VPNaaS: Fedora support for StrongSwan

Bug #1441788 reported by Paul Michali
Affects: neutron
Status: Fix Released
Importance: Undecided
Assigned to: Wei Hu
Milestone:

Bug Description

In early testing, I was unable to create a VPN connection using Fedora Release 12 and StrongSwan driver.

Found out from StrongSwan IRC folks these issues:

A) Unlike Ubuntu, both Strongswan and LibreSwan can be installed at once
B) Fedora uses the process name "strongswan", whereas Ubuntu uses "ipsec". The "ipsec" process is for LibreSwan, under Fedora.
C) There may be some sensitivity to tabs, in the config file, for Fedora (use only one?)

The StrongSwan folks also mentioned an issue where one needs a kernel with support for XFRM and namespaces. They stated that there can be problems with passing traffic. They indicated it was a kernel issue and therefore applied to all Swan flavors.

Research is needed to see if both Ubuntu and Fedora kernels have this support. Currently, we don't see an issue with Ubuntu, but should verify the kernel for all target operating systems.

Changed in neutron:
assignee: nobody → venkata anil (anil-venkata)
Revision history for this message
Wei Hu (huwei-xtu) wrote :

Hi @venkata anil, I filed a bug for this issue today (my fault not to find this issue first), and committed a patch. Do you mind if we co-work to fix this bug?
See bug 1444776.
https://review.openstack.org/#/c/174205/

Changed in neutron:
assignee: venkata anil (anil-venkata) → Wei Hu (huwei-xtu)
status: New → In Progress
Revision history for this message
venkata anil (anil-venkata) wrote :

No problem Wei Hu. I will mark the other one as a duplicate of this bug.
Also adding myself as reviewer for https://review.openstack.org/#/c/174205/
Thanks

Revision history for this message
Wei Hu (huwei-xtu) wrote :

Thanks venkata anil.
@Paul, I checked the strongswan status output and the rhel strongswan status output (using my patch set). They seem to have almost the same output.

Ubuntu (not established status):
Command: ['ip', 'netns', 'exec', u'qrouter-9194e4c5-4f45-445f-b32c-c1101f4c215b', 'neutron-vpn-netns-wrapper', u'--mount_paths=/etc:/opt/stack/data/neutron/ipsec/9194e4c5-4f45-445f-b32c-c1101f4c215b/etc,/var/run:/opt/stack/data/neutron/ipsec/9194e4c5-4f45-445f-b32c-c1101f4c215b/var/run', '--cmd=ipsec,status']
Exit code: 0
Stdin:
Stdout: Command: ['mount', '--bind', '/opt/stack/data/neutron/ipsec/9194e4c5-4f45-445f-b32c-c1101f4c215b/etc', '/etc'] Exit code: 0 Stdout: Stderr: Command: ['mount', '--bind', '/opt/stack/data/neutron/ipsec/9194e4c5-4f45-445f-b32c-c1101f4c215b/var/run', '/var/run'] Exit code: 0 Stdout: Stderr: Command: ['ipsec', 'status'] Exit code: 0 Stdout: Routed Connections:
ed765a9b-a008-4f3b-96ec-74eea7576ea1{1}: ROUTED, TUNNEL
ed765a9b-a008-4f3b-96ec-74eea7576ea1{1}: 10.0.0.0/24 === 10.2.0.0/24
Security Associations (0 up, 0 connecting):
  none
 Stderr:

RHEL (not established status output):
[root@icm ~]# /usr/bin/python /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf ip netns exec qrouter-9f798b40-d2b8-4ed2-b060-707947941db4 neutron-vpn-netns-wrapper --mount_paths=/etc:/var/lib/neutron/ipsec/9f798b40-d2b8-4ed2-b060-707947941db4/etc,/var/run:/var/lib/neutron/ipsec/9f798b40-d2b8-4ed2-b060-707947941db4/var/run --cmd=strongswan,status
Command: ['mount', '--bind', '/var/lib/neutron/ipsec/9f798b40-d2b8-4ed2-b060-707947941db4/etc', '/etc'] Exit code: 0 Stdout: Stderr: Command: ['mount', '--bind', '/var/lib/neutron/ipsec/9f798b40-d2b8-4ed2-b060-707947941db4/var/run', '/var/run'] Exit code: 0 Stdout: Stderr: Command: ['strongswan', 'status'] Exit code: 0 Stdout: Routed Connections:
33791325-3bb0-4848-94cb-947c1d002668{4}: ROUTED, TUNNEL
33791325-3bb0-4848-94cb-947c1d002668{4}: 10.6.100.0/24 === 192.168.100.0/24
Security Associations (0 up, 0 connecting):
  none
 Stderr:

RHEL (established):
[root@icm ~]# /usr/bin/python /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf ip netns exec qrouter-9f798b40-d2b8-4ed2-b060-707947941db4 neutron-vpn-netns-wrapper --mount_paths=/etc:/var/lib/neutron/ipsec/9f798b40-d2b8-4ed2-b060-707947941db4/etc,/var/run:/var/lib/neutron/ipsec/9f798b40-d2b8-4ed2-b060-707947941db4/var/run --cmd=strongswan,status
Command: ['mount', '--bind', '/var/lib/neutron/ipsec/9f798b40-d2b8-4ed2-b060-707947941db4/etc', '/etc'] Exit code: 0 Stdout: Stderr: Command: ['mount', '--bind', '/var/lib/neutron/ipsec/9f798b40-d2b8-4ed2-b060-707947941db4/var/run', '/var/run'] Exit code: 0 Stdout: Stderr: Command: ['strongswan', 'status'] Exit code: 0 Stdout: Routed Connections:
d1a377d6-d796-4727-8825-4f5b89b5e483{2}: ROUTED, TUNNEL
d1a377d6-d796-4727-8825-4f5b89b5e483{2}: 10.6.100.0/24 === 192.168.100.0/24
Security Associations (1 up, 0 connecting):
d1a377d6-d796-4727-8825-4f5b89b5e483[1]: ESTABLISHED 34 seconds ago, 10.105.0.236[10.105.0.236]...10.105.0.163[10.105.0.163]
d1a377d6-d796-4727-8825-4f5b89b5e483{2}: INSTALLED, TUNNEL, ESP SPIs: cc17e56a_i c08d390c_o
d1a377d6-d796-4727-8825-4f5b89b5e483{2}: 10.6.100.0/24 === 192...

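The status output compared above is what a driver has to parse to decide whether a VPN connection is up, and the binary it runs differs by distro (Fedora/RHEL: "strongswan"; Ubuntu: "ipsec", which on Fedora belongs to LibreSwan). As an added example, not code from this bug or from neutron-vpnaas, here is a small parser for that `status` output plus the per-distro CLI selection; the function names, the injectable `which` parameter and the ACTIVE/DOWN mapping are assumptions, and the two sample status texts are taken from the output quoted in this comment.

```python
"""Pick the StrongSwan CLI name per distro and parse `strongswan status` /
`ipsec status` output to decide whether an IPsec connection is up.
Example code written for this bug page; not from neutron-vpnaas."""
import re
import shutil

# Order matters: on Fedora/RHEL "ipsec" is LibreSwan, so "strongswan" is
# tried first; Ubuntu only has "ipsec" (StrongSwan) and falls through to it.
STRONGSWAN_CLI_CANDIDATES = ("strongswan", "ipsec")


def pick_strongswan_cli(which=shutil.which):
    """Return the first candidate CLI found on PATH, or None.
    `which` is injectable (assumption) so the choice can be tested offline."""
    for name in STRONGSWAN_CLI_CANDIDATES:
        if which(name):
            return name
    return None


# IKE SA line:   "<conn>[1]: ESTABLISHED 34 seconds ago, ..."
_IKE_SA_RE = re.compile(r"^(?P<conn>[^\[\{\s]+)\[\d+\]:\s+(?P<state>[A-Z]+)")
# CHILD SA line: "<conn>{2}: INSTALLED, TUNNEL, ..." or "<conn>{1}: ROUTED, TUNNEL"
# (the traffic-selector lines "<conn>{2}: 10.0.0.0/24 === ..." start with a
# digit after the colon, so they do not match the [A-Z]+ state group)
_CHILD_SA_RE = re.compile(r"^(?P<conn>[^\[\{\s]+)\{\d+\}:\s+(?P<state>[A-Z]+)")
_SUMMARY_RE = re.compile(
    r"^Security Associations \((?P<up>\d+) up, (?P<connecting>\d+) connecting\)")


def parse_status(status_text):
    """Return (connections, summary): connections maps a connection id to
    {"ike": <IKE SA state or None>, "child": <CHILD SA state or None>};
    summary holds the "(N up, M connecting)" counters."""
    connections = {}
    summary = {"up": 0, "connecting": 0}
    for raw in status_text.splitlines():
        line = raw.strip()
        m = _SUMMARY_RE.match(line)
        if m:
            summary = {k: int(v) for k, v in m.groupdict().items()}
            continue
        m = _IKE_SA_RE.match(line)
        if m:
            entry = connections.setdefault(m["conn"], {"ike": None, "child": None})
            entry["ike"] = m["state"]
            continue
        m = _CHILD_SA_RE.match(line)
        if m:
            entry = connections.setdefault(m["conn"], {"ike": None, "child": None})
            # A connection is listed as ROUTED before it is INSTALLED; keep the
            # stronger state once seen.
            if entry["child"] != "INSTALLED":
                entry["child"] = m["state"]
    return connections, summary


def connection_status(status_text, conn_id):
    """Map one connection to ACTIVE/DOWN (assumed mapping): ACTIVE only when
    its IKE SA is ESTABLISHED and a CHILD SA is INSTALLED; a merely ROUTED
    connection, or one missing from the output, is DOWN."""
    connections, _ = parse_status(status_text)
    entry = connections.get(conn_id)
    if entry and entry["ike"] == "ESTABLISHED" and entry["child"] == "INSTALLED":
        return "ACTIVE"
    return "DOWN"


# Sample status texts, taken from the RHEL output quoted in the comment above.
STATUS_DOWN = """Routed Connections:
33791325-3bb0-4848-94cb-947c1d002668{4}: ROUTED, TUNNEL
33791325-3bb0-4848-94cb-947c1d002668{4}: 10.6.100.0/24 === 192.168.100.0/24
Security Associations (0 up, 0 connecting):
  none
"""

STATUS_UP = """Routed Connections:
d1a377d6-d796-4727-8825-4f5b89b5e483{2}: ROUTED, TUNNEL
d1a377d6-d796-4727-8825-4f5b89b5e483{2}: 10.6.100.0/24 === 192.168.100.0/24
Security Associations (1 up, 0 connecting):
d1a377d6-d796-4727-8825-4f5b89b5e483[1]: ESTABLISHED 34 seconds ago, 10.105.0.236[10.105.0.236]...10.105.0.163[10.105.0.163]
d1a377d6-d796-4727-8825-4f5b89b5e483{2}: INSTALLED, TUNNEL, ESP SPIs: cc17e56a_i c08d390c_o
d1a377d6-d796-4727-8825-4f5b89b5e483{2}: 10.6.100.0/24 === 192.168.100.0/24
"""

if __name__ == "__main__":
    print("CLI on this host:", pick_strongswan_cli())
    print("down sample:", connection_status(STATUS_DOWN, "33791325-3bb0-4848-94cb-947c1d002668"))
    print("up sample:  ", connection_status(STATUS_UP, "d1a377d6-d796-4727-8825-4f5b89b5e483"))
```

Parsing only the `Security Associations` section, rather than trusting the `Routed Connections` list, is the point: a ROUTED entry only means a policy is installed, so reporting it as ACTIVE would hide a tunnel that never negotiated and is silently dropping or bypassing traffic.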

Revision history for this message
Wei Hu (huwei-xtu) wrote :

@Paul, check-neutron-vpnaas-dsvm-functional-sswan failed because there is no "strongswan" command (Ubuntu uses ipsec).
http://logs.openstack.org/05/174205/12/check/check-neutron-vpnaas-dsvm-functional-sswan/0db9269/console.html

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-vpnaas (master)

Reviewed: https://review.openstack.org/174205
Committed: https://git.openstack.org/cgit/openstack/neutron-vpnaas/commit/?id=f8a62b09b60d60ce3aa4d841ef97ec1d003281e2
Submitter: Jenkins
Branch: master

commit f8a62b09b60d60ce3aa4d841ef97ec1d003281e2
Author: Wei Hu <email address hidden>
Date: Thu Apr 16 13:15:00 2015 +0800

    Provide Fedora support for StrongSwan

    The initial release of the StrongSwan VPNaaS driver only supports Ubuntu.
    This patch will provide the Fedora support. The differences in the usage of
    StrongSwan between Fedora and Ubuntu are:
    - Uses 'strongswan' CLI command instead of 'ipsec'
    - Configuration files location is different
    - Strongswan.d directory in template directory does not include
      'charon' directory

    Change-Id: I27d8518d1d8110453d4674a0c6fb3cb6072a32f0
    Closes-bug: 1444776
    Closes-bug: 1441788

Changed in neutron:
status: In Progress → Fix Committed
Revision history for this message
Wei Hu (huwei-xtu) wrote :

I think this driver should be backported to the kilo branch, since in rhel7 there is no available vpnaas driver now. And as far as I have tested, only this driver and the libreswan driver can support rhel7 in kilo.

In rhel7 with openswan driver I hit those similar bugs:
https://bugs.launchpad.net/neutron/+bug/1444017
https://bugs.launchpad.net/neutron/+bug/1452205

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-vpnaas (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/185491

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-vpnaas (stable/kilo)

Reviewed: https://review.openstack.org/185491
Committed: https://git.openstack.org/cgit/openstack/neutron-vpnaas/commit/?id=9c73c0cb45590febd7b9b35830a5542e58d6aaa1
Submitter: Jenkins
Branch: stable/kilo

commit 9c73c0cb45590febd7b9b35830a5542e58d6aaa1
Author: Wei Hu <email address hidden>
Date: Thu Apr 16 13:15:00 2015 +0800

    Provide Fedora support for StrongSwan

    The initial release of the StrongSwan VPNaaS driver only supports Ubuntu.
    This patch will provide the Fedora support. The differences in the usage of
    StrongSwan between Fedora and Ubuntu are:
    - Uses 'strongswan' CLI command instead of 'ipsec'
    - Configuration files location is different
    - Strongswan.d directory in template directory does not include
      'charon' directory

    Change-Id: I27d8518d1d8110453d4674a0c6fb3cb6072a32f0
    Closes-bug: 1444776
    Closes-bug: 1441788
    (cherry picked from commit f8a62b09b60d60ce3aa4d841ef97ec1d003281e2)

tags: added: in-stable-kilo
Thierry Carrez (ttx)
Changed in neutron:
milestone: none → liberty-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: liberty-1 → 7.0.0