VPNaaS: mtu parameter isn't used in ipsec.conf template

Bug #1427232 reported by Andrey Epifanov
Affects              Status        Importance  Assigned to      Milestone
Mirantis OpenStack   Fix Released  Medium      Elena Ezhova
  6.1.x              Fix Released  Medium      Andrey Epifanov
  7.0.x              Fix Released  Medium      Elena Ezhova

Bug Description

The MTU parameter of an IPSec Site Connection is not used.

Tags: neutron vpnaas
tags: added: neutron
Changed in mos:
milestone: none → 6.1
Revision history for this message
OSCI Robot (oscirobot) wrote :

package neutron has been built for project openstack/neutron
Package version == 2014.2.2, package release == fuel6.1.mira6.git.91135ba.8256a3e

Changeset: https://review.fuel-infra.org/4216
project: openstack/neutron
branch: openstack-ci/fuel-6.1/2014.2
author: Andrey Epifanov
committer: Andrey Epifanov
subject: Enable the use of the MTU value of IPSec connection
status: patchset-created

Files placed on repository:

NOTE: Changeset is not merged, created temporary package repository.
 repository URL: /centos-fuel-6.1-stable-4216/

Revision history for this message
OSCI Robot (oscirobot) wrote :

DEB package neutron has been built for project openstack/neutron
Package version == 2014.2.2, package release == fuel6.1~mira4+git.91135ba.8256a3e

Changeset: https://review.fuel-infra.org/4216
project: openstack/neutron
branch: openstack-ci/fuel-6.1/2014.2
author: Andrey Epifanov
committer: Andrey Epifanov
subject: Enable the use of the MTU value of IPSec connection
status: patchset-created

Files placed on repository:

Revision history for this message
OSCI Robot (oscirobot) wrote :

package neutron has been built for project openstack/neutron
Package version == 2014.2.2, package release == fuel6.1~mira5+git.91135ba.8256a3e

Changeset: https://review.fuel-infra.org/4216
project: openstack/neutron
branch: openstack-ci/fuel-6.1/2014.2
author: Andrey Epifanov
committer: Andrey Epifanov
subject: Enable the use of the MTU value of IPSec connection
status: patchset-created

Files placed on repository:

NOTE: Changeset is not merged, created temporary package repository.
 repository URL: /ubuntu-fuel-6.1-stable-4216/

Revision history for this message
Kristina Berezovskaia (kkuznetsova) wrote :

Verify

{"build_id": "2015-03-25_09-13-15", "ostf_sha": "a4cf5f218c6aea98105b10c97a4aed8115c15867", "build_number": "227", "release_versions": {"2014.2-6.1": {"VERSION": {"build_id": "2015-03-25_09-13-15", "ostf_sha": "a4cf5f218c6aea98105b10c97a4aed8115c15867", "build_number": "227", "api": "1.0", "nailgun_sha": "aaeee045ea755c9a81f48de2019fce3e368afa60", "production": "docker", "python-fuelclient_sha": "3624051242c83fdbdd1df9a0e466797c06b75043", "astute_sha": "631f96d5a09cc48bfbddcbf056b946c8a80438f0", "feature_groups": ["mirantis"], "release": "6.1", "fuelmain_sha": "320b5f46fc1b2798f9e86ed7df51d3bda1686c10", "fuellib_sha": "96669c3b59b2286c4fe5a06940ef1c004f6aaeae"}}}, "auth_required": true, "api": "1.0", "nailgun_sha": "aaeee045ea755c9a81f48de2019fce3e368afa60", "production": "docker", "python-fuelclient_sha": "3624051242c83fdbdd1df9a0e466797c06b75043", "astute_sha": "631f96d5a09cc48bfbddcbf056b946c8a80438f0", "feature_groups": ["mirantis"], "release": "6.1", "fuelmain_sha": "320b5f46fc1b2798f9e86ed7df51d3bda1686c10", "fuellib_sha": "96669c3b59b2286c4fe5a06940ef1c004f6aaeae"}

Steps to reproduce:
1) Create a vpn-connection
2) Navigate to the controller node
3) ps aux | grep pluto
4) Check that there is a process with /var/lib/neutron/ipsec/*
5) Open the file /var/lib/neutron/ipsec/*/etc/ipsec.conf from that process
6) Check that the mtu parameter in this file equals the value in the ipsec site connection created at step 1

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/neutron (openstack-ci/fuel-7.0/2015.1.0)

Fix proposed to branch: openstack-ci/fuel-7.0/2015.1.0
Change author: Andrey Epifanov <email address hidden>
Review: https://review.fuel-infra.org/8023

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/neutron-vpnaas (openstack-ci/fuel-7.0/2015.1.0)

Fix proposed to branch: openstack-ci/fuel-7.0/2015.1.0
Change author: Ilya Shakhat <email address hidden>
Review: https://review.fuel-infra.org/8367

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/neutron (openstack-ci/fuel-7.0/2015.1.0)

Change abandoned by Ilya Shakhat <email address hidden> on branch: openstack-ci/fuel-7.0/2015.1.0
Review: https://review.fuel-infra.org/8023
Reason: moved to neutron-vpnaas -- https://review.fuel-infra.org/#/c/8367/

Revision history for this message
Elena Ezhova (eezhova) wrote :

Seems that the proposed fix (https://review.fuel-infra.org/#/c/8367/) is not ready to merge because overridemtu is a KLIPS option, which has no effect on the NETKEY stack that we are using [1]. The same can be said about the StrongSwan driver [2].

[1] https://github.com/xelerance/Openswan/blob/master/programs/_confread/d.ipsec.conf/overridemtu.xml
[2] https://www.strongswan.org/docs/ipsec.conf.html

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/neutron-vpnaas (openstack-ci/fuel-7.0/2015.1.0)

Change abandoned by Elena Ezhova <email address hidden> on branch: openstack-ci/fuel-7.0/2015.1.0
Review: https://review.fuel-infra.org/8367
Reason: Abandoned in favor of https://review.fuel-infra.org/#/c/10523/1

Revision history for this message
Elena Ezhova (eezhova) wrote :

Research has shown that it is currently possible to set the MTU for the route(s) to the remote endpoint and/or subnets only on OpenSwan, using the mtu option. For this option to take effect, 'leftupdown="ipsec _updown --route yes"' needs to be added to the ipsec.conf template. [1]

[1] http://linux.die.net/man/5/ipsec.conf

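Added example, not neutron-vpnaas code: a constructed stand-in for the OpenSwan connection template carrying the mtu and leftupdown lines described in the comment above, plus a small ipsec.conf parser that performs the check from step 6 of the verification scenario (MTU in the rendered file equals the site connection's MTU). The template layout, the site-connection dict and its field names are assumptions.

```python
import re
from string import Template

# Constructed stand-in for the OpenSwan ipsec.conf.template (not the
# project's real template); only options relevant to the MTU fix appear.
CONN_TEMPLATE = Template("""conn $conn_id
    left=$left
    leftsubnet=$leftsubnet
    right=$right
    rightsubnet=$rightsubnet
    authby=secret
    # mtu is honoured by OpenSwan only when the updown script installs routes
    leftupdown="ipsec _updown --route yes"
    mtu=$mtu
""")

# Constructed site connection; addresses and MTU are made-up sample values.
SAMPLE_CONN = {"id": "conn-constructed-1",
               "local_address": "172.18.171.150", "local_cidr": "10.0.0.0/24",
               "peer_address": "172.18.171.154", "peer_cidrs": ["172.16.1.0/24"],
               "mtu": 1400}

def render_conn(site_conn):
    """Render one conn block from a site-connection dict."""
    return CONN_TEMPLATE.substitute(
        conn_id=site_conn["id"], left=site_conn["local_address"],
        leftsubnet=site_conn["local_cidr"], right=site_conn["peer_address"],
        rightsubnet=site_conn["peer_cidrs"][0], mtu=site_conn["mtu"])

def parse_conn_options(conf_text):
    """Parse 'conn <name>' sections into {name: {option: value}}, dropping comments/quotes."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def check_mtu(conf_text, site_conn):
    """Step 6 check: conn block carries the connection's MTU and the leftupdown OpenSwan needs."""
    opts = parse_conn_options(conf_text).get(site_conn["id"], {})
    return (opts.get("mtu") == str(site_conn["mtu"])
            and opts.get("leftupdown") == "ipsec _updown --route yes")
```

A template that omits the mtu line (the original bug) fails check_mtu, as does a rendered file whose MTU no longer matches the site connection.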
Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/neutron-vpnaas (openstack-ci/fuel-7.0/2015.1.0)

Reviewed: https://review.fuel-infra.org/10523
Submitter: mos-infra-ci <>
Branch: openstack-ci/fuel-7.0/2015.1.0

Commit: 4b1558723f6fef6d8791b6c920ed420a216f887e
Author: Elena Ezhova <email address hidden>
Date: Tue Aug 18 13:25:25 2015

[OpenSwan] Enable usage of the MTU value of an IPSec connection

It is possible to specify the MTU parameter when creating an IPSec Site
Connection, but it is ignored because it is missing from
ipsec.conf.template. This change adds the overridemtu option to the
OpenSwan ipsec.conf template.

Closes-Bug: #1427232

Conflicts:
 neutron_vpnaas/services/vpn/device_drivers/template/openswan/ipsec.conf.template
 neutron_vpnaas/tests/unit/services/vpn/device_drivers/test_ipsec.py

Change-Id: If822454a7acaa3fd003cae3e5e342c8b66ef656c

Anna Babich (ababich)
tags: added: on-verification
Revision history for this message
Anna Babich (ababich) wrote :

VERSION:
  feature_groups:
    - mirantis
  production: "docker"
  release: "7.0"
  openstack_version: "2015.1.0-7.0"
  api: "1.0"
  build_number: "252"
  build_id: "2015-08-29_17-24-57"
  nailgun_sha: "3189ccfb8c1dac888e351f535b03bdbc9d392406"
  python-fuelclient_sha: "9643fa07f1290071511066804f962f62fe27b512"
  fuel-agent_sha: "1e8f38bbb864ed99aa8fe862b6367e82afec3263"
  fuel-nailgun-agent_sha: "d7027952870a35db8dc52f185bb1158cdd3d1ebd"
  astute_sha: "53c86cba593ddbac776ce5a3360240274c20738c"
  fuel-library_sha: "f05b958ef318f70170fe0db71bffcbaadbc39ae4"
  fuel-ostf_sha: "83048d68609854324ceeaf04242e68d658cfb55d"
  fuelmain_sha: "0e54d68392b359bc122e5bbba9249c729eeaf579"

Verified on cluster: neutron+vxlan+vpn

Verification scenario

1. The VPN connection has been created by the script: http://paste.openstack.org/show/449984/

2. On a controller node:
root@node-11:~# ps aux | grep pluto | grep /var/lib/neutron/ipsec
root 16415 0.0 0.0 94052 2356 ? Ss 09:10 0:00 /usr/lib/ipsec/pluto --ctlbase /var/lib/neutron/ipsec/3cb72d8a-027b-409e-b2ce-5d51f3043abb/var/run/pluto/ --ipsecdir /var/lib/neutron/ipsec/3cb72d8a-027b-409e-b2ce-5d51f3043abb/etc --use-netkey --uniqueids --nat_traversal --secretsfile /var/lib/neutron/ipsec/3cb72d8a-027b-409e-b2ce-5d51f3043abb/etc/ipsec.secrets --virtual_private %v4:192.168.111.0/24,%v4:172.16.1.0/24

3.
root@node-11:~# vi /var/lib/neutron/ipsec/3cb72d8a-027b-409e-b2ce-5d51f3043abb/etc/ipsec.conf
...
    # rightsubnet=networkA/netmaskA, networkB/netmaskB (IKEv2 only)
    rightnexthop=%defaultroute
    # [mtu]
    mtu=1500
...

4.
root@node-11:/var/lib/neutron/ipsec/3cb72d8a-027b-409e-b2ce-5d51f3043abb/etc# neutron ipsec-site-connection-list
+--------------------------------------+-----------------+----------------+--------------------+------------+-----------+--------+
| id | name | peer_address | peer_cidrs | route_mode | auth_mode | status |
+--------------------------------------+-----------------+----------------+--------------------+------------+-----------+--------+
| 5d9110d4-5ea0-4e05-8b46-32f3c8c734ed | test_connection | 172.18.171.152 | "192.168.111.0/24" | static | psk | ACTIVE |
| 646c9912-ac37-49f3-85df-3ef7e4c628b7 | test_connection | 172.18.171.154 | "172.16.1.0/24" | static | psk | ACTIVE |
+--------------------------------------+-----------------+----------------+--------------------+------------+-----------+--------+

5.
root@node-11:/var/lib/neutron/ipsec/3cb72d8a-027b-409e-b2ce-5d51f3043abb/etc# neutron ipsec-site-connection-show 646c9912-ac37-49f3-85df-3ef7e4c628b7
+----------------+----------------------------------------------------+
| Field | Value |
+----------------+----------------------------------------------------+
| admin_state_up | True |
| auth_mode | psk |
| description | |
| dpd | {"action": "hold", "interval": 30, "timeout": 120} |
| id | 646c9912-ac37-49f3-85d...


tags: removed: on-verification