Yunlian Jiang [Thu, 18 Apr 2013 22:04:13 +0000 (15:04 -0700)]
vpn-manager: use MOCK_CONST_METHOD for const func
BUG=chromium:233350
TEST=FEATURES="test" CXXFLAGS="-clang" emerge-lumpy vpn-manager
passes.
Change-Id: I29f04071e0c95a3385a9026bd93c4aa37a28557e
Reviewed-on: https://gerrit.chromium.org/gerrit/48566
Reviewed-by: Paul Stewart <pstew@chromium.org>
Commit-Queue: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Paul Stewart [Tue, 2 Apr 2013 03:28:11 +0000 (20:28 -0700)]
vpn-manager: Change root of persistent directory
The symlinks for the ipsec configuration have changed from pointing
to the stateful partition to a link directory to be created in
/var/run. Update service_manager to point to these links, and
have ipsec_manager change permissions on the top level so that
CA certificate links are still world readable.
CQ-DEPEND=CL:47095
BUG=chromium:225565
TEST=Manual: run connect-vpn against an l2tpipsec VPN server; make sure
the /var/run/l2tpipsec_vpn/current directory is world readable:
su nobody -s /bin/bash -c "ls -al /var/run/l2tpipsec_vpn/current"
Change-Id: I9fba0a231d5fbbbc96c801f282d6d7801c4deaf7
Reviewed-on: https://gerrit.chromium.org/gerrit/47096
Reviewed-by: Darin Petkov <petkov@chromium.org>
Commit-Queue: Paul Stewart <pstew@chromium.org>
Tested-by: Paul Stewart <pstew@chromium.org>
Paul Stewart [Thu, 21 Mar 2013 19:09:55 +0000 (12:09 -0700)]
ipsec-manager: Accept "tunnel group" parameter
Specify to "Aggressive Mode" and encode the tunnel group name
when asked to do so via a command-line flag. This allows a
user realm to be specified during the first round of negotiations,
which is interpreted by Cisco VPNs as the Tunnel Group for which
various configuration and policy is layered.
BUG=chromium:199004
TEST=Use in tandem with https://gerrit.chromium.org/gerrit/46154
and the new "--tunnel-group" parameter to the "connect-vpn" test
script and a Cisco ASA 5505 VPN configured with an alternate tunnel
group. Unfortunately due to configuration issues on the VPN, the
IPSec connection was observed to be established, and the correct
tunnel group was indicated in the logs, but the PPP link did not
come up due to an AAA internal issue to the VPN. Verify that
connections to the default tunnel group continue to work correctly
without the "--tunnel-group" flag.
Change-Id: Ie53bbe8dd1c16a72ae2265d4879e5435fb23d73e
Reviewed-on: https://gerrit.chromium.org/gerrit/46153
Commit-Queue: Paul Stewart <pstew@chromium.org>
Reviewed-by: Paul Stewart <pstew@chromium.org>
Tested-by: Paul Stewart <pstew@chromium.org>
Paul Stewart [Thu, 14 Mar 2013 15:49:35 +0000 (08:49 -0700)]
ipsec-manager: Unify configuration file writing
Unify the process of writing out configuration files, and
switch to a new output directory in /var/run instead of
using the chronos home directory.
BUG=chromium-os:36959,chromium-os:39676
TEST=Connected to StrongSwan 4.x using both PSK and certificate
authentication.
Change-Id: I9a6ff0d7b61ec7fefe829983946bd35b3af25369
Reviewed-on: https://gerrit.chromium.org/gerrit/45741
Commit-Queue: Paul Stewart <pstew@chromium.org>
Reviewed-by: Paul Stewart <pstew@chromium.org>
Tested-by: Paul Stewart <pstew@chromium.org>
Paul Stewart [Wed, 13 Mar 2013 19:31:25 +0000 (12:31 -0700)]
ipsec_manager: Be more careful when shutting down
The ipsec manager was sloppy about killing the child starter and
charon processes, in the sense that killing one may perturb the
state (notably the pid file) of the other in ways which make it
difficult to find and kill both processes. To fix this, create
a "Daemon" object which can hold the pid-file and process state
simultaneously so we can garner state about the running processes
in one pass, and kill them in a separate pass. This also cleans
up some questionable code, like re-using the starter Process
instance for killing both starter and charon processes during
startup. It also fixes references to base::FilePath in the
various files in this project where it is used, and uses a
ScopedTempDir for temporary files used in unit tests.
BUG=chromium-os:36959
TEST=Unit tests, manual: start and stop an l2tpipsec connection
repeatedly using connect-vpn / disconnect-service, and ensure that
no PID files or processes are left over for charon or starter.
Change-Id: I59c2cdabb9b99fc9fc54cb25bab029f8573b8c26
Reviewed-on: https://gerrit.chromium.org/gerrit/45334
Commit-Queue: Paul Stewart <pstew@chromium.org>
Reviewed-by: Paul Stewart <pstew@chromium.org>
Tested-by: Paul Stewart <pstew@chromium.org>
Paul Stewart [Wed, 20 Feb 2013 16:35:32 +0000 (08:35 -0800)]
vpn-manager: Support strongSwan 5.0.2
Update vpn-manager for writing out config files for StrongSwan 5.0.2.
This new StrongSwan now provides both IKEv1 and IKEv2 support through
the "charon" daemon. Small changes to the configuration file format
needed to be made. While here fix some questionable reuse of the
|starter_| Process instance in IpsecManager::KillRunningDaemon. This
appears to make the shutdown of the starter and charon processes much
more reliable.
CQ-DEPEND=CL:44988
BUG=chromium-os:36959
TEST=Connected to StrongSwan 4.x using both PSK and certificate
authentication. Connected to Cisco 5505 using PSK authentication.
Connected to Windows RRAS using PSK authentication.
Change-Id: I8620bb591622b2e87e2ce5265a76f879cb7322e0
Reviewed-on: https://gerrit.chromium.org/gerrit/44987
Reviewed-by: Ben Chan <benchan@chromium.org>
Commit-Queue: Paul Stewart <pstew@chromium.org>
Tested-by: Paul Stewart <pstew@chromium.org>
Gaurav Shah [Sun, 24 Mar 2013 22:54:53 +0000 (15:54 -0700)]
vpn_manager: Calculate gmock/gtest library dependencies programmatically
(gmock/gtest doesn't generate pkg-config metadata, calculating lib
dependencies this way makes it easier to upgrade gmock/gtest packages.)
BUG=chromium:211445
TEST=build tests for package using gtest 1.6
Change-Id: I1f8cd7a5b9a6f5bcc462ad745667c886fcd6be4c
Reviewed-on: https://gerrit.chromium.org/gerrit/46422
Reviewed-by: Darin Petkov <petkov@chromium.org>
Commit-Queue: Gaurav Shah <gauravsh@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
Darin Petkov [Wed, 13 Mar 2013 13:42:14 +0000 (14:42 +0100)]
vpn-manager: Wrap the code in a vpn_manager namespace.
This is done so that service_error.h can be included cleanly by shill
to translate vpn-manager exit codes to UI failure reasons. Also, it
follows code style now.
BUG=chromium-os:32877
TEST=build and ran vpn-manager unit tests
Change-Id: I4a123326487f9fe8e194c360f91589a755ca3a70
Reviewed-on: https://gerrit.chromium.org/gerrit/45311
Tested-by: Darin Petkov <petkov@chromium.org>
Reviewed-by: Paul Stewart <pstew@chromium.org>
Commit-Queue: Darin Petkov <petkov@chromium.org>
Chris Masone [Thu, 14 Feb 2013 22:08:57 +0000 (14:08 -0800)]
vpn-manager: Update to build against libchrome-180609
Updated to cope with moved scoped_temp_dir.h and eintr_wrapper.h,
and also the moving of ScopedTempDir into the base namespace.
CQ-DEPEND=Ib7a2e85819b2bf48ff82b1536dbaf78e6bc95a45
BUG=chromium-os:38951
TEST=FEATURES=test emerge-amd64-generic vpn-manager
STATUS=Fixed
Change-Id: Icab308db90fc2438c55428a536ab0ffd3ed5d4bf
Reviewed-on: https://gerrit.chromium.org/gerrit/43316
Reviewed-by: Chris Masone <cmasone@chromium.org>
Tested-by: Chris Masone <cmasone@chromium.org>
Commit-Queue: Chris Masone <cmasone@chromium.org>
Ryan Harrison [Wed, 6 Feb 2013 21:38:58 +0000 (16:38 -0500)]
vpn-manager: Updating common.mk to ToT to enable profiling
This update replaces the current common.mk used in this project with the newest
version. This will allow all of the common.mk based projects to be on the same
version for debugging and enables profiling support.
BUG=chromium-os:37854
TEST=Executed the following commands to confirm the build works:
MODE=profiling cros_workon_make --board=link
MODE=profiling cros_workon_make --board=link --test
cros_workon_make --board=link
cros_workon_make --board=link --test
Repeated these with emerge-link, USE=profiling, and
FEATURES=test as needed.
For the emerge command with profiling and testing enabled, confirmed the
appropriate coverage files were created in /usr/share/profiling/...
Change-Id: Iadfd956d42600209a4bc651cdda2409cd66c4264
Reviewed-on: https://gerrit.chromium.org/gerrit/42783
Tested-by: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Ben Chan [Tue, 11 Sep 2012 06:59:42 +0000 (23:59 -0700)]
vpn-manager: Use a different temporary directory for each unit test.
The CL modifies each unit test to use a different temporary directory to
prevent race conditions when unit tests run concurrently.
BUG=chromium-os:33867
TEST=cros_run_unit_tests -p vpn-manager
Change-Id: I5b0b66b4795d14422ea4861411cd8f220103614e
Reviewed-on: https://gerrit.chromium.org/gerrit/32904
Commit-Ready: Ben Chan <benchan@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
Reviewed-by: Darin Petkov <petkov@chromium.org>
Mike Frysinger [Tue, 14 Aug 2012 18:54:31 +0000 (14:54 -0400)]
convert to common.mk
Use the common.mk build system so that we get things like out-of-tree
and incremental building.
BUG=chromium-os:33327
TEST=`cros_run_unit_tests --board x86-alex -p vpn-manager` worked
Change-Id: Ia32b622c675c4a52e4905e1403400b0488e84e19
Reviewed-on: https://gerrit.chromium.org/gerrit/30269
Reviewed-by: Ben Chan <benchan@chromium.org>
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Mike Frysinger [Tue, 14 Aug 2012 19:07:40 +0000 (15:07 -0400)]
fix out-of-tree tests
The current tests assume they are run in the source tree, but when we
try to build out-of-tree, they all fail. Look up the source tree via
the $SRC env var which common.mk exports for us.
BUG=chromium-os:33327
TEST=`cros_run_unit_tests --board x86-alex -p vpn-manager` passes
Change-Id: I1d9c3b2db5949cecde72668bd9add6c29ab071b8
Reviewed-on: https://gerrit.chromium.org/gerrit/30270
Reviewed-by: Ben Chan <benchan@chromium.org>
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Ben Chan [Sat, 14 Apr 2012 00:48:57 +0000 (17:48 -0700)]
vpn-manager: Create /mnt/stateful_partition/etc if it does not exist.
IpsecManager originally assumed that /mnt/stateful_partition/etc already
exists when it tries to create files such as ipsec.conf in that
directory. That is no longer true. To avoid making such an assumption,
this CL changes IpsecManager to create /mnt/stateful_partition/etc if it
does not exist.
BUG=chromium-os:29485
TEST=Tested the following:
1. Build vpn-manager for {x86,amd64,arm}-generic.
2. Run vpn-manager unit tests.
3. Manually remove /mnt/stateful_partition/etc on a Cr48 and verify that
l2tpipsec_vpn creates that directory when starting a VPN connection.
Change-Id: Ie01ba321f0dee97e0aac102aa7546227213bf292
Reviewed-on: https://gerrit.chromium.org/gerrit/20292
Reviewed-by: Paul Stewart <pstew@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
Commit-Ready: Ben Chan <benchan@chromium.org>
Mike Frysinger [Wed, 11 Apr 2012 15:51:13 +0000 (11:51 -0400)]
add an OWNERS file
BUG=None
TEST=`cat OWNERS` looks legit
Change-Id: I9e6cc5a4b62c40b139bae9ddca82b4c74ed7bd48
Reviewed-on: https://gerrit.chromium.org/gerrit/19987
Reviewed-by: Ben Chan <benchan@chromium.org>
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Mike Frysinger [Wed, 11 Apr 2012 15:49:43 +0000 (11:49 -0400)]
update to newer libbase
BUG=chromium-os:25872
TEST=`emerge-x86-alex vpn-manager` works
TEST=`cros_run_unit_tests --board=x86-alex -p vpn-manager` passed
Change-Id: I57cdb99c3b7541d3acc1b2ae66c8e72320914057
Reviewed-on: https://gerrit.chromium.org/gerrit/19988
Reviewed-by: Ben Chan <benchan@chromium.org>
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Ben Chan [Wed, 14 Mar 2012 00:54:59 +0000 (17:54 -0700)]
Use LIBDIR to determine the PKCS11 module path in Makefile.
This CL changes the Makefile to use LIBDIR to determine where the PKCS11
module is installed (/usr/lib or /usr/lib64) such that ipsec can locate
libchaps.so.
BUG=chromium-os:27750
TEST=Tested the following:
1. emerge-{x86,amd64}-generic -v vpn-manager
2. FEATURES="test" emerge-{x86,amd64}-generic -v vpn-manager
3. Manually test L2TP/IPsec VPN connections.
Change-Id: Iae911e5cae8ae169f87ededa3b7d8fc7b1d6c901
Reviewed-on: https://gerrit.chromium.org/gerrit/18070
Tested-by: Ben Chan <benchan@chromium.org>
Commit-Ready: Ben Chan <benchan@chromium.org>
Reviewed-by: Paul Stewart <pstew@chromium.org>
Mike Frysinger [Fri, 9 Mar 2012 16:08:45 +0000 (11:08 -0500)]
convert to SLOT-ed libbase
BUG=chromium-os:16623
TEST=`emerge-x86-alex vpn-manager` still works
TEST=`cros_run_unit_tests --board x86-alex -p vpn-manager` passed
Change-Id: I0cf8b78008defff45d95ec6db786ea98625685da
Reviewed-on: https://gerrit.chromium.org/gerrit/17968
Reviewed-by: Ben Chan <benchan@chromium.org>
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Mike Frysinger [Thu, 16 Feb 2012 17:18:29 +0000 (12:18 -0500)]
vpn-manager: fix up pkg-config handling
Since libchrome provides a .pc file now, use that rather than hardcoding
the -lbase. This lets us drop all the other hardcoded libs too that we
were adding for libbase.
Further, run pkg-config just once per cflags/libs rather than on every
compile line.
BUG=chromium-os:16623
TEST=`emerge-x86-alex vpn-manager` still works
Change-Id: Icba157fba53866a969811f5d3e5f792b2f6f6bf3
Reviewed-on: https://gerrit.chromium.org/gerrit/16036
Reviewed-by: Ben Chan <benchan@chromium.org>
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Ben Chan [Thu, 26 Jan 2012 06:31:43 +0000 (22:31 -0800)]
vpn-manager: Switch to use the 'ignorepeeridcheck' option.
The Chromium OS version of strongswan is patched to allow pluto to
ignore any peer ID mismatch by specifying 'ignorepeeridcheck=yes' in
the 'config setup' section of ipsec.conf, such that the server may use an
IP address or fully qualified domain name as its ID.
This CL changes IpsecManager to use the 'ignorepeeridcheck' option when
no server ID is specified instead of the special value '%usepeercert'.
BUG=chromium-os:24476
TEST=Tested the following:
1. Build vpn-manager and run unit tests.
2. Test connecting to a L2TP/IPsec VPN server using a pre-shared key or
user certificate.
3. Run network_VPN autotest tests.
Change-Id: I54666a62197f4ca6b9bdfa84e95aad00ea51b68b
Reviewed-on: https://gerrit.chromium.org/gerrit/15009
Reviewed-by: Sam Leffler <sleffler@chromium.org>
Reviewed-by: Ken Mixter <kmixter@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
Commit-Ready: Ben Chan <benchan@chromium.org>
Elly Jones [Wed, 11 Jan 2012 22:52:27 +0000 (17:52 -0500)]
[vpn-manager] use libchromeos.pc
BUG=chromium-os:24959
TEST=build
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/14022
Reviewed-by: Mike Frysinger <vapier@chromium.org>
(cherry picked from commit 8658b6b585edc6596c872ce4f6c812ce09dcd61a)
Change-Id: Id5fba40180d2ab35aa34e06ebda4a6ff8659026f
Reviewed-on: https://gerrit.chromium.org/gerrit/14519
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Elly Jones <ellyjones@chromium.org>
Tested-by: Elly Jones <ellyjones@chromium.org>
Ben Chan [Fri, 13 Jan 2012 21:01:57 +0000 (13:01 -0800)]
vpn-manager: Make rekey default to yes in ipsec.conf
This CL changes the rekey option in IpsecManager default to true such
that the pluto daemon on the client side (Chromium OS) can request a
renegotiation of the connection when it is about to expire. According to
the ipsec.conf man page, setting rekey=no is largely ineffective unless
both ends of the connection agree on it.
BUG=chromium-os:25070
TEST=Verified the following:
1. Connect successfully to Windows 2008 RRAS server, Cisco ASA 5505
and StrongSWAN VPN server with a L2TP/IPsec pre-shared key or user
certificate.
2. Check that pluto requests a renegotiation of the connection when the
connection is about to expire, and the connection remains established
after that.
3. Run network_VPN autotest test suite.
Change-Id: Ic9c25df0ff3fd3329e0ec3bccea4eade51a1aa54
Reviewed-on: https://gerrit.chromium.org/gerrit/14197
Reviewed-by: Sam Leffler <sleffler@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
Commit-Ready: Ben Chan <benchan@chromium.org>
Scott James Remnant [Fri, 13 Jan 2012 01:58:48 +0000 (17:58 -0800)]
Revert "[vpn-manager] use libchromeos.pc"
This reverts commit 8b4bfc7760c7b2b6aa3bf9db68e51f9d81ddbea6
Change-Id: I7cf6b1d4f349b598951083fbbb05f146aa2cf14f
Reviewed-on: https://gerrit.chromium.org/gerrit/14116
Reviewed-by: Scott James Remnant <keybuk@chromium.org>
Tested-by: Scott James Remnant <keybuk@chromium.org>
Elly Jones [Wed, 11 Jan 2012 22:52:27 +0000 (17:52 -0500)]
[vpn-manager] use libchromeos.pc
BUG=chromium-os:24959
TEST=build
Change-Id: I48411e75322cf28f7b7211ed561118eeb1bc75c2
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/14022
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Darren Krahn [Tue, 8 Nov 2011 18:19:53 +0000 (10:19 -0800)]
Changed PKCS #11 module from libopencryptoki.so to libchaps.so.
BUG=chromium-os:21005
TEST=Manual test: l2tpipsec vpn with certs.
Change-Id: Ieebd197aebc422dba45500974d1ee63fc471578d
Reviewed-on: https://gerrit.chromium.org/gerrit/11432
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
Reviewed-by: Ken Mixter <kmixter@chromium.org>
Commit-Ready: Darren Krahn <dkrahn@chromium.org>
Tested-by: Darren Krahn <dkrahn@chromium.org>
Ben Chan [Tue, 1 Nov 2011 23:33:12 +0000 (16:33 -0700)]
vpn-manager: Not to refuse PAP authentication by default.
This CL changes the default value of the refuse_pap flag from true to
false in L2tpManager, which makes xl2tpd not to refuse PAP
authentication by default.
BUG=chromium-os:22386
TEST=Verified the following:
1. Connected successfully to Check Point VPN server (with a patched
version of xl2tpd to remove some AVPs in L2TP control packets).
2. Connected successfully to Windows 2008 RRAS server, Cisco ASA 5505
and StrongSWAN VPN server with L2TP/IPsec pre-shared key to make sure
the existing VPN support still works fine.
3. Ran network_VPN autotest test suite.
Change-Id: I8626fa376977804339d44bf398a321b25b81836e
Reviewed-on: https://gerrit.chromium.org/gerrit/11018
Reviewed-by: Ken Mixter <kmixter@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
Ben Chan [Sat, 1 Oct 2011 00:58:32 +0000 (17:58 -0700)]
Change log pattern for detecting IPsec authentication failures.
The previously used log pattern for detecting IPsec authentication
failures did not work when connecting to a Windows 2008 RRAS server or
Cisco ASA 5505. This CL changes the log pattern to better handle these
cases.
BUG=chromium-os:18573
TEST=Tested connecting to Windows 2008 RRAS server, Cisco ASA 5505 and
StrongSWAN VPN server with invalid pre-shared key and certificate, and
verified that the UI shows the expected error messages.
Change-Id: I20fbaeecaea59f556321d2e799e1de213a8eb947
Reviewed-on: http://gerrit.chromium.org/gerrit/8609
Reviewed-by: Ken Mixter <kmixter@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
Ben Chan [Fri, 16 Sep 2011 18:26:45 +0000 (11:26 -0700)]
Improve L2TP/IPsec VPN error reporting.
This CL modifies l2tpipsec_vpn to extract error information from
low-level daemons (ipsec, xl2tpd, pppd) and return different exit codes
based on the type of error.
BUG=chromium-os:18573
TEST=Examined the exit code of l2tpipsec_vpn for different types of error.
Change-Id: I5c58fb0b003fa52e934f2a33ab5cd2126f41b2be
Reviewed-on: http://gerrit.chromium.org/gerrit/7897
Reviewed-by: Ken Mixter <kmixter@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
Ken Mixter [Tue, 13 Sep 2011 00:02:26 +0000 (17:02 -0700)]
vpn-manager: add option to disable pppd system configuration
BUG=chromium-os:17185
TEST=automated tests
Change-Id: I54139efead439ed09ce3675f31f94f62bdea3146
Reviewed-on: http://gerrit.chromium.org/gerrit/7752
Reviewed-by: Ben Chan <benchan@chromium.org>
Tested-by: Ken Mixter <kmixter@chromium.org>
Ken Mixter [Fri, 26 Aug 2011 20:54:57 +0000 (13:54 -0700)]
vpn-manager: also enable l2tp layer debugging with --debug
BUG=none
TEST=manual
Change-Id: I07fe247f991ca3520770017854bf39b197ef9241
Reviewed-on: http://gerrit.chromium.org/gerrit/6782
Tested-by: Ken Mixter <kmixter@chromium.org>
Reviewed-by: Ben Chan <benchan@chromium.org>
Ken Mixter [Thu, 8 Sep 2011 01:16:20 +0000 (18:16 -0700)]
vpn-manager: Kill pluto daemon if running when bringing up ipsec
I have encountered during testing that ipsec does not come up because
pluto is running from an earlier instance but starter is not.
Change-Id: I95cc2eb4605336e4d0bf92f8dea7cdf8c77870ad
BUG=none
TEST=Run with pluto
Change-Id: Ic779bdd5b05b4b129e5890b05d4d13a7e94a2aeb
Reviewed-on: http://gerrit.chromium.org/gerrit/7387
Tested-by: Ken Mixter <kmixter@chromium.org>
Reviewed-by: James Simonsen <simonjam@chromium.org>
Reviewed-by: Ben Chan <benchan@chromium.org>
Ken Mixter [Thu, 11 Aug 2011 21:29:38 +0000 (14:29 -0700)]
vpn-manager: Add more inner SA authentication proposals (md5)
BUG=chromium-os:17185
TEST=Test connectivity to concentrator
Without this, we require SHA which is different from the defaults
for some VPN concentrators.
Change-Id: Idc18c108e539b5562860a460edd396a7585bf5c9
Reviewed-on: http://gerrit.chromium.org/gerrit/6612
Tested-by: Ken Mixter <kmixter@chromium.org>
Reviewed-by: Sam Leffler <sleffler@chromium.org>
Ken Mixter [Sat, 30 Jul 2011 00:31:02 +0000 (17:31 -0700)]
vpn-manager: fix unit test for when certs and psk are both given
BUG=chromium-os:18420
TEST=run unit tests
Change-Id: Ib4de399322e99449faf7f714509c16a5c080f4c5
Reviewed-on: http://gerrit.chromium.org/gerrit/5040
Tested-by: Ken Mixter <kmixter@chromium.org>
Reviewed-by: Ken Mixter <kmixter@chromium.org>
Ken Mixter [Fri, 29 Jul 2011 17:33:51 +0000 (10:33 -0700)]
vpn-manager: Chrome started passing the pin in PSK mode. Ignore it.
BUG=chromium-os:18420
TEST=connect with psk to RRAS server and local server.
Note no warnings about configuration.
Change-Id: I37a255c719a7aecbfc208223aceab561d056007c
Reviewed-on: http://gerrit.chromium.org/gerrit/5007
Reviewed-by: Ken Mixter <kmixter@chromium.org>
Tested-by: Ken Mixter <kmixter@chromium.org>
Ken Mixter [Sun, 24 Jul 2011 14:27:54 +0000 (07:27 -0700)]
vpn-manager: Take --debug to emit IKE debug output
Change-Id: I8c100cbab9cd550225d3c37caff6610222a413f2
Reviewed-on: http://gerrit.chromium.org/gerrit/4639
Reviewed-by: James Simonsen <simonjam@chromium.org>
Tested-by: Ken Mixter <kmixter@chromium.org>
Ken Mixter [Tue, 19 Jul 2011 22:25:09 +0000 (15:25 -0700)]
vpn-manager: Default to slot 0 if none is given
BUG=chromium-os:17619
TEST=unit test, hand test with certificate VPN from UI (after working around missing PIN)
Change-Id: I1ec4957344a8b691b6fc7a73155bc2a5fbbf45b4
Reviewed-on: http://gerrit.chromium.org/gerrit/4336
Tested-by: Ken Mixter <kmixter@chromium.org>
Reviewed-by: James Simonsen <simonjam@chromium.org>
Ken Mixter [Wed, 8 Jun 2011 17:22:09 +0000 (10:22 -0700)]
vpn-manager: remove "tpm" from names, use "%usepeercert" to allow any server id
Since the slots and ids are pkcs#11 slots and IDs (that happen to use the PKCS#11 TPM token)
change the names to remove "tpm" from them. Now that we've added the ability to connect
to any server with a proper CA signature in strongswan, pass %usepeercerts as rightid
whenever --server_id is not specified.
BUG=chromium-os:16279 chromium-os:16280
TEST=connect with certs from command line
connect with psk from command line
Change-Id: If03c69de8abb21c936ce55392d945530b728d8cd
Reviewed-on: http://gerrit.chromium.org/gerrit/2295
Tested-by: Ken Mixter <kmixter@chromium.org>
Reviewed-by: James Simonsen <simonjam@chromium.org>
Ken Mixter [Mon, 23 May 2011 22:59:51 +0000 (15:59 -0700)]
vpn-manager: Resolve remote server address and pass it down to ppp plugin
Instead of passing around hostnames all over the place when starting all
the services, resolve the hostname early and use the IP address. Also
send the IP address down through the PPP plugin so that flimflam can
use it to set up a specific vpn host route.
BUG=chromium-os:15369
TEST=VPN wifilab test & manual tests
Change-Id: If345c7ef30c17569a515a4605dc7749d3e6a101e
Reviewed-on: http://gerrit.chromium.org/gerrit/1410
Tested-by: Ken Mixter <kmixter@chromium.org>
Reviewed-by: Darin Petkov <petkov@chromium.org>
Chris Masone [Thu, 12 May 2011 21:43:41 +0000 (14:43 -0700)]
[vpn-manager] Roll forward to new libchrome
BUG=chromium-os:14304
TEST=build, unit tests
Change-Id: Ib9ee646be51b60410f03aca557f6b1a45edcbc14
Reviewed-on: http://gerrit.chromium.org/gerrit/824
Reviewed-by: Chris Masone <cmasone@chromium.org>
Tested-by: Chris Masone <cmasone@chromium.org>
Ken Mixter [Sat, 7 May 2011 01:02:14 +0000 (18:02 -0700)]
vpn-manager: Change names of parameters to be more exact (PKCS#11 vs TPM)
BUG=chromium-os:12695
TEST=connect-vpn
Change-Id: I181762267cf89863d2095e9c794a958862180c86
Reviewed-on: http://gerrit.chromium.org/gerrit/485
Tested-by: Ken Mixter <kmixter@chromium.org>
Reviewed-by: Darin Petkov <petkov@chromium.org>
James Simonsen [Wed, 4 May 2011 18:39:44 +0000 (11:39 -0700)]
Support IPsec with certificates.
BUG=12695
TEST=ipsec_manager_test and invoking l2tpipsec_vpn on system with custom
permissions.
Create a request:
pkcs11-tool --module=/usr/lib/opencryptoki/libopencryptoki.so.0 -l -k -d 07 -a vpn --key-type rsa:2048
Copy /etc/entd/openssl.conf and update it with the user PIN.
openssl req -config openssl.conf -engine pkcs11 -new -keyform engine -out ~/req.pem -subj "/CN=localhost" -key slot_0-id_07
(Sign the request on the VPN server.)
Install the new certificate:
openssl x509 -in tpm.pem -out tpm.der -outform DER
pkcs11-tool --module=/usr/lib/opencryptoki/libopencryptoki.so.0 -l -d 07 -a vpn -w ~/tpm.der -y cert
Set the permissions:
add pkcs11 to ipsec in /etc/group
chgrp pkcs11 /home/chronos/user
chmod 750 /home/chronos/user
chmod 750 /home/chronos/user/.tpm
cd /home/chronos/user/.tpm
chmod 640 NVTOK.DAT P*
cd TOK_OBJ
chmod 640 *
chgrp pkcs11 *
cd /var/lib/opencryptoki/tpm
ln -s /home/chronos/user/.tpm ipsec
chgrp pkcs11 ipsec
Change-Id: Idab3e80824562a97c16adc514211e267354b6f96
Ken Mixter [Thu, 24 Mar 2011 22:48:42 +0000 (15:48 -0700)]
vpn-manager: accept a hostname for remote host
Change-Id: Iefe53207cf8df8bfbe32c3b69409348e23ac1bb2
BUG=chromium-os:13472
TEST=connect-vpn with remote host name instead of ip address
Review URL: http://codereview.chromium.org/6731015
Ken Mixter [Wed, 23 Mar 2011 00:49:48 +0000 (17:49 -0700)]
vpn-manager: Fix l2tp/ipsec connections to Windows RRAS server
Change-Id: I6322c0d4d8e7f21ed1abf24c645eb7e7cd41cc3f
BUG=none
TEST=Connect to windows vpn
Review URL: http://codereview.chromium.org/6713058
Ken Mixter [Mon, 21 Mar 2011 19:52:19 +0000 (12:52 -0700)]
vpn-manager: set up l2tp/ipsec gateway by default
Change-Id: I7786ab0d1bdcfc4bf23f7257db216cd8e33d947f
R=petkov@chromium.org,simonjam@chromium.org
BUG=none
TEST=connect-vpn l2tpisec
Review URL: http://codereview.chromium.org/6712013
Ken Mixter [Fri, 11 Mar 2011 20:56:50 +0000 (12:56 -0800)]
vpn-manager: Add l2tp/ipsec vpn manager
Change-Id: I3d0e36bc8595b9038782364368ff2e7d77b39472
Related to flimflam review:
http://codereview.chromium.org/6513009/
BUG=chromium-os:11814
TEST=unit tests / run connect-vpn script with l2tpipsec type
Review URL: http://codereview.chromium.org/6508016
Nelson Araujo [Thu, 6 Jan 2011 22:21:57 +0000 (14:21 -0800)]
Repo init.