VPNaaS-IPsec site connection is still active even if IPsec service on Host OS is stopped and VMs across the sites are still able to ping each other

Bug #1440650 reported by Neeti Munshi
This bug affects 1 person
Affects: neutron
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

In the devstack setup with VPNaaS enabled:

1. Establish an IPsec site connection between 2 devstack clouds.
2. Verify that the connection is active from both ends.
3. Now run "service ipsec stop" on either of the clouds.
4. Now check the status of the IPsec site connection; it will still show active on both ends, and the VMs launched on both clouds are still accessible using the private IP. (issue 1)
5. If we also kill the Pluto process, then the IPsec site connection goes down.
6. If the IPsec service was stopped before creating the IPsec site connection, and we then create the IPsec site connection, it does not become active even after starting the IPsec service. (issue 2)

description: updated
Paul Michali (pcm) wrote :

I guess I'm wondering why you're using host commands to manipulate the IPSec service/process. Can you elaborate on the intent of the test?

The IPSec process is run in a namespace. I don't know the impact of using the host "service ipsec stop" in that case (step 3 and 4). Step 5 makes sense and is expected. Step 6, I'm not sure of the interaction of stopping and starting the service, independent of the connection creation.

I don't think we can ensure that VPN operates correctly, if there is manipulation outside of openstack. Again, I'd like to understand the objective of this test, and how it could naturally occur with openstack setup.
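To check the point raised in the comment above, that the IPsec process runs in a namespace, the following added example (not part of the original bug thread and not neutron's own code) reports which network namespace each `pluto` process belongs to by reading `/proc/<pid>/ns/net`. The function names and the `proc_root` parameter are assumptions made for illustration; reading other processes' namespace links normally requires root.

```python
import os


def netns_of(pid, proc_root="/proc"):
    """Return the network-namespace id of a process, e.g. 'net:[4026531992]'."""
    return os.readlink(os.path.join(proc_root, str(pid), "ns", "net"))


def find_daemons(name="pluto", proc_root="/proc"):
    """List (pid, netns, in_host_netns) for every process whose comm is `name`.

    PID 1 is used as the reference for the host network namespace.
    `proc_root` is a hypothetical parameter so the scan can run on a copy
    of /proc or on a constructed directory tree.
    """
    host_ns = netns_of(1, proc_root)
    pids = sorted(int(e) for e in os.listdir(proc_root) if e.isdigit())
    found = []
    for pid in pids:
        try:
            with open(os.path.join(proc_root, str(pid), "comm")) as f:
                comm = f.read().strip()
            if comm != name:
                continue
            ns = netns_of(pid, proc_root)
        except OSError:
            # The process exited during the scan, or we may not read it.
            continue
        found.append((pid, ns, ns == host_ns))
    return found


if __name__ == "__main__":
    for pid, ns, on_host in find_daemons():
        where = "host namespace" if on_host else "separate namespace"
        print(f"pluto pid={pid} {ns} ({where})")
```

A `pluto` process listed under a separate namespace is one to account for individually when verifying that a tunnel is really down.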

Changed in neutron:
status: New → Incomplete
Changed in neutron:
assignee: nobody → Aniruddha Singh Gautam (aniruddha-gautam)
Paul Michali (pcm) wrote :

Aniruddha Singh Gautam, are you planning on working on this issue? There are open questions still, and the bug is incomplete. It could expire if no action is going to be taken.

Armando Migliaccio (armando-migliaccio) wrote :

This bug is > 240 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

Changed in neutron:
assignee: Aniruddha Singh Gautam (aniruddha-gautam) → nobody
Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired