VPNaaS dpd value disabled is invalid
Bug #1436910 reported by Sid
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Expired | Undecided | Unassigned |
Bug Description
In the VPNaaS functionality, when you set the dpd action to disabled (other choices are hold, clear, restart, restart by peer), the value configured for Openswan is:
# [dpd_action]
dpdaction=
I'm running OpenSwan 2.6.37-1 and disabled is not a recognized value.
When the ipsec service is reloaded, the following error message is displayed:
WARNING: *** keyword dpdaction, invalid value: disabled
hold, clear, restart, and restart_by_peer are correct values for openswan; "disabled" seems to be incorrect.
Icehouse on ubuntu 12.04.
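The report above boils down to a configuration value that the generating side accepts but the consuming daemon rejects. As an added example (not code from Neutron or OpenSwan), the check below parses the conn sections of an ipsec.conf and flags any dpdaction value outside the keyword set the report lists as accepted by OpenSwan; the conn names and the file fragment are constructed, not taken from a real deployment.

```python
import re

# dpdaction keywords the bug report lists as accepted by OpenSwan.
# Neutron's "disabled" choice is not one of them.
OPENSWAN_DPD_ACTIONS = {"hold", "clear", "restart", "restart_by_peer"}

# Constructed ipsec.conf fragment in the shape the report describes;
# section names are placeholders, not from a real system.
SAMPLE_IPSEC_CONF = """\
config setup
    nat_traversal=yes

conn conn-EXAMPLE-1
    ikelifetime=3600s
    # [dpd_action]
    dpdaction=disabled
    dpddelay=30

conn conn-EXAMPLE-2
    dpdaction=restart_by_peer
    dpddelay=30
"""

_CONN_RE = re.compile(r"^conn\s+(\S+)\s*$")
_KV_RE = re.compile(r"^\s+([A-Za-z_]+)\s*=\s*(.*?)\s*$")


def parse_conns(text):
    """Return {conn_name: {key: value}} for every conn section in an ipsec.conf."""
    conns, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        m = _CONN_RE.match(line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        m = _KV_RE.match(line)
        if m and current is not None:  # indented key=value inside a conn
            current[m.group(1)] = m.group(2)
    return conns


def invalid_dpd_actions(text):
    """List (conn_name, value) pairs whose dpdaction OpenSwan would reject
    with 'WARNING: *** keyword dpdaction, invalid value: ...'."""
    return [
        (name, kv["dpdaction"])
        for name, kv in parse_conns(text).items()
        if "dpdaction" in kv and kv["dpdaction"] not in OPENSWAN_DPD_ACTIONS
    ]


if __name__ == "__main__":
    for name, value in invalid_dpd_actions(SAMPLE_IPSEC_CONF):
        print(f"{name}: dpdaction={value!r} is not a recognised OpenSwan value")
```

Running such a check before the service is restarted surfaces the rejected keyword explicitly instead of leaving it to whatever default the daemon silently falls back to.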
Changed in neutron: status: New → Incomplete
A few questions for you...
How are you reloading the IPSec service? Outside of Openstack?
What log messages does screen-q-vpn.log show?
Does it work?
I was unable to find an issue on my system using Ubuntu 14.04 and OpenSwan 2.6.38. I set DPD to disabled in OpenStack, and have confirmed that it is disabled in ipsec.conf. I could establish a VPN connection and pass traffic. I changed admin-state of the service to down and then up, and verified that the connection was destroyed/created.
IIRC, when using OpenStack, the reload command for OpenSwan is not used. It is stopped and then started.
I do see, however, when set to disabled, the status messages from OpenSwan report DPD action as clear:
000 "60a6ff46-6480-422c-bb2c-ec06771fa496/0x1": 10.1.0.0/24===172.32.1.11<172.32.1.11>...172.32.1.21---172.32.1.21<172.32.1.21>===10.2.0.0/24; unrouted; eroute owner: #0
000 "60a6ff46-6480-422c-bb2c-ec06771fa496/0x1": myip=unset; hisip=unset;
000 "60a6ff46-6480-422c-bb2c-ec06771fa496/0x1": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "60a6ff46-6480-422c-bb2c-ec06771fa496/0x1": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: qg-ed33be93-0c;
000 "60a6ff46-6480-422c-bb2c-ec06771fa496/0x1": dpd: action:clear; delay:30; timeout:120;
000 "60a6ff46-6480-422c-bb2c-ec06771fa496/0x1": newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "60a6ff46-6480-422c-bb2c-ec06771fa496/0x1": aliases: 60a6ff46-6480-422c-bb2c-ec06771fa496
000 "60a6ff46-6480-422c-bb2c-ec06771fa496/0x1": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1536(5); flags=-strict
000 "60a6ff46-6480-422c-bb2c-ec06771fa496/0x1": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP1536(5)
000 "60a6ff46-6480-422c-bb2c-ec06771fa496/0x1": IKE algorithm newest: AES_CBC_128-SHA1-MODP1536
000 "60a6ff46-6480-422c-bb2c-ec06771fa496/0x1": ESP algorithms wanted: AES(12)_128-SHA1(2)_000; pfsgroup=MODP1536(5); flags=-strict
000 "60a6ff46-6480-422c-bb2c-ec06771fa496/0x1": ESP algorithms loaded: AES(12)_128-SHA1(2)_160
I'm not sure if it is due to the different version of OpenSwan, but on my system it appears to be negotiating and selecting this when disabled. Of course that is outside of OpenStack control.