6 +910,9 @@ class TestWg(VppTestCase):
             ).add_vpp_config()
         self.assertEqual(len(self.vapi.wireguard_peers_dump()), 1)
 
             ).add_vpp_config()
         self.assertEqual(len(self.vapi.wireguard_peers_dump()), 1)
 
+        # skip the first automatic handshake
+        self.pg1.get_capture(1, timeout=HANDSHAKE_JITTER)
+
         # prepare and send a bunch of handshake initiations
         # expect to switch to under load state
         init = peer_1.mk_handshake(self.pg1, is_ip6=is_ip6)
         # prepare and send a bunch of handshake initiations
         # expect to switch to under load state
         init = peer_1.mk_handshake(self.pg1, is_ip6=is_ip6)
@@ -940,6 +983,9 @@ class TestWg(VppTestCase):
         ).add_vpp_config()
         self.assertEqual(len(self.vapi.wireguard_peers_dump()), 2)
 
         ).add_vpp_config()
         self.assertEqual(len(self.vapi.wireguard_peers_dump()), 2)
 
+        # skip the first automatic handshake
+        self.pg1.get_capture(NUM_PEERS, timeout=HANDSHAKE_JITTER)
+
         # (peer_1) prepare and send a bunch of handshake initiations
         # expect not to switch to under load state
         init_1 = peer_1.mk_handshake(self.pg1)
         # (peer_1) prepare and send a bunch of handshake initiations
         # expect not to switch to under load state
         init_1 = peer_1.mk_handshake(self.pg1)
@@ -963,36 +1009,25 @@ class TestWg(VppTestCase):
         rxs = self.send_and_expect(self.pg1, [init_2], self.pg1)
         peer_2.consume_cookie(rxs[0])
 
         rxs = self.send_and_expect(self.pg1, [init_2], self.pg1)
         peer_2.consume_cookie(rxs[0])
 
-        # (peer_1) prepare and send a bunch of handshake initiations with correct mac2
-        # expect no ratelimiting and a handshake response
+        # (peer_1) (peer_2) prepare and send a bunch of handshake initiations with correct mac2
+        # expect a handshake response and then ratelimiting
+        PEER_1_NUM_TO_REJECT = 2
+        PEER_2_NUM_TO_REJECT = 5
         init_1 = peer_1.mk_handshake(self.pg1)
         init_1 = peer_1.mk_handshake(self.pg1)
-        txs = [init_1] * HANDSHAKE_NUM_BEFORE_RATELIMITING
-        rxs = self.send_and_expect_some(self.pg1, txs, self.pg1)
-        self.assertEqual(
-            self.base_ratelimited4_err,
-            self.statistics.get_err_counter(self.ratelimited4_err),
-        )
-
-        # (peer_1) verify the response
-        peer_1.consume_response(rxs[0])
-        peer_1.noise_reset()
-
-        # (peer_1) send another two handshake initiations with correct mac2
-        # expect ratelimiting
-        # (peer_2) prepare and send a handshake initiation with correct mac2
-        # expect no ratelimiting and a handshake response
+        txs = [init_1] * (HANDSHAKE_NUM_BEFORE_RATELIMITING + PEER_1_NUM_TO_REJECT)
         init_2 = peer_2.mk_handshake(self.pg1)
         init_2 = peer_2.mk_handshake(self.pg1)
-        txs = [init_1, init_2, init_1]
+        txs += [init_2] * (HANDSHAKE_NUM_BEFORE_RATELIMITING + PEER_2_NUM_TO_REJECT)
         rxs = self.send_and_expect_some(self.pg1, txs, self.pg1)
 
         rxs = self.send_and_expect_some(self.pg1, txs, self.pg1)
 
-        # (peer_1) verify ratelimiting
-        self.assertEqual(
-            self.base_ratelimited4_err + 2,
-            self.statistics.get_err_counter(self.ratelimited4_err),
+        self.assertTrue(
+            self.base_ratelimited4_err + PEER_1_NUM_TO_REJECT
+            < self.statistics.get_err_counter(self.ratelimited4_err)
+            <= self.base_ratelimited4_err + PEER_1_NUM_TO_REJECT + PEER_2_NUM_TO_REJECT
         )
 
         )
 
-        # (peer_2) verify the response
-        peer_2.consume_response(rxs[0])
+        # (peer_1) (peer_2) verify the response
+        peer_1.consume_response(rxs[0])
+        peer_2.consume_response(rxs[1])
 
         # clear up under load state
         self.sleep(UNDER_LOAD_INTERVAL)
 
         # clear up under load state
         self.sleep(UNDER_LOAD_INTERVAL)
@@ -1210,7 +1245,7 @@ class TestWg(VppTestCase):
         rxs = self.send_and_expect(self.pg0, [p], self.pg1)
 
         # verify the data packet
         rxs = self.send_and_expect(self.pg0, [p], self.pg1)
 
         # verify the data packet
-        peer_1.validate_encapped(rxs, p, is_ip6=is_ip6)
+        peer_1.validate_encapped(rxs, p, is_tunnel_ip6=is_ip6, is_transport_ip6=is_ip6)
 
         # remove configs
         r1.remove_vpp_config()
 
         # remove configs
         r1.remove_vpp_config()
@@ -1234,7 +1269,7 @@ class TestWg(VppTestCase):
         self._test_wg_peer_roaming_on_data_tmpl(is_async=True, is_ip6=True)
 
     def test_wg_peer_resp(self):
         self._test_wg_peer_roaming_on_data_tmpl(is_async=True, is_ip6=True)
 
     def test_wg_peer_resp(self):
-        """Send handshake response"""
+        """Send handshake response IPv4 tunnel"""
         port = 12323
 
         # Create interfaces
         port = 12323
 
         # Create interfaces
@@ -1311,6 +1346,83 @@ class TestWg(VppTestCase):
         peer_1.remove_vpp_config()
         wg0.remove_vpp_config()
 
         peer_1.remove_vpp_config()
         wg0.remove_vpp_config()
 
+    def test_wg_peer_resp_ipv6(self):
+        """Send handshake response IPv6 tunnel"""
+        port = 12323
+
+        # Create interfaces
+        wg0 = VppWgInterface(self, self.pg1.local_ip6, port).add_vpp_config()
+        wg0.admin_up()
+        wg0.config_ip4()
+
+        self.pg_enable_capture(self.pg_interfaces)
+        self.pg_start()
+
+        peer_1 = VppWgPeer(
+            self, wg0, self.pg1.remote_ip6, port + 1, ["10.11.3.0/24"]
+        ).add_vpp_config()
+        self.assertEqual(len(self.vapi.wireguard_peers_dump()), 1)
+
+        r1 = VppIpRoute(
+            self, "10.11.3.0", 24, [VppRoutePath("10.11.3.1", wg0.sw_if_index)]
+        ).add_vpp_config()
+
+        # wait for the peer to send a handshake
+        rx = self.pg1.get_capture(1, timeout=2)
+
+        # consume the handshake in the noise protocol and
+        # generate the response
+        resp = peer_1.consume_init(rx[0], self.pg1, is_ip6=True)
+
+        # send the response, get keepalive
+        rxs = self.send_and_expect(self.pg1, [resp], self.pg1)
+
+        for rx in rxs:
+            b = peer_1.decrypt_transport(rx, True)
+            self.assertEqual(0, len(b))
+
+        # send a packets that are routed into the tunnel
+        p = (
+            Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
+            / IP(src=self.pg0.remote_ip4, dst="10.11.3.2")
+            / UDP(sport=555, dport=556)
+            / Raw(b"\x00" * 80)
+        )
+
+        rxs = self.send_and_expect(self.pg0, p * 2, self.pg1)
+        peer_1.validate_encapped(rxs, p, True)
+
+        # send packets into the tunnel, expect to receive them on
+        # the other side
+        p = [
+            (
+                peer_1.mk_tunnel_header(self.pg1, True)
+                / Wireguard(message_type=4, reserved_zero=0)
+                / WireguardTransport(
+                    receiver_index=peer_1.sender,
+                    counter=ii,
+                    encrypted_encapsulated_packet=peer_1.encrypt_transport(
+                        (
+                            IP(src="10.11.3.1", dst=self.pg0.remote_ip4, ttl=20)
+                            / UDP(sport=222, dport=223)
+                            / Raw()
+                        )
+                    ),
+                )
+            )
+            for ii in range(255)
+        ]
+
+        rxs = self.send_and_expect(self.pg1, p, self.pg0)
+
+        for rx in rxs:
+            self.assertEqual(rx[IP].dst, self.pg0.remote_ip4)
+            self.assertEqual(rx[IP].ttl, 19)
+
+        r1.remove_vpp_config()
+        peer_1.remove_vpp_config()
+        wg0.remove_vpp_config()
+
     def test_wg_peer_v4o4(self):
         """Test v4o4"""
 
     def test_wg_peer_v4o4(self):
         """Test v4o4"""
 
@@ -1342,7 +1454,7 @@ class TestWg(VppTestCase):
             / UDP(sport=555, dport=556)
             / Raw()
         )
             / UDP(sport=555, dport=556)
             / Raw()
         )
-        self.send_and_assert_no_replies(self.pg0, [p])
+        self.send_and_assert_no_replies_ignoring_init(self.pg0, [p])
         self.assertEqual(
             self.base_kp4_err + 1, self.statistics.get_err_counter(self.kp4_error)
         )
         self.assertEqual(
             self.base_kp4_err + 1, self.statistics.get_err_counter(self.kp4_error)
         )
@@ -1356,7 +1468,7 @@ class TestWg(VppTestCase):
             / UDP(sport=555, dport=556)
             / Raw()
         )
             / UDP(sport=555, dport=556)
             / Raw()
         )
-        self.send_and_assert_no_replies(self.pg0, [p])
+        self.send_and_assert_no_replies_ignoring_init(self.pg0, [p])
         self.assertEqual(
             self.base_peer4_out_err + 1,
             self.statistics.get_err_counter(self.peer4_out_err),
         self.assertEqual(
             self.base_peer4_out_err + 1,
             self.statistics.get_err_counter(self.peer4_out_err),
@@ -1365,7 +1477,7 @@ class TestWg(VppTestCase):
         # send a handsake from the peer with an invalid MAC
         p = peer_1.mk_handshake(self.pg1)
         p[WireguardInitiation].mac1 = b"foobar"
         # send a handsake from the peer with an invalid MAC
         p = peer_1.mk_handshake(self.pg1)
         p[WireguardInitiation].mac1 = b"foobar"
-        self.send_and_assert_no_replies(self.pg1, [p])
+        self.send_and_assert_no_replies_ignoring_init(self.pg1, [p])
         self.assertEqual(
             self.base_mac4_err + 1, self.statistics.get_err_counter(self.mac4_error)
         )
         self.assertEqual(
             self.base_mac4_err + 1, self.statistics.get_err_counter(self.mac4_error)
         )
@@ -1374,7 +1486,7 @@ class TestWg(VppTestCase):
         p = peer_1.mk_handshake(
             self.pg1, False, X25519PrivateKey.generate().public_key()
         )
         p = peer_1.mk_handshake(
             self.pg1, False, X25519PrivateKey.generate().public_key()
         )
-        self.send_and_assert_no_replies(self.pg1, [p])
+        self.send_and_assert_no_replies_ignoring_init(self.pg1, [p])
         self.assertEqual(
             self.base_peer4_in_err + 1,
             self.statistics.get_err_counter(self.peer4_in_err),
         self.assertEqual(
             self.base_peer4_in_err + 1,
             self.statistics.get_err_counter(self.peer4_in_err),
@@ -1395,7 +1507,7 @@ class TestWg(VppTestCase):
             / UDP(sport=555, dport=556)
             / Raw()
         )
             / UDP(sport=555, dport=556)
             / Raw()
         )
-        self.send_and_assert_no_replies(self.pg0, [p])
+        self.send_and_assert_no_replies_ignoring_init(self.pg0, [p])
         self.assertEqual(
             self.base_kp4_err + 2, self.statistics.get_err_counter(self.kp4_error)
         )
         self.assertEqual(
             self.base_kp4_err + 2, self.statistics.get_err_counter(self.kp4_error)
         )
@@ -1481,7 +1593,7 @@ class TestWg(VppTestCase):
 
         peer_1 = VppWgPeer(
             self, wg0, self.pg1.remote_ip6, port + 1, ["1::3:0/112"]
 
         peer_1 = VppWgPeer(
             self, wg0, self.pg1.remote_ip6, port + 1, ["1::3:0/112"]
-        ).add_vpp_config(True)
+        ).add_vpp_config()
         self.assertEqual(len(self.vapi.wireguard_peers_dump()), 1)
 
         r1 = VppIpRoute(
         self.assertEqual(len(self.vapi.wireguard_peers_dump()), 1)
 
         r1 = VppIpRoute(
@@ -1501,7 +1613,7 @@ class TestWg(VppTestCase):
             / UDP(sport=555, dport=556)
             / Raw()
         )
             / UDP(sport=555, dport=556)
             / Raw()
         )
-        self.send_and_assert_no_replies(self.pg0, [p])
+        self.send_and_assert_no_replies_ignoring_init(self.pg0, [p])
 
         self.assertEqual(
             self.base_kp6_err + 1, self.statistics.get_err_counter(self.kp6_error)
 
         self.assertEqual(
             self.base_kp6_err + 1, self.statistics.get_err_counter(self.kp6_error)
@@ -1516,7 +1628,7 @@ class TestWg(VppTestCase):
             / UDP(sport=555, dport=556)
             / Raw()
         )
             / UDP(sport=555, dport=556)
             / Raw()
         )
-        self.send_and_assert_no_replies(self.pg0, [p])
+        self.send_and_assert_no_replies_ignoring_init(self.pg0, [p])
         self.assertEqual(
             self.base_peer6_out_err + 1,
             self.statistics.get_err_counter(self.peer6_out_err),
         self.assertEqual(
             self.base_peer6_out_err + 1,
             self.statistics.get_err_counter(self.peer6_out_err),
@@ -1525,7 +1637,7 @@ class TestWg(VppTestCase):
         # send a handsake from the peer with an invalid MAC
         p = peer_1.mk_handshake(self.pg1, True)
         p[WireguardInitiation].mac1 = b"foobar"
         # send a handsake from the peer with an invalid MAC
         p = peer_1.mk_handshake(self.pg1, True)
         p[WireguardInitiation].mac1 = b"foobar"
-        self.send_and_assert_no_replies(self.pg1, [p])
+        self.send_and_assert_no_replies_ignoring_init(self.pg1, [p])
 
         self.assertEqual(
             self.base_mac6_err + 1, self.statistics.get_err_counter(self.mac6_error)
 
         self.assertEqual(
             self.base_mac6_err + 1, self.statistics.get_err_counter(self.mac6_error)
@@ -1535,7 +1647,7 @@ class TestWg(VppTestCase):
         p = peer_1.mk_handshake(
             self.pg1, True, X25519PrivateKey.generate().public_key()
         )
         p = peer_1.mk_handshake(
             self.pg1, True, X25519PrivateKey.generate().public_key()
         )
-        self.send_and_assert_no_replies(self.pg1, [p])
+        self.send_and_assert_no_replies_ignoring_init(self.pg1, [p])
         self.assertEqual(
             self.base_peer6_in_err + 1,
             self.statistics.get_err_counter(self.peer6_in_err),
         self.assertEqual(
             self.base_peer6_in_err + 1,
             self.statistics.get_err_counter(self.peer6_in_err),
@@ -1556,7 +1668,7 @@ class TestWg(VppTestCase):
             / UDP(sport=555, dport=556)
             / Raw()
         )
             / UDP(sport=555, dport=556)
             / Raw()
         )
-        self.send_and_assert_no_replies(self.pg0, [p])
+        self.send_and_assert_no_replies_ignoring_init(self.pg0, [p])
         self.assertEqual(
             self.base_kp6_err + 2, self.statistics.get_err_counter(self.kp6_error)
         )
         self.assertEqual(
             self.base_kp6_err + 2, self.statistics.get_err_counter(self.kp6_error)
         )
@@ -1642,7 +1754,7 @@ class TestWg(VppTestCase):
 
         peer_1 = VppWgPeer(
             self, wg0, self.pg1.remote_ip4, port + 1, ["1::3:0/112"]
 
         peer_1 = VppWgPeer(
             self, wg0, self.pg1.remote_ip4, port + 1, ["1::3:0/112"]
-        ).add_vpp_config(True)
+        ).add_vpp_config()
         self.assertEqual(len(self.vapi.wireguard_peers_dump()), 1)
 
         r1 = VppIpRoute(
         self.assertEqual(len(self.vapi.wireguard_peers_dump()), 1)
 
         r1 = VppIpRoute(
@@ -1658,7 +1770,7 @@ class TestWg(VppTestCase):
             / UDP(sport=555, dport=556)
             / Raw()
         )
             / UDP(sport=555, dport=556)
             / Raw()
         )
-        self.send_and_assert_no_replies(self.pg0, [p])
+        self.send_and_assert_no_replies_ignoring_init(self.pg0, [p])
         self.assertEqual(
             self.base_kp6_err + 1, self.statistics.get_err_counter(self.kp6_error)
         )
         self.assertEqual(
             self.base_kp6_err + 1, self.statistics.get_err_counter(self.kp6_error)
         )
@@ -1666,7 +1778,7 @@ class TestWg(VppTestCase):
         # send a handsake from the peer with an invalid MAC
         p = peer_1.mk_handshake(self.pg1)
         p[WireguardInitiation].mac1 = b"foobar"
         # send a handsake from the peer with an invalid MAC
         p = peer_1.mk_handshake(self.pg1)
         p[WireguardInitiation].mac1 = b"foobar"
-        self.send_and_assert_no_replies(self.pg1, [p])
+        self.send_and_assert_no_replies_ignoring_init(self.pg1, [p])
 
         self.assertEqual(
             self.base_mac4_err + 1, self.statistics.get_err_counter(self.mac4_error)
 
         self.assertEqual(
             self.base_mac4_err + 1, self.statistics.get_err_counter(self.mac4_error)
@@ -1676,7 +1788,7 @@ class TestWg(VppTestCase):
         p = peer_1.mk_handshake(
             self.pg1, False, X25519PrivateKey.generate().public_key()
         )
         p = peer_1.mk_handshake(
             self.pg1, False, X25519PrivateKey.generate().public_key()
         )
-        self.send_and_assert_no_replies(self.pg1, [p])
+        self.send_and_assert_no_replies_ignoring_init(self.pg1, [p])
         self.assertEqual(
             self.base_peer4_in_err + 1,
             self.statistics.get_err_counter(self.peer4_in_err),
         self.assertEqual(
             self.base_peer4_in_err + 1,
             self.statistics.get_err_counter(self.peer4_in_err),
@@ -1697,7 +1809,7 @@ class TestWg(VppTestCase):
             / UDP(sport=555, dport=556)
             / Raw()
         )
             / UDP(sport=555, dport=556)
             / Raw()
         )
-        self.send_and_assert_no_replies(self.pg0, [p])
+        self.send_and_assert_no_replies_ignoring_init(self.pg0, [p])
         self.assertEqual(
             self.base_kp6_err + 2, self.statistics.get_err_counter(self.kp6_error)
         )
         self.assertEqual(
             self.base_kp6_err + 2, self.statistics.get_err_counter(self.kp6_error)
         )
@@ -1798,7 +1910,7 @@ class TestWg(VppTestCase):
             / UDP(sport=555, dport=556)
             / Raw()
         )
             / UDP(sport=555, dport=556)
             / Raw()
         )
-        self.send_and_assert_no_replies(self.pg0, [p])
+        self.send_and_assert_no_replies_ignoring_init(self.pg0, [p])
         self.assertEqual(
             self.base_kp4_err + 1, self.statistics.get_err_counter(self.kp4_error)
         )
         self.assertEqual(
             self.base_kp4_err + 1, self.statistics.get_err_counter(self.kp4_error)
         )
@@ -1806,7 +1918,7 @@ class TestWg(VppTestCase):
         # send a handsake from the peer with an invalid MAC
         p = peer_1.mk_handshake(self.pg1, True)
         p[WireguardInitiation].mac1 = b"foobar"
         # send a handsake from the peer with an invalid MAC
         p = peer_1.mk_handshake(self.pg1, True)
         p[WireguardInitiation].mac1 = b"foobar"
-        self.send_and_assert_no_replies(self.pg1, [p])
+        self.send_and_assert_no_replies_ignoring_init(self.pg1, [p])
         self.assertEqual(
             self.base_mac6_err + 1, self.statistics.get_err_counter(self.mac6_error)
         )
         self.assertEqual(
             self.base_mac6_err + 1, self.statistics.get_err_counter(self.mac6_error)
         )
@@ -1815,7 +1927,7 @@ class TestWg(VppTestCase):
         p = peer_1.mk_handshake(
             self.pg1, True, X25519PrivateKey.generate().public_key()
         )
         p = peer_1.mk_handshake(
             self.pg1, True, X25519PrivateKey.generate().public_key()
         )
-        self.send_and_assert_no_replies(self.pg1, [p])
+        self.send_and_assert_no_replies_ignoring_init(self.pg1, [p])
         self.assertEqual(
             self.base_peer6_in_err + 1,
             self.statistics.get_err_counter(self.peer6_in_err),
         self.assertEqual(
             self.base_peer6_in_err + 1,
             self.statistics.get_err_counter(self.peer6_in_err),
@@ -1836,7 +1948,7 @@ class TestWg(VppTestCase):
             / UDP(sport=555, dport=556)
             / Raw()
         )
             / UDP(sport=555, dport=556)
             / Raw()
         )
-        self.send_and_assert_no_replies(self.pg0, [p])
+        self.send_and_assert_no_replies_ignoring_init(self.pg0, [p])
         self.assertEqual(
             self.base_kp4_err + 2, self.statistics.get_err_counter(self.kp4_error)
         )
         self.assertEqual(
             self.base_kp4_err + 2, self.statistics.get_err_counter(self.kp4_error)
         )
@@ -2009,6 +2121,9 @@ class TestWg(VppTestCase):
         self.pg0.generate_remote_hosts(NUM_IFS)
         self.pg0.configure_ipv4_neighbors()
 
         self.pg0.generate_remote_hosts(NUM_IFS)
         self.pg0.configure_ipv4_neighbors()
 
+        self.pg_enable_capture(self.pg_interfaces)
+        self.pg_start()
+
         # Create interfaces with a peer on each
         peers = []
         routes = []
         # Create interfaces with a peer on each
         peers = []
         routes = []
@@ -2040,6 +2155,9 @@ class TestWg(VppTestCase):
 
         self.assertEqual(len(self.vapi.wireguard_peers_dump()), NUM_IFS)
 
 
         self.assertEqual(len(self.vapi.wireguard_peers_dump()), NUM_IFS)
 
+        # skip the first automatic handshake
+        self.pg1.get_capture(NUM_IFS, timeout=HANDSHAKE_JITTER)
+
         for i in range(NUM_IFS):
             # send a valid handsake init for which we expect a response
             p = peers[i].mk_handshake(self.pg1)
         for i in range(NUM_IFS):
             # send a valid handsake init for which we expect a response
             p = peers[i].mk_handshake(self.pg1)
@@ -2193,23 +2311,55 @@ class TestWg(VppTestCase):
 
         self.assertEqual(len(self.vapi.wireguard_peers_dump()), NUM_PEERS * 2)
 
 
         self.assertEqual(len(self.vapi.wireguard_peers_dump()), NUM_PEERS * 2)
 
+        # skip the first automatic handshake
+        self.pg1.get_capture(NUM_PEERS, timeout=HANDSHAKE_JITTER)
+        self.pg2.get_capture(NUM_PEERS, timeout=HANDSHAKE_JITTER)
+
         # Want events from the first perr of wg0
         # and from all wg1 peers
         peers_0[0].want_events()
         wg1.want_events()
 
         for i in range(NUM_PEERS):
         # Want events from the first perr of wg0
         # and from all wg1 peers
         peers_0[0].want_events()
         wg1.want_events()
 
         for i in range(NUM_PEERS):
-            # send a valid handsake init for which we expect a response
+            # wg0 peers: send a valid handsake init for which we expect a response
             p = peers_0[i].mk_handshake(self.pg1)
             rx = self.send_and_expect(self.pg1, [p], self.pg1)
             peers_0[i].consume_response(rx[0])
             p = peers_0[i].mk_handshake(self.pg1)
             rx = self.send_and_expect(self.pg1, [p], self.pg1)
             peers_0[i].consume_response(rx[0])
+
+            # wg0 peers: send empty packet, it means successful connection (WIREGUARD_PEER_ESTABLISHED)
+            keepalive = peers_0[i].encrypt_transport(0)
+            p = peers_0[i].mk_tunnel_header(self.pg1) / (
+                Wireguard(message_type=4, reserved_zero=0)
+                / WireguardTransport(
+                    receiver_index=peers_0[i].sender,
+                    counter=0,
+                    encrypted_encapsulated_packet=keepalive,
+                )
+            )
+            self.send_and_assert_no_replies(self.pg1, [p])
+
+            # wg0 peers: wait for established flag
             if i == 0:
                 peers_0[0].wait_event(ESTABLISHED_FLAG)
 
             if i == 0:
                 peers_0[0].wait_event(ESTABLISHED_FLAG)
 
+            # wg1 peers: send a valid handsake init for which we expect a response
             p = peers_1[i].mk_handshake(self.pg2)
             rx = self.send_and_expect(self.pg2, [p], self.pg2)
             peers_1[i].consume_response(rx[0])
 
             p = peers_1[i].mk_handshake(self.pg2)
             rx = self.send_and_expect(self.pg2, [p], self.pg2)
             peers_1[i].consume_response(rx[0])
 
+            # wg1 peers: send empty packet, it means successful connection (WIREGUARD_PEER_ESTABLISHED)
+            keepalive = peers_1[i].encrypt_transport(0)
+            p = peers_1[i].mk_tunnel_header(self.pg2) / (
+                Wireguard(message_type=4, reserved_zero=0)
+                / WireguardTransport(
+                    receiver_index=peers_1[i].sender,
+                    counter=0,
+                    encrypted_encapsulated_packet=keepalive,
+                )
+            )
+            self.send_and_assert_no_replies(self.pg2, [p])
+
+        # wg1 peers: wait for established flag
         wg1.wait_events(ESTABLISHED_FLAG, [peers_1[0].index, peers_1[1].index])
 
         # remove routes
         wg1.wait_events(ESTABLISHED_FLAG, [peers_1[0].index, peers_1[1].index])
 
         # remove routes
@@ -2234,9 +2384,361 @@ class TestWg(VppTestCase):
         wg0.remove_vpp_config()
         wg1.remove_vpp_config()
 
         wg0.remove_vpp_config()
         wg1.remove_vpp_config()
 
+    def test_wg_sending_handshake_when_admin_down(self):
+        """Sending handshake when admin down"""
+        port = 12323
+
+        # create wg interface
+        wg0 = VppWgInterface(self, self.pg1.local_ip4, port).add_vpp_config()
+        wg0.config_ip4()
+
+        # create a peer
+        peer_1 = VppWgPeer(
+            self, wg0, self.pg1.remote_ip4, port + 1, ["10.11.3.0/24"]
+        ).add_vpp_config()
+        self.assertEqual(len(self.vapi.wireguard_peers_dump()), 1)
+
+        self.pg_enable_capture(self.pg_interfaces)
+        self.pg_start()
+
+        # wait for the peer to send a handshake initiation
+        # expect no handshakes
+        for i in range(2):
+            self.pg1.assert_nothing_captured(remark="handshake packet(s) sent")
+
+        self.pg_enable_capture(self.pg_interfaces)
+        self.pg_start()
+
+        # administratively enable the wg interface
+        # expect the peer to send a handshake initiation
+        wg0.admin_up()
+        rxs = self.pg1.get_capture(1, timeout=2)
+        peer_1.consume_init(rxs[0], self.pg1)
+
+        self.pg_enable_capture(self.pg_interfaces)
+        self.pg_start()
+
+        # administratively disable the wg interface
+        # expect no handshakes
+        wg0.admin_down()
+        for i in range(6):
+            self.pg1.assert_nothing_captured(remark="handshake packet(s) sent")
+
+        # remove configs
+        peer_1.remove_vpp_config()
+        wg0.remove_vpp_config()
+
+    def test_wg_sending_data_when_admin_down(self):
+        """Sending data when admin down"""
+        port = 12323
+
+        # create wg interface
+        wg0 = VppWgInterface(self, self.pg1.local_ip4, port).add_vpp_config()
+        wg0.admin_up()
+        wg0.config_ip4()
+
+        self.pg_enable_capture(self.pg_interfaces)
+        self.pg_start()
+
+        # create a peer
+        peer_1 = VppWgPeer(
+            self, wg0, self.pg1.remote_ip4, port + 1, ["10.11.3.0/24"]
+        ).add_vpp_config()
+        self.assertEqual(len(self.vapi.wireguard_peers_dump()), 1)
+
+        # create a route to rewrite traffic into the wg interface
+        r1 = VppIpRoute(
+            self, "10.11.3.0", 24, [VppRoutePath("10.11.3.1", wg0.sw_if_index)]
+        ).add_vpp_config()
+
+        # wait for the peer to send a handshake initiation
+        rxs = self.pg1.get_capture(1, timeout=2)
+
+        # prepare and send a handshake response
+        # expect a keepalive message
+        resp = peer_1.consume_init(rxs[0], self.pg1)
+        rxs = self.send_and_expect(self.pg1, [resp], self.pg1)
+
+        # verify the keepalive message
+        b = peer_1.decrypt_transport(rxs[0])
+        self.assertEqual(0, len(b))
+
+        # prepare and send a packet that will be rewritten into the wg interface
+        # expect a data packet sent
+        p = (
+            Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
+            / IP(src=self.pg0.remote_ip4, dst="10.11.3.2")
+            / UDP(sport=555, dport=556)
+            / Raw()
+        )
+        rxs = self.send_and_expect(self.pg0, [p], self.pg1)
+
+        # verify the data packet
+        peer_1.validate_encapped(rxs, p)
+
+        # administratively disable the wg interface
+        wg0.admin_down()
+
+        # send a packet that will be rewritten into the wg interface
+        # expect no data packets sent
+        self.send_and_assert_no_replies(self.pg0, [p])
+
+        # administratively enable the wg interface
+        # expect the peer to send a handshake initiation
+        wg0.admin_up()
+        peer_1.noise_reset()
+        rxs = self.pg1.get_capture(1, timeout=2)
+        resp = peer_1.consume_init(rxs[0], self.pg1)
+
+        # send a packet that will be rewritten into the wg interface
+        # expect no data packets sent because the peer is not initiated
+        self.send_and_assert_no_replies(self.pg0, [p])
+        self.assertEqual(
+            self.base_kp4_err + 1, self.statistics.get_err_counter(self.kp4_error)
+        )
+
+        # send a handshake response and expect a keepalive message
+        rxs = self.send_and_expect(self.pg1, [resp], self.pg1)
+
+        # verify the keepalive message
+        b = peer_1.decrypt_transport(rxs[0])
+        self.assertEqual(0, len(b))
+
+        # send a packet that will be rewritten into the wg interface
+        # expect a data packet sent
+        rxs = self.send_and_expect(self.pg0, [p], self.pg1)
+
+        # verify the data packet
+        peer_1.validate_encapped(rxs, p)
+
+        # remove configs
+        r1.remove_vpp_config()
+        peer_1.remove_vpp_config()
+        wg0.remove_vpp_config()
+
+    def _test_wg_large_packet_tmpl(self, is_async, is_ip6):
+        self.vapi.wg_set_async_mode(is_async)
+        port = 12323
+
+        # create wg interface
+        if is_ip6:
+            wg0 = VppWgInterface(self, self.pg1.local_ip6, port).add_vpp_config()
+            wg0.admin_up()
+            wg0.config_ip6()
+        else:
+            wg0 = VppWgInterface(self, self.pg1.local_ip4, port).add_vpp_config()
+            wg0.admin_up()
+            wg0.config_ip4()
+
+        self.pg_enable_capture(self.pg_interfaces)
+        self.pg_start()
+
+        # create a peer
+        if is_ip6:
+            peer_1 = VppWgPeer(
+                self, wg0, self.pg1.remote_ip6, port + 1, ["1::3:0/112"]
+            ).add_vpp_config()
+        else:
+            peer_1 = VppWgPeer(
+                self, wg0, self.pg1.remote_ip4, port + 1, ["10.11.3.0/24"]
+            ).add_vpp_config()
+        self.assertEqual(len(self.vapi.wireguard_peers_dump()), 1)
+
+        # create a route to rewrite traffic into the wg interface
+        if is_ip6:
+            r1 = VppIpRoute(
+                self, "1::3:0", 112, [VppRoutePath("1::3:1", wg0.sw_if_index)]
+            ).add_vpp_config()
+        else:
+            r1 = VppIpRoute(
+                self, "10.11.3.0", 24, [VppRoutePath("10.11.3.1", wg0.sw_if_index)]
+            ).add_vpp_config()
 
 
-@tag_fixme_ubuntu2204
-@tag_fixme_debian11
+        # wait for the peer to send a handshake initiation
+        rxs = self.pg1.get_capture(1, timeout=2)
+
+        # prepare and send a handshake response
+        # expect a keepalive message
+        resp = peer_1.consume_init(rxs[0], self.pg1, is_ip6=is_ip6)
+        rxs = self.send_and_expect(self.pg1, [resp], self.pg1)
+
+        # verify the keepalive message
+        b = peer_1.decrypt_transport(rxs[0], is_ip6=is_ip6)
+        self.assertEqual(0, len(b))
+
+        # prepare and send data packets
+        # expect to receive them decrypted
+        if is_ip6:
+            ip_header = IPv6(src="1::3:1", dst=self.pg0.remote_ip6, hlim=20)
+        else:
+            ip_header = IP(src="10.11.3.1", dst=self.pg0.remote_ip4, ttl=20)
+        packet_len_opts = (
+            2500,  # two buffers
+            1500,  # one buffer
+            4500,  # three buffers
+            1910 if is_ip6 else 1950,  # auth tag is not contiguous
+        )
+        txs = []
+        for l in packet_len_opts:
+            txs.append(
+                peer_1.mk_tunnel_header(self.pg1, is_ip6=is_ip6)
+                / Wireguard(message_type=4, reserved_zero=0)
+                / WireguardTransport(
+                    receiver_index=peer_1.sender,
+                    counter=len(txs),
+                    encrypted_encapsulated_packet=peer_1.encrypt_transport(
+                        ip_header / UDP(sport=222, dport=223) / Raw(b"\xfe" * l)
+                    ),
+                )
+            )
+        rxs = self.send_and_expect(self.pg1, txs, self.pg0)
+
+        # verify decrypted packets
+        for i, l in enumerate(packet_len_opts):
+            if is_ip6:
+                self.assertEqual(rxs[i][IPv6].dst, self.pg0.remote_ip6)
+                self.assertEqual(rxs[i][IPv6].hlim, ip_header.hlim - 1)
+            else:
+                self.assertEqual(rxs[i][IP].dst, self.pg0.remote_ip4)
+                self.assertEqual(rxs[i][IP].ttl, ip_header.ttl - 1)
+            self.assertEqual(len(rxs[i][Raw]), l)
+            self.assertEqual(bytes(rxs[i][Raw]), b"\xfe" * l)
+
+        # prepare and send packets that will be rewritten into the wg interface
+        # expect data packets sent
+        if is_ip6:
+            ip_header = IPv6(src=self.pg0.remote_ip6, dst="1::3:2")
+        else:
+            ip_header = IP(src=self.pg0.remote_ip4, dst="10.11.3.2")
+        packet_len_opts = (
+            2500,  # two buffers
+            1500,  # one buffer
+            4500,  # three buffers
+            1980 if is_ip6 else 2000,  # no free space to write auth tag
+        )
+        txs = []
+        for l in packet_len_opts:
+            txs.append(
+                Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
+                / ip_header
+                / UDP(sport=555, dport=556)
+                / Raw(b"\xfe" * l)
+            )
+        rxs = self.send_and_expect(self.pg0, txs, self.pg1)
+
+        # verify the data packets
+        rxs_decrypted = peer_1.validate_encapped(
+            rxs, ip_header, is_tunnel_ip6=is_ip6, is_transport_ip6=is_ip6
+        )
+
+        for i, l in enumerate(packet_len_opts):
+            self.assertEqual(len(rxs_decrypted[i][Raw]), l)
+            self.assertEqual(bytes(rxs_decrypted[i][Raw]), b"\xfe" * l)
+
+        # remove configs
+        r1.remove_vpp_config()
+        peer_1.remove_vpp_config()
+        wg0.remove_vpp_config()
+
+    def test_wg_large_packet_v4_sync(self):
+        """Large packet (v4, sync)"""
+        self._test_wg_large_packet_tmpl(is_async=False, is_ip6=False)
+
+    def test_wg_large_packet_v6_sync(self):
+        """Large packet (v6, sync)"""
+        self._test_wg_large_packet_tmpl(is_async=False, is_ip6=True)
+
+    def test_wg_large_packet_v4_async(self):
+        """Large packet (v4, async)"""
+        self._test_wg_large_packet_tmpl(is_async=True, is_ip6=False)
+
+    def test_wg_large_packet_v6_async(self):
+        """Large packet (v6, async)"""
+        self._test_wg_large_packet_tmpl(is_async=True, is_ip6=True)
+
+    def test_wg_lack_of_buf_headroom(self):
+        """Lack of buffer's headroom (v6 vxlan over v6 wg)"""
+        port = 12323
+
+        # create wg interface
+        wg0 = VppWgInterface(self, self.pg1.local_ip6, port).add_vpp_config()
+        wg0.admin_up()
+        wg0.config_ip6()
+
+        self.pg_enable_capture(self.pg_interfaces)
+        self.pg_start()
+
+        # create a peer
+        peer_1 = VppWgPeer(
+            self, wg0, self.pg1.remote_ip6, port + 1, ["::/0"]
+        ).add_vpp_config()
+        self.assertEqual(len(self.vapi.wireguard_peers_dump()), 1)
+
+        # create a route to enable communication between wg interface addresses
+        r1 = VppIpRoute(
+            self, wg0.remote_ip6, 128, [VppRoutePath("0.0.0.0", wg0.sw_if_index)]
+        ).add_vpp_config()
+
+        # wait for the peer to send a handshake initiation
+        rxs = self.pg1.get_capture(1, timeout=2)
+
+        # prepare and send a handshake response
+        # expect a keepalive message
+        resp = peer_1.consume_init(rxs[0], self.pg1, is_ip6=True)
+        rxs = self.send_and_expect(self.pg1, [resp], self.pg1)
+
+        # verify the keepalive message
+        b = peer_1.decrypt_transport(rxs[0], is_ip6=True)
+        self.assertEqual(0, len(b))
+
+        # create vxlan interface over the wg interface
+        vxlan0 = VppVxlanTunnel(self, src=wg0.local_ip6, dst=wg0.remote_ip6, vni=1111)
+        vxlan0.add_vpp_config()
+
+        # create bridge domain
+        bd1 = VppBridgeDomain(self, bd_id=1)
+        bd1.add_vpp_config()
+
+        # add the vxlan interface and pg0 to the bridge domain
+        bd1_ports = (
+            VppBridgeDomainPort(self, bd1, vxlan0).add_vpp_config(),
+            VppBridgeDomainPort(self, bd1, self.pg0).add_vpp_config(),
+        )
+
+        # prepare and send packets that will be rewritten into the vxlan interface
+        # expect they to be rewritten into the wg interface then and data packets sent
+        tx = (
+            Ether(dst="00:00:00:00:00:01", src="00:00:00:00:00:02")
+            / IPv6(src="::1", dst="::2", hlim=20)
+            / UDP(sport=1111, dport=1112)
+            / Raw(b"\xfe" * 1900)
+        )
+        rxs = self.send_and_expect(self.pg0, [tx] * 5, self.pg1)
+
+        # verify the data packet
+        for rx in rxs:
+            rx_decrypted = IPv6(peer_1.decrypt_transport(rx, is_ip6=True))
+
+            self.assertEqual(rx_decrypted[VXLAN].vni, vxlan0.vni)
+            inner = rx_decrypted[VXLAN].payload
+
+            # check the original packet is present
+            self.assertEqual(inner[IPv6].dst, tx[IPv6].dst)
+            self.assertEqual(inner[IPv6].hlim, tx[IPv6].hlim)
+            self.assertEqual(len(inner[Raw]), len(tx[Raw]))
+            self.assertEqual(bytes(inner[Raw]), bytes(tx[Raw]))
+
+        # remove configs
+        for bdp in bd1_ports:
+            bdp.remove_vpp_config()
+        bd1.remove_vpp_config()
+        vxlan0.remove_vpp_config()
+        r1.remove_vpp_config()
+        peer_1.remove_vpp_config()
+        wg0.remove_vpp_config()
+
+
+@tag_fixme_vpp_debug
 class WireguardHandoffTests(TestWg):
     """Wireguard Tests in multi worker setup"""
 
 class WireguardHandoffTests(TestWg):
     """Wireguard Tests in multi worker setup"""
 
@@ -2252,6 +2754,9 @@ class WireguardHandoffTests(TestWg):
         wg0.admin_up()
         wg0.config_ip4()
 
         wg0.admin_up()
         wg0.config_ip4()
 
+        self.pg_enable_capture(self.pg_interfaces)
+        self.pg_start()
+
         peer_1 = VppWgPeer(
             self, wg0, self.pg1.remote_ip4, port + 1, ["10.11.2.0/24", "10.11.3.0/24"]
         ).add_vpp_config()
         peer_1 = VppWgPeer(
             self, wg0, self.pg1.remote_ip4, port + 1, ["10.11.2.0/24", "10.11.3.0/24"]
         ).add_vpp_config()
@@ -2261,6 +2766,9 @@ class WireguardHandoffTests(TestWg):
             self, "10.11.3.0", 24, [VppRoutePath("10.11.3.1", wg0.sw_if_index)]
         ).add_vpp_config()
 
             self, "10.11.3.0", 24, [VppRoutePath("10.11.3.1", wg0.sw_if_index)]
         ).add_vpp_config()
 
+        # skip the first automatic handshake
+        self.pg1.get_capture(1, timeout=HANDSHAKE_JITTER)
+
         # send a valid handsake init for which we expect a response
         p = peer_1.mk_handshake(self.pg1)
 
         # send a valid handsake init for which we expect a response
         p = peer_1.mk_handshake(self.pg1)
 
@@ -2326,7 +2834,7 @@ class WireguardHandoffTests(TestWg):
             self.assertEqual(rx[IP].ttl, 19)
 
         # send a packets that are routed into the tunnel
             self.assertEqual(rx[IP].ttl, 19)
 
         # send a packets that are routed into the tunnel
-        # from owrker 0
+        # from worker 0
         rxs = self.send_and_expect(self.pg0, pe * 255, self.pg1, worker=0)
 
         peer_1.validate_encapped(rxs, pe)
         rxs = self.send_and_expect(self.pg0, pe * 255, self.pg1, worker=0)
 
         peer_1.validate_encapped(rxs, pe)
@@ -2405,7 +2913,7 @@ class TestWgFIB(VppTestCase):
         self.assertEqual(0, len(b))
 
         # prepare and send a packet that will be rewritten into the wg interface
         self.assertEqual(0, len(b))
 
         # prepare and send a packet that will be rewritten into the wg interface
-        # expect a data packet sent to the new endpoint
+        # expect a data packet sent
         p = (
             Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
             / IP(src=self.pg0.remote_ip4, dst="10.11.3.2")
         p = (
             Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
             / IP(src=self.pg0.remote_ip4, dst="10.11.3.2")
Vector Packet Processing