VPNaas: strongswan: cannot add more than one subnet to ipsec
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron | Expired | Undecided | Unassigned | | |
Bug Description
I used this patch (VPNaaS: Fedora support for StrongSwan) for vpnaas on centos referring to this bug
https:/
1. I used a single node with 2 routers, create ike/ipsec/
up fine
kilo-vpnaas-
10.10.10.
R1 to R2 on 192.168.122.202, 192.168.122.203.
2. When I added one more interface to r1 and r2, 30.30.30.x and 40.40.40.x respectively, created
ike/ipsec/
overwrote the existing(
[root@ceos71 ~]# cat /var/lib/
# Configuration for vpn10
config setup
conn %default
keylife=20m
authby=psk
mobike=no
conn 221c6d37-
keyexchange
left=
leftsubnet=
leftid=
leftfirewal
right=
rightsubnet
rightid=
auto=route
### added 1 more subnet 30.30.30.x
[root@ceos71 ~]# cat /var/lib/
# Configuration for vpn30
config setup
conn %default
keylife=20m
authby=psk
mobike=no
conn 7b57fc83-
keyexchange
left=
leftsubnet=
leftid=
leftfirewal
right=
rightsubnet
rightid=
auto=route
3. My understanding is that it should add a new conn to the ipsec.conf file, rather than overwriting the existing conn. Am I right?
Please show the commands you are using for the IPSec connection. It sounds
like you are trying to create an IPSec connection with multiple subsets on
each end. Is that correct?
Currently, VPNaaS IPSec connections may have one or more peer subsets, but
only one local subnet. There is a bug out, to enhance this to support more
than one subnet (https://bugs.launchpad.net/neutron/+bug/1459423).
Regards,
PCM
On Tue, Jul 28, 2015 at 1:15 AM hanumanth jerbandi <email address hidden>
wrote:
> Public bug reported:
>
> I used this patch (VPNaaS: Fedora support for StrongSwan) for vpnaas on
> centos referring to this bug
> https://bugs.launchpad.net/neutron/+bug/1441788
>
> 1. I used a single node with 2 routers, create ike/ipsec/vpn-service/site
> vpn, the tunnels came
> up fine
> kilo-vpnaas-centos71
>
>
> 10.10.10.x/24--------R1-------------R2-------------20.20.20.x/24
>
> R1 to R2 on 192.168.122.202, 192.168.122.203.
>
> 2. When I added one more interface to r1 and r2, 30.30.30.x and 40.40.40.x
> respectively, created
> ike/ipsec/vpn-service/site-vpn, it did not create a new conn in ipsec.conf
> file, rather, it
> overwrote the existing(10.10.10.x) conn in ipsec.conf file.
>
> [root@ceos71 ~]# cat /var/lib/neutron/ipsec/70e88c46-c6b2-4c8d-afad-76ebd77b55cb/etc/strongswan/ipsec.conf
> # Configuration for vpn10
> config setup
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     authby=psk
>     mobike=no
>
> conn 221c6d37-e7a1-4afc-8d0f-4de32df3818b #### this for 10.10.10.x
>     keyexchange=ikev2
>     left=192.168.122.202
>     leftsubnet=10.10.10.0/24
>     leftid=192.168.122.202
>     leftfirewall=yes
>     right=192.168.122.203
>     rightsubnet=20.20.20.0/24
>     rightid=192.168.122.203
>     auto=route
>
> ### added 1 more subnet 30.30.30.x
>
> [root@ceos71 ~]# cat /var/lib/neutron/ipsec/70e88c46-c6b2-4c8d-afad-76ebd77b55cb/etc/strongswan/ipsec.conf
> # Configuration for vpn30
> config setup
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     authby=psk
>     mobike=no
>
> conn 7b57fc83-3581-4e86-a193-e14474eef295 ### this is for 30.30.30.x, it overwrote the 10.10.10.x conn
>     keyexchange=ikev2
>     left=192.168.122.202
>     leftsubnet=30.30.30.0/24 <<<<<<<<<<<<<
>     leftid=192.168.122.202
>     leftfirewall=yes
>     right=192.168.122.203
>     rightsubnet=40.40.40.0/24
>     rightid=192.168.122.203
>     auto=route
>
> 3. My understanding is that it should add a new conn to the ipsec.conf file,
> rather than overwriting the existing conn. Am I right?
>
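A check for the symptom reported in this thread, as an added example that is not part of the original bug report or of the neutron-vpnaas code: it parses an ipsec.conf and returns the expected local/peer subnet pairs that no conn section covers. The function names, the conn name and the sample file (constructed from the addresses quoted in the report) are assumptions.

```python
import ipaddress

# Constructed sample: the file state described in the report, where only the
# second site connection is present. The conn name is made up.
SAMPLE_OVERWRITTEN = """\
# Configuration for vpn30
config setup
conn %default
    authby=psk
conn vpn30-example
    keyexchange=ikev2
    left=192.168.122.202
    leftsubnet=30.30.30.0/24
    right=192.168.122.203
    rightsubnet=40.40.40.0/24
    auto=route
"""
EXPECTED = [("10.10.10.0/24", "20.20.20.0/24"), ("30.30.30.0/24", "40.40.40.0/24")]

def parse_conns(text):
    """Return {name: {key: value}} for each named conn section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header starts at column 0
            parts = line.split()
            named = parts[0] == "conn" and len(parts) > 1 and parts[1] != "%default"
            current = conns.setdefault(parts[1], {}) if named else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def nets(value):
    """Parse a comma-separated leftsubnet/rightsubnet value."""
    return [ipaddress.ip_network(v.strip()) for v in value.split(",") if v.strip()]

def missing_pairs(text, expected):
    """Expected (local, peer) pairs that no conn's subnets contain."""
    have = [(l, r) for c in parse_conns(text).values()
            for l in nets(c.get("leftsubnet", "")) for r in nets(c.get("rightsubnet", ""))]
    def covered(el, er):
        return any(el.version == l.version and er.version == r.version
                   and el.subnet_of(l) and er.subnet_of(r) for l, r in have)
    return [(a, b) for a, b in expected
            if not covered(ipaddress.ip_network(a), ipaddress.ip_network(b))]

if __name__ == "__main__":
    for local, peer in missing_pairs(SAMPLE_OVERWRITTEN, EXPECTED):
        print(f"no conn covers {local} <-> {peer}")
```

Subnets set only in `conn %default` are not inherited by this parser, so it suits files where each conn carries its own leftsubnet and rightsubnet, as in the report.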