network_VPNConnect: Add test case for PPP remote IP == public gateway IP
Normally the PPP remote IP should be an "internal" VPN IP, but some
providers use the gateway's public IP instead. This test makes sure that
Chrome OS doesn't try to route traffic to the gateway's public IP through
the tunnel, as this would cause a routing loop.
BUG=chromium:813199
TEST=test_that and then manually check pppd IPs in /var/log/net.log
TEST=verify that 10411.0.0 (not containing CL:924471) fails ping test
TEST=verify that 10413.0.0 (containing CL:924471) passes
Change-Id: I56a69becbeaff0d46a09f271702af1957e620415
Reviewed-on: https://chromium-review.googlesource.com/924764
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Harpreet Grewal <harpreet@chromium.org>
(cherry picked from commit f5ac82aad1ed3b166e93abd7d2e1c57716683303)
Reviewed-on: https://chromium-review.googlesource.com/959183
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>
Commit-Queue: Kevin Cernekee <cernekee@chromium.org>
diff --git a/client/cros/vpn_server.py b/client/cros/vpn_server.py
index da3231f..88a0398 100644
--- a/client/cros/vpn_server.py
+++ b/client/cros/vpn_server.py
@@ -152,12 +152,19 @@
"""Implementation of an L2TP/IPSec server instance."""
def __init__(self, auth_type, interface_name, address, network_prefix,
- perform_xauth_authentication=False):
+ perform_xauth_authentication=False,
+ local_ip_is_public_ip=False):
self._auth_type = auth_type
self._chroot = network_chroot.NetworkChroot(interface_name,
address, network_prefix)
self._perform_xauth_authentication = perform_xauth_authentication
+ if local_ip_is_public_ip:
+ self.IPSEC_COMMON_CONFIGS[self.XL2TPD_CONFIG_FILE] = \
+ self.IPSEC_COMMON_CONFIGS[self.XL2TPD_CONFIG_FILE].replace(
+ self.SERVER_IP_ADDRESS, address)
+ self.SERVER_IP_ADDRESS = address
+
def start_server(self):
"""Start VPN server instance"""
diff --git a/client/site_tests/network_VPNConnect/control.l2tpipsec_psk b/client/site_tests/network_VPNConnect/control.l2tpipsec_psk
index 8b117ef..a28ab0e 100644
--- a/client/site_tests/network_VPNConnect/control.l2tpipsec_psk
+++ b/client/site_tests/network_VPNConnect/control.l2tpipsec_psk
@@ -20,8 +20,14 @@
L2TP/IPSec PSK VPN server runing at the other end of a virtual Ethernet
interface.
+ The -evil variant simulates connecting to a VPN gateway that specifies
+ its public IP as the point-to-point (remote) PPP address. This
+ configuration has caused routing loops in the past, so we test it
+ explicitly in order to catch regressions.
+
"""
job.run_test('network_VPNConnect',
- vpn_types=[ 'l2tpipsec-psk' ],
+ vpn_types=[ 'l2tpipsec-psk',
+ 'l2tpipsec-psk-evil' ],
tag=NAME.split('.')[1])
diff --git a/client/site_tests/network_VPNConnect/network_VPNConnect.py b/client/site_tests/network_VPNConnect/network_VPNConnect.py
index b9bc64a..e1456e0 100644
--- a/client/site_tests/network_VPNConnect/network_VPNConnect.py
+++ b/client/site_tests/network_VPNConnect/network_VPNConnect.py
@@ -81,11 +81,13 @@
def get_vpn_server(self):
"""Returns a VPN server instance."""
if self._vpn_type.startswith('l2tpipsec-psk'):
- return vpn_server.L2TPIPSecVPNServer('psk',
- self.SERVER_INTERFACE_NAME,
- self.SERVER_ADDRESS,
- self.NETWORK_PREFIX,
- 'xauth' in self._vpn_type)
+ return vpn_server.L2TPIPSecVPNServer(
+ 'psk',
+ self.SERVER_INTERFACE_NAME,
+ self.SERVER_ADDRESS,
+ self.NETWORK_PREFIX,
+ perform_xauth_authentication = 'xauth' in self._vpn_type,
+ local_ip_is_public_ip = 'evil' in self._vpn_type)
elif self._vpn_type.startswith('l2tpipsec-cert'):
return vpn_server.L2TPIPSecVPNServer('cert',
self.SERVER_INTERFACE_NAME,
