VPNaas: strongswan: cannot add more than one subnet to ipsec

Bug #1478778 reported by hanumanth jerbandi
Affects: neutron | Status: Expired | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

I used this patch (VPNaaS: Fedora support for StrongSwan) for VPNaaS on CentOS, referring to this bug:
https://bugs.launchpad.net/neutron/+bug/1441788

1. I used a single node with 2 routers, created ike/ipsec/vpn-service/site-vpn, and the tunnels came up fine (kilo-vpnaas-centos71).

10.10.10.x/24--------R1-------------R2-------------20.20.20.x/24

R1 to R2 on 192.168.122.202, 192.168.122.203.

2. When I added one more interface to R1 and R2, 30.30.30.x and 40.40.40.x respectively, and created ike/ipsec/vpn-service/site-vpn, it did not create a new conn in the ipsec.conf file; rather, it overwrote the existing (10.10.10.x) conn in the ipsec.conf file.

[root@ceos71 ~]# cat /var/lib/neutron/ipsec/70e88c46-c6b2-4c8d-afad-76ebd77b55cb/etc/strongswan/ipsec.conf
# Configuration for vpn10
config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=psk
        mobike=no

conn 221c6d37-e7a1-4afc-8d0f-4de32df3818b #### this is for 10.10.10.x
    keyexchange=ikev2
    left=192.168.122.202
    leftsubnet=10.10.10.0/24
    leftid=192.168.122.202
    leftfirewall=yes
    right=192.168.122.203
    rightsubnet=20.20.20.0/24
    rightid=192.168.122.203
    auto=route

### added 1 more subnet 30.30.30.x

[root@ceos71 ~]# cat /var/lib/neutron/ipsec/70e88c46-c6b2-4c8d-afad-76ebd77b55cb/etc/strongswan/ipsec.conf
# Configuration for vpn30
config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=psk
        mobike=no

conn 7b57fc83-3581-4e86-a193-e14474eef295 ### this is for 30.30.30.x; it overwrote the 10.10.10.x conn
    keyexchange=ikev2
    left=192.168.122.202
    leftsubnet=30.30.30.0/24 <<<<<<<<<<<<<
    leftid=192.168.122.202
    leftfirewall=yes
    right=192.168.122.203
    rightsubnet=40.40.40.0/24
    rightid=192.168.122.203
    auto=route

3. My understanding is that it should add a new conn to the ipsec.conf file rather than overwriting the existing conn. Am I right?

Revision history for this message
Paul Michali (pcm) wrote : Re: [Bug 1478778] [NEW] VPNaas: strongswan: cannot add more than one subnet to ipsec

Please show the commands you are using for the IPSec connection. It sounds like you are trying to create an IPSec connection with multiple subnets on each end. Is that correct?

Currently, VPNaaS IPSec connections may have one or more peer subnets, but only one local subnet. There is a bug out to enhance this to support more than one subnet (https://bugs.launchpad.net/neutron/+bug/1459423).
Regards,
PCM
On Tue, Jul 28, 2015 at 1:15 AM hanumanth jerbandi <email address hidden>
wrote:

Revision history for this message
hanumanth jerbandi (hanubgl) wrote :

Hi

I have the IKE and IPsec policies as below:
[root@ceos71 ~(keystone_admin)]# neutron vpn-ipsecpolicy-list
+--------------------------------------+--------+----------------+----------------------+--------+
| id | name | auth_algorithm | encryption_algorithm | pfs |
+--------------------------------------+--------+----------------+----------------------+--------+
| cac5e1df-4276-4163-af83-416df76319ff | ipsec1 | sha1 | aes-128 | group5 |
+--------------------------------------+--------+----------------+----------------------+--------+
[root@ceos71 ~(keystone_admin)]# neutron vpn-ikepolicy-list
+--------------------------------------+------+----------------+----------------------+-------------+--------+
| id | name | auth_algorithm | encryption_algorithm | ike_version | pfs |
+--------------------------------------+------+----------------+----------------------+-------------+--------+
| 908c3d3b-0d00-4e8d-9d62-6c45ecd361e5 | ike1 | sha1 | aes-128 | v2 | group5 |
+--------------------------------------+------+----------------+----------------------+-------------+--------+
[root@ceos71 ~(keystone_admin)]# neutron vpn-ikepolicy-show 908c3d3b-0d00-4e8d-9d62-6c45ecd361e5
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| auth_algorithm | sha1 |
| description | |
| encryption_algorithm | aes-128 |
| id | 908c3d3b-0d00-4e8d-9d62-6c45ecd361e5 |
| ike_version | v2 |
| lifetime | {"units": "seconds", "value": 3600} |
| name | ike1 |
| pfs | group5 |
| phase1_negotiation_mode | main |
| tenant_id | 92f04cefdbb84b96bd961d8722ea9476 |
+-------------------------+--------------------------------------+
[root@ceos71 ~(keystone_admin)]# neutron vpn-ipsecpolicy-show cac5e1df-4276-4163-af83-416df76319ff
+----------------------+--------------------------------------+
| Field | Value |
+----------------------+--------------------------------------+
| auth_algorithm | sha1 |
| description | |
| encapsulation_mode | tunnel |
| encryption_algorithm | aes-128 |
| id | cac5e1df-4276-4163-af83-416df76319ff |
| lifetime | {"units": "seconds", "value": 3600} |
| name | ipsec1 |
| pfs | group5 |
| tenant_id | 92f04cefdbb84b96bd961d8722ea9476 |
| transform_protocol | esp |
+-------------------...

Revision history for this message
Paul Michali (pcm) wrote :

The issue here is that there is a 1:1 correspondence between the VPN service and the router. There can only be one router for a service, and vice versa. The "bug" here is that the VPN code does not enforce this condition, preventing you from creating another VPN service with the same router.

There is a separate effort under progress that will allow multiple local and peer subnets to be associated with a single VPN connection. This would allow you to have both 10.10.10.x/24 and 30.30.30.x/24 subnets associated with the connection (something that is not currently possible).
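
As an added illustration of the two points made in this thread (a router may back only one VPN service, and a rewrite of ipsec.conf that loses a conn is the symptom of that rule not being enforced), here is a small Python example that is not neutron-vpnaas code; the service records and the trimmed ipsec.conf layout are constructed for the example, and `render_conf` with both connections shows the file the reporter expected to see.

```python
import re
from collections import defaultdict

def render_conf(service_name, conns):
    """Render ipsec.conf in the layout the report shows: one 'conn <uuid>'
    section per site connection. conns: list of (uuid, leftsubnet, rightsubnet).
    Passing both connections renders the file the reporter expected to see."""
    out = ["# Configuration for %s" % service_name, "config setup", "",
           "conn %default", "    keyexchange=ikev2", "    authby=psk", ""]
    for uuid, left, right in conns:
        out += ["conn %s" % uuid, "    leftsubnet=%s" % left,
                "    rightsubnet=%s" % right, "    auto=route", ""]
    return "\n".join(out)

CONN_RE = re.compile(r"^conn\s+(\S+)", re.MULTILINE)

def conn_names(conf_text):
    """Names of all conn sections in an ipsec.conf, excluding %default."""
    return [n for n in CONN_RE.findall(conf_text) if n != "%default"]

def dropped_conns(old_conf, new_conf):
    """Conn sections in old_conf that are missing from new_conf. Anything
    returned here is a tunnel the rewrite silently tore down, which is the
    symptom reported in this bug."""
    return sorted(set(conn_names(old_conf)) - set(conn_names(new_conf)))

def routers_claimed_twice(services):
    """router_id -> service ids for routers bound to more than one VPN service.
    The thread states VPNaaS requires 1:1 service/router but did not enforce it;
    a non-empty result is the condition that should have been rejected."""
    by_router = defaultdict(list)
    for svc in services:
        by_router[svc["router_id"]].append(svc["id"])
    return {r: ids for r, ids in by_router.items() if len(ids) > 1}

# Constructed sample data mirroring the report: two services on router R1.
VPN10 = ("221c6d37-e7a1-4afc-8d0f-4de32df3818b", "10.10.10.0/24", "20.20.20.0/24")
VPN30 = ("7b57fc83-3581-4e86-a193-e14474eef295", "30.30.30.0/24", "40.40.40.0/24")
BEFORE = render_conf("vpn10", [VPN10])  # first ipsec.conf quoted above
AFTER = render_conf("vpn30", [VPN30])   # what the agent wrote after vpn30 was added
SERVICES = [{"id": "vpn10", "router_id": "r1"}, {"id": "vpn30", "router_id": "r1"}]

if __name__ == "__main__":
    print("conns dropped by the rewrite:", dropped_conns(BEFORE, AFTER))
    print("routers claimed by more than one service:", routers_claimed_twice(SERVICES))
```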

Changed in neutron:
status: New → Confirmed
Revision history for this message
Paul Michali (pcm) wrote :

Having multiple local subnets is being handled under this bug - https://bugs.launchpad.net/neutron/+bug/1459423.

Granted, once implemented, it'll need to be tested for all the *Swan flavors and platforms (the approach being taken may need different syntax on different flavors/platforms), and follow-up bugs created if needed.

Revision history for this message
Paul Michali (pcm) wrote :

The mentioned feature is upstreamed. Could just mark this as a duplicate, or if enthusiastic, could try the feature with all *Swan flavors.

Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

This bug is > 240 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

Changed in neutron:
status: Confirmed → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired