neutron

Updation of IKE Policy after the site creation fails

Bug #1315809 reported by Ashish Kumar Gupta
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron
Fix Released
Low
Eugene Nikanorov
neutron 2014.2 "juno"

Bug Description

Updating the IKE policy after the site creation fails stating ike policy in already in use
Updating IKEPolicy 07fc4f3b-1b44-4d5c-9949-5f7fa3bc6ae5

_PUT-REST: url: http://<controller_ip>:9696/v2.0/vpn/ikepolicies/07fc4f3b-1b44-4d5c-9949-5f7fa3bc6ae5
_PUT-REST: X-Auth-Token: 86c8be3ce0204aa8bdd1458021eacec4
_PUT-REST: data: {"ikepolicy":{"name": "IKE1","encryption_algorithm": "aes-256"}}

{u'NeutronError': {u'message': u'IKEPolicy 07fc4f3b-1b44-4d5c-9949-5f7fa3bc6ae5 is still in use', u'type': u'IKEPolicyInUse', u'detail': u''}}
None

See original description
Revision history for this message
Ashish Kumar Gupta (ashish-kumar-gupta) wrote :
description: updated
Revision history for this message
Riccardo Padovani (rpadovani) wrote :

This bug isn't related to ubuntu-calculator-app.
I assign it to the project I think is referred to.

no longer affects: ubuntu-calculator-app
Revision history for this message
Paul Michali (pcm) wrote :

As far as I know, this is expected behavior. The IKE policy can be shared by multiple IPSec site-to-site connections, so it will not allow you to change the policy, if there are one or more uses of the policy.

Revision history for this message
Ashish Kumar Gupta (ashish-kumar-gupta) wrote :

Considering a scenario:
Site connection has be made with ike policy encryption algorithm as aes-128 and due to some security measures the user want to update the encryption algorithm aes-256 .
I thinks user should have an option to do so.

Revision history for this message
Eugene Nikanorov (enikanorov) wrote :

I think it should not be possible: you're updating the encryption on a live connection.
This would require update of both endpoints.

I suggest to change exception message for this case to be more clear, but preserve the behavior.

Changed in neutron:
importance: Undecided → Low
assignee: nobody → Eugene Nikanorov (enikanorov)
status: New → Confirmed
Revision history for this message
Openstack Gerrit (openstack-gerrit) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/92348

Changed in neutron:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/92348
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=14ebdbe77479a72ad1f324663ec795460e03e99a
Submitter: Jenkins
Branch: master

commit 14ebdbe77479a72ad1f324663ec795460e03e99a
Author: Eugene Nikanorov <email address hidden>
Date: Tue May 6 15:35:04 2014 +0400

    Make VPNaaS 'InUse' exception more clear

    In case IpSecPolicy or IKEPolicy is updated while VPN connection that uses it
    is already established, IPsecPolicyInUse or IKEPolicuInUse is raised.
    Need to clarify their messages to emphasize that policies can't be updated
    because they are used by established connection.

    Change-Id: I259f9b8bcff7f8ec13ac630285f6e881c6653309
    Closes-Bug: #1315809

Changed in neutron:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in neutron:
milestone: none → juno-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: juno-1 → 2014.2
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.