Add automated StrongSwan test

server/site_tests/network_VPN/050StrongSwanGenesis

Index: server/site_tests/network_VPN/050StrongSwanGenesis
diff --git a/server/site_tests/network_VPN/050StrongSwanGenesis b/server/site_tests/network_VPN/050StrongSwanGenesis
new file mode 100644
index 0000000000000000000000000000000000000000..3923d398ca094306c4bbadabef86bde19076994f
--- /dev/null
+++ b/server/site_tests/network_VPN/050StrongSwanGenesis
@@ -0,0 +1,110 @@
+# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+#
+# An example of how to set up a VPN from the Client (DUT), through the
+# Router to to the Server.

[Sam Leffler, 2011/03/31 17:11:27]

mention StrongSwan somewhere in here?

+#
+
+{ "name" : "VPNStrongSwanGenesis",
+  "steps":[
+    ###  Create WiFi connection from Client to Router.

[Sam Leffler, 2011/03/31 17:11:27]

don't think any of the other tests use '###'; not a big deal but prefer
consistency

+    [ "create",         { "type" : "hostap" } ],
+    [ "config",         { "channel" : "2412", "mode" : "11b" } ],
+    [ "connect",        { "security" : "none" } ],
+
+    ### Declare the templates for the configuration files which are
+    ### going to be used.  Text of the form '@fnord@' can be replaced
+    ### at write-out time by putting it into the 'replacements'
+    ### parameter of the 'vpn_server_config' step.
+    ###
+    ### The text '@ipsecrets-ip@' is automtically replaced with the
+    ### correct server IP for the current test configuration, and
+    ### should not be replaced through this list of steps.
+    [ "vpn_strongswan_config_templates", {

[Sam Leffler, 2011/03/31 17:11:27]

style nit; not sure you're using 4-space indent here like everywhere else?

[thutt, 2011/04/05 21:38:21]

I've removed this step altogether (unrelated to the indentation).  Any other
locations not up-to-snuff?

+                "/etc/ipsec.conf" :
+                    "config setup\n"
+                    "  charonstart=no\n"
+                    "  plutostart=yes\n"
+                    "  plutodebug=@plutodebug@\n"
+                    "conn L2TP\n"
+                    "  keyexchange=ikev1\n"
+                    "  authby=psk\n"
+                    "  pfs=no\n"
+                    "  rekey=no\n"
+                    "  left=%defaultroute\n"
+                    "  leftprotoport=17/1701\n"
+                    "  right=%any\n"
+                    "  rightprotoport=17/%any\n"
+                    "  auto=add\n",
+
+                "/etc/ipsec.secrets" :
+                    "@ipsecrets-ip@ %any : PSK \"password\"",
+
+                "/etc/xl2tpd/xl2tpd.conf" :
+                    "[global]\n"
+                    "\n"
+                    "[lns default]\n"
+                    "  ip range = 192.168.1.128-192.168.1.254\n"

[Sam Leffler, 2011/03/31 17:11:27]

can this be automatically filled in?

[thutt, 2011/04/05 21:38:21]

Yes, it can.  I don't have it set up for being filled in because I was just
handed a set of 6 config files, and I don't know which knobs are likely to be
tuned.  It's a simple matter of textual replacement with the new implementation.

+                    "  local ip = 192.168.1.99\n"
+                    "  require chap = yes\n"
+                    "  refuse pap = yes\n"
+                    "  require authentication = yes\n"
+                    "  name = LinuxVPNserver\n"
+                    "  ppp debug = yes\n"
+                    "  pppoptfile = /etc/ppp/options.xl2tpd\n"
+                    "  length bit = yes\n",
+
+                "/etc/xl2tpd/xl2tp-secrets" :
+                    "*      them    l2tp-secret",
+
+                "/etc/xl2tpd/l2tp-secrets" :
+                    "*      them    l2tp-secret",
+
+                "/etc/ppp/chap-secrets" :
+                    "chapuser        *       chapsecret      *",
+
+                "/etc/ppp/options.xl2tpd" :
+                    "ipcp-accept-local\n"
+                    "ipcp-accept-remote\n"
+                    "ms-dns  192.168.1.1\n"
+                    "ms-dns  192.168.1.3\n"
+                    "ms-wins 192.168.1.2\n"
+                    "ms-wins 192.168.1.4\n"
+                    "noccp\n"
+                    "auth\n"
+                    "crtscts\n"
+                    "idle 1800\n"
+                    "mtu 1410\n"
+                    "mru 1410\n"
+                    "nodefaultroute\n"
+                    "debug\n"
+                    "lock\n"
+                    "proxyarp\n"
+                    "connect-delay 5000\n"

[Sam Leffler, 2011/03/31 17:11:27]

much of the above is magic to me; please add comments

[thutt, 2011/04/05 21:38:21]

I agree, it's entirely magic.  I'd like to defer to Ken to provide comments on
what this all means.  I can provide a link to the StrongSwan documentation, but
it's incomplete, so it won't really be much help.

+                }],
+
+    ### Configure and launch the VPN server.
+    ### Automatically kills any previously running server.
+    ###
+    [ "vpn_server_config", {
+                "kind" : "l2tpipsec",

[Sam Leffler, 2011/03/31 17:11:27]

indent

[thutt, 2011/04/05 21:38:21]

Addressed.

+                "replacements" : {
+                    # @ipsecrets-ip@ should not be replaced here.

[Sam Leffler, 2011/03/31 17:11:27]

don't understand this; did you mean "should not be used here"?

[thutt, 2011/04/05 21:38:21]

Yes; the @ipsecrets-ip@ is replaced with a runtime IP.  So, you shouldn't
provide an IP in the control file.

+                    # Instead, it is automatically replaced in
+                    # 'site_linux_server.py' with the appropriate
+                    # server IP address.
+                    "@plutodebug@" : "all"
+                    }}],

[Sam Leffler, 2011/03/31 17:11:27]

add \n? also is vpn_server_config synchronous? are there startup races?

[thutt, 2011/04/05 21:38:21]

I did nothing to make it synchronous or asynchronous.  I'm assuming that it is
synchronous.

I don't understand the '\n' comment.

+    ###  Launch the VPN Client.
+    [ "vpn_client_config", { "kind" : "l2tpipsec-psk" }],
+
+    ### Verify the client is connected to the server
+    [ "client_ping",       { "ping_ip" : "192.168.1.99", # In xl2tpd.conf.

[Sam Leffler, 2011/03/31 17:11:27]

seems like you can factor out this fixed ip as we do for client/server ping's
etc

[thutt, 2011/04/05 21:38:21]

How?  How will the code be able to differentiate between the default ping
(without the IP provided) and a ping of a StrongSwan IP (192.168.1.99) and a
ping of an OpenVPN IP (10.8.0.1)?  I suppose it might be able to use the
'vpn_kind' field, but perhaps you had something else in mind?

+                             "count" : "10" } ],
+
+    [ "vpn_server_kill" ],       # Shut down the VPN Server.
+    [ "vpn_client_kill" ],       # Shut down the VPN Client.
+    [ "disconnect" ],            # Disconnect WiFi setup
+    ],
+}