Add full IPsec tunnel connectivity test to E2E suite #14915

@dguido

Summary

The E2E VPN connectivity tests (PR #14914) currently validate IPsec certificates, service status, and port reachability, but don't establish an actual IPsec tunnel from the test namespace. This is a follow-up enhancement to add true tunnel connectivity testing.

Current IPsec Tests

  • ✅ Certificate chain validation
  • ✅ IPsec service running check
  • ✅ Port reachability (UDP 500, 4500)
  • ✅ DNS service responding
  • ❌ Actual IKEv2 tunnel establishment
  • ❌ Traffic through IPsec tunnel

Why This Is Complex

Running StrongSwan's charon daemon in a network namespace requires:

  1. Daemon setup: charon must run inside the namespace with proper plugin paths
  2. VICI socket: swanctl communicates with charon via VICI socket
  3. AppArmor handling: May need to adjust AppArmor profiles for charon in namespace
  4. Plugin loading: Many StrongSwan plugins with library dependencies
  5. Certificate paths: Must be accessible from namespace context

Proposed Implementation

# Start charon in namespace with custom paths (plugin and config paths follow
# the namespace's view of the filesystem)
ip netns exec "${NAMESPACE}" /usr/lib/ipsec/charon \
    --use-syslog --debug-ike 2 &
CHARON_PID=$!
# Stop charon when the test exits, whether it passed or failed
trap 'kill "${CHARON_PID}" 2>/dev/null || true' EXIT

# Wait for the VICI socket: swanctl fails if charon is not yet listening
for _ in $(seq 1 20); do
    ip netns exec "${NAMESPACE}" swanctl --stats >/dev/null 2>&1 && break
    sleep 0.5
done

# Load credentials and connections from the test's swanctl.conf
ip netns exec "${NAMESPACE}" swanctl --load-all --file swanctl.conf

# Initiate connection
ip netns exec "${NAMESPACE}" swanctl --initiate --child algovpn

# Verify ESTABLISHED state
ip netns exec "${NAMESPACE}" swanctl --list-sas | grep -q ESTABLISHED

# Test connectivity through tunnel
ip netns exec "${NAMESPACE}" ping -c 3 "${VPN_SERVER_IP}"

Acceptance Criteria

  • charon daemon starts successfully in namespace
  • IKEv2 handshake completes (ESTABLISHED state)
  • Traffic flows through IPsec tunnel
  • Proper cleanup of charon process on test exit
  • Works in GitHub Actions CI environment

References

Priority

Low - Current certificate and service validation catches most deployment issues. Full tunnel testing is a nice-to-have for comprehensive coverage.
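As an added example (not code from the issue or from the algo project), a shell check that grades `swanctl --list-sas` output against the acceptance criteria: the IKE SA must be ESTABLISHED, the child SA named with `--child` must be INSTALLED, and the ESP counters must show packets in both directions, so a handshake that completes but installs no child SA (which a bare `grep -q ESTABLISHED` would pass) is reported as a failure. The sample listing is constructed in the shape of swanctl's output; the connection name `algovpn` is the one the issue uses.

```shell
#!/usr/bin/env bash
# Reads a `swanctl --list-sas` listing on stdin, prints one of
# ok / ike-sa-not-established / child-sa-not-installed / no-traffic
# and returns 0 only for "ok".
set -eu

check_tunnel() {
    child="$1"
    sas="$(cat)"
    # IKE SA header line: "algovpn: #1, ESTABLISHED, IKEv2, <spi_i> <spi_r>"
    if ! printf '%s\n' "$sas" | grep -Eq '^[^ ]+: #[0-9]+, ESTABLISHED, IKEv2'; then
        echo "ike-sa-not-established"; return 1
    fi
    # Child SA line (indented): "  algovpn: #1, reqid 1, INSTALLED, TUNNEL, ESP:..."
    if ! printf '%s\n' "$sas" | grep -Eq "^ +${child}: #[0-9]+, reqid [0-9]+, INSTALLED, TUNNEL"; then
        echo "child-sa-not-installed"; return 1
    fi
    # Counter lines: "    in  <spi>,    252 bytes,     3 packets,     0s ago"
    in_pkts="$(printf '%s\n' "$sas" | sed -nE 's/^ +in +[0-9a-f]+, +[0-9]+ bytes, +([0-9]+) packets.*/\1/p' | head -n1)"
    out_pkts="$(printf '%s\n' "$sas" | sed -nE 's/^ +out +[0-9a-f]+, +[0-9]+ bytes, +([0-9]+) packets.*/\1/p' | head -n1)"
    if [ "${in_pkts:-0}" -eq 0 ] || [ "${out_pkts:-0}" -eq 0 ]; then
        echo "no-traffic"; return 1
    fi
    echo "ok"
}

# Constructed sample of a fully established tunnel (addresses are documentation ranges).
SAMPLE_UP='algovpn: #1, ESTABLISHED, IKEv2, 0123456789abcdef_i* fedcba9876543210_r
  local  '"'"'client'"'"' @ 10.10.0.2[4500]
  remote '"'"'vpn.example.com'"'"' @ 203.0.113.10[4500]
  AES_GCM_16-256/PRF_HMAC_SHA2_512/ECP_384
  established 2s ago, rekeying in 13650s
  algovpn: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 2s ago, rekeying in 3204s, expires in 3960s
    in  c1a2b3c4,    252 bytes,     3 packets,     0s ago
    out d4e5f6a7,    252 bytes,     3 packets,     0s ago
    local  10.10.0.2/32
    remote 0.0.0.0/0'

# In the E2E test this would be:
#   ip netns exec "${NAMESPACE}" swanctl --list-sas | check_tunnel algovpn
```

Run the check after the ping step so the counters have had traffic to count.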
