VPNaaS dpd value disabled is invalid

Bug #1436910 reported by Sid
Affects: neutron
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

In the VPNaaS functionality, when you set the dpd action to disabled (the other choices are hold, clear, restart, restart by peer), the value configured for Openswan is:
# [dpd_action]
    dpdaction=disabled

I'm running OpenSwan 2.6.37-1 and disabled is not a recognized value.
When the ipsec service is reloaded, the following error message is displayed:
WARNING: *** keyword dpdaction, invalid value: disabled

hold, clear, restart, and restart_by_peer are correct values for Openswan; "disabled" seems to be incorrect.

Icehouse on Ubuntu 12.04.
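The mismatch the report describes is a value-translation problem: the Neutron API accepts a DPD action of "disabled", but Openswan's dpdaction keyword only accepts hold, clear, restart and restart_by_peer. The following is an added example (not neutron-vpnaas's own template or code) of how a driver can render the DPD settings of a conn section so that Openswan never sees an unknown keyword, next to a checker that reproduces Openswan's "invalid value" warning against a rendered file. Assumptions, labelled in the code: the Neutron API spelling "restart-by-peer" for the hyphenated variant, the Openswan keyword set quoted above, and that leaving dpddelay/dpdaction out of the conn section leaves DPD off in Openswan (confirm against ipsec.conf(5) for the installed version).

```python
"""Render Openswan DPD settings from Neutron VPNaaS values.

Added example, not neutron-vpnaas code.  Assumptions:
  - Neutron spells the peer-restart action "restart-by-peer" (hyphens).
  - Openswan accepts dpdaction=hold|clear|restart|restart_by_peer only.
  - Omitting dpdaction/dpddelay/dpdtimeout leaves DPD disabled in Openswan.
"""

# Values Openswan's config parser accepts for dpdaction (assumed set).
OPENSWAN_DPD_ACTIONS = frozenset({"hold", "clear", "restart", "restart_by_peer"})

# Neutron VPNaaS dpd.action -> Openswan keyword.  None means "do not emit DPD".
NEUTRON_TO_OPENSWAN = {
    "hold": "hold",
    "clear": "clear",
    "restart": "restart",
    "restart-by-peer": "restart_by_peer",  # assumed API spelling; underscore for Openswan
    "disabled": None,                      # no such Openswan keyword
}


def render_dpd_naive(dpd):
    """The behaviour the bug describes: copy the API value straight through."""
    return [
        "    dpdaction=%s" % dpd.get("action", "hold"),
        "    dpddelay=%d" % int(dpd.get("interval", 30)),
        "    dpdtimeout=%d" % int(dpd.get("timeout", 120)),
    ]


def render_dpd(dpd):
    """Translate the Neutron dpd dict into Openswan conn lines.

    dpd is the Neutron ipsec_site_connection 'dpd' dict:
    {"action": ..., "interval": seconds, "timeout": seconds}.
    """
    action = dpd.get("action", "hold")
    if action not in NEUTRON_TO_OPENSWAN:
        raise ValueError("unknown Neutron dpd action: %r" % action)
    keyword = NEUTRON_TO_OPENSWAN[action]
    if keyword is None:
        # 'disabled': emit nothing, so Openswan keeps DPD off (assumed default).
        return []
    return [
        "    dpdaction=%s" % keyword,
        "    dpddelay=%d" % int(dpd.get("interval", 30)),
        "    dpdtimeout=%d" % int(dpd.get("timeout", 120)),
    ]


def render_conn(conn_id, dpd, left, leftsubnet, right, rightsubnet, renderer=render_dpd):
    """Render a minimal Openswan conn section with the DPD lines from `renderer`."""
    lines = [
        "conn %s" % conn_id,
        "    left=%s" % left,
        "    leftsubnet=%s" % leftsubnet,
        "    right=%s" % right,
        "    rightsubnet=%s" % rightsubnet,
        "    authby=secret",
        "    auto=start",
    ]
    lines.extend(renderer(dpd))
    return "\n".join(lines) + "\n"


def check_dpdaction(conf_text):
    """Mimic Openswan's keyword validation: return one warning per bad dpdaction."""
    warnings = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep and key.strip() == "dpdaction" and value.strip() not in OPENSWAN_DPD_ACTIONS:
            warnings.append("WARNING: *** keyword dpdaction, invalid value: %s" % value.strip())
    return warnings


if __name__ == "__main__":
    # Constructed sample connection, not from a real deployment.
    sample = dict(conn_id="site-a-to-site-b", left="172.32.1.11", leftsubnet="10.1.0.0/24",
                  right="172.32.1.21", rightsubnet="10.2.0.0/24")
    disabled = {"action": "disabled", "interval": 30, "timeout": 120}
    print(check_dpdaction(render_conn(dpd=disabled, renderer=render_dpd_naive, **sample)))
    print(check_dpdaction(render_conn(dpd=disabled, **sample)))
```

Run against the constructed sample, the naive renderer produces exactly the warning quoted in the report, while the translating renderer produces a conn section with no DPD keywords at all, which is the only way to express "disabled" to a parser that lacks the keyword.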

Revision history for this message
Paul Michali (pcm) wrote :

A few questions for you...

How are you reloading the IPSec service? Outside of Openstack?
What log messages does screen-q-vpn.log show?
Does it work?

I was unable to find an issue on my system using Ubuntu 14.04 and OpenSwan 2.6.38. I set DPD to disabled in OpenStack, and have confirmed that it is disabled in ipsec.conf. I could establish a VPN connection and pass traffic. I changed admin-state of the service to down and then up, and verified that the connection was destroyed/created.

IIRC, when using OpenStack, the reload command for OpenSwan is not used. It is stopped and then started.

I do see, however, when set to disabled, the status messages from OpenSwan report DPD action as clear:

000 "60a6ff46-6480-422c-bb2c-ec06771fa496/0x1": 10.1.0.0/24===172.32.1.11<172.32.1.11>...172.32.1.21---172.32.1.21<172.32.1.21>===10.2.0.0/24; unrouted; eroute owner: #0
000 "60a6ff46-6480-422c-bb2c-ec06771fa496/0x1": myip=unset; hisip=unset;
000 "60a6ff46-6480-422c-bb2c-ec06771fa496/0x1": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "60a6ff46-6480-422c-bb2c-ec06771fa496/0x1": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: qg-ed33be93-0c;
000 "60a6ff46-6480-422c-bb2c-ec06771fa496/0x1": dpd: action:clear; delay:30; timeout:120;
000 "60a6ff46-6480-422c-bb2c-ec06771fa496/0x1": newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "60a6ff46-6480-422c-bb2c-ec06771fa496/0x1": aliases: 60a6ff46-6480-422c-bb2c-ec06771fa496
000 "60a6ff46-6480-422c-bb2c-ec06771fa496/0x1": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1536(5); flags=-strict
000 "60a6ff46-6480-422c-bb2c-ec06771fa496/0x1": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP1536(5)
000 "60a6ff46-6480-422c-bb2c-ec06771fa496/0x1": IKE algorithm newest: AES_CBC_128-SHA1-MODP1536
000 "60a6ff46-6480-422c-bb2c-ec06771fa496/0x1": ESP algorithms wanted: AES(12)_128-SHA1(2)_000; pfsgroup=MODP1536(5); flags=-strict
000 "60a6ff46-6480-422c-bb2c-ec06771fa496/0x1": ESP algorithms loaded: AES(12)_128-SHA1(2)_160

I'm not sure if it is due to the different version of OpenSwan, but on my system it appears to be negotiating and selecting this when disabled. Of course that is outside of OpenStack control.

Paul Michali (pcm)
Changed in neutron:
status: New → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired