Create IPSec site connection with IPSec policy that specifies AH-ESP protocol error

Bug #1488764 reported by Dongcan Ye
Affects: neutron | Status: Fix Released | Importance: Undecided | Assigned to: Dongcan Ye

Bug Description

Create IPSec site connection with IPSec policy that specifies AH-ESP protocol leads to the following error:

2015-08-26 13:29:10.976 ERROR neutron.agent.linux.utils [req-7b4a7ccc-286e-4267-9d50-d84afa5b5663 demo 99b8d178a6784d749920414ac08bce66]
Command: ['ip', 'netns', 'exec', u'qrouter-552bb850-4b33-4bf9-8d6a-c7f47f6e2d27', 'ipsec', 'addconn', '--ctlbase', u'/opt/stack/data/neutron/ipsec/552bb850-4b33-4bf9-8d6a-c7f47f6e2d27/var/run/pluto.ctl', '--defaultroutenexthop', u'172.24.4.3', '--config', u'/opt/stack/data/neutron/ipsec/552bb850-4b33-4bf9-8d6a-c7f47f6e2d27/etc/ipsec.conf', u'a9587a5c-ff6e-4257-89c1-475300fc8622']
Exit code: 34
Stdin:
Stdout: 034 Must do at AH or ESP, not neither.

Stderr: WARNING: /opt/stack/data/neutron/ipsec/552bb850-4b33-4bf9-8d6a-c7f47f6e2d27/etc/ipsec.co

2015-08-26 13:29:10.976 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [req-7b4a7ccc-286e-4267-9d50-d84afa5b5663 demo 99b8d178a6784d749920414ac08bce66] Failed to enable vpn process on router 552bb850-4b33-4bf9-8d6a-c7f47f6e2d27
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Traceback (most recent call last):
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 251, in enable
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec self.start()
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 433, in start
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec ipsec_site_conn['id']
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 332, in _execute
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec extra_ok_codes=extra_ok_codes)
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec File "/opt/stack/neutron/neutron/agent/linux/ip_lib.py", line 719, in execute
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec extra_ok_codes=extra_ok_codes, **kwargs)
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec File "/opt/stack/neutron/neutron/agent/linux/utils.py", line 153, in execute
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec raise RuntimeError(m)
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError:
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['ip', 'netns', 'exec', u'qrouter-552bb850-4b33-4bf9-8d6a-c7f47f6e2d27', 'ipsec', 'addconn', '--ctlbase', u'/opt/stack/data/neutron/ipsec/552bb850-4b33-4bf9-8d6a-c7f47f6e2d27/var/run/pluto.ctl', '--defaultroutenexthop', u'172.24.4.3', '--config', u'/opt/stack/data/neutron/ipsec/552bb850-4b33-4bf9-8d6a-c7f47f6e2d27/etc/ipsec.conf', u'a9587a5c-ff6e-4257-89c1-475300fc8622']
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 34
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin:
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout: 034 Must do at AH or ESP, not neither.
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stderr: WARNING: /opt/stack/data/neutron/ipsec/552bb850-4b33-4bf9-8d6a-c7f47f6e2d27/etc/ipsec.co
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec

It seems Openswan doesn't support combined AH-ESP.

Tags: vpnaas
Elena Ezhova (eezhova) wrote :

It seems that neither OpenSwan nor StrongSwan supports AH+ESP. LibreSwan might support it, but in the doc they *strongly* advise against such a combination. Vyatta supports only ESP, and I'm not sure about the Cisco driver.

Apparently, we need some validation to be done for the transform_protocol option.

Changed in neutron:
status: New → Confirmed
Dongcan Ye (hellochosen)
Changed in neutron:
assignee: nobody → Dongcan Ye (hellochosen)
Changed in neutron:
status: Confirmed → In Progress
lvmxh (shaohef) wrote :

Hi, Dongcan Ye,
  How can I reproduce this bug?
  I mean the steps of your operation on neutron.
  I am also interested in this bug.

Dongcan Ye (hellochosen) wrote :

Hi,
You can create an ike_policy, ipsec_policy, vpn service and ipsec_site_connection.
But the IPSec policy should specify the AH-ESP protocol.

In the vpn agent log, you can see the errors shown in the bug description.
And the ipsec_site_connection is always in PENDING_CREATE status.

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-vpnaas (master)

Reviewed: https://review.openstack.org/218788
Committed: https://git.openstack.org/cgit/openstack/neutron-vpnaas/commit/?id=20a614fd64fb4b3fcd8d6dfa8e516fd1925610ad
Submitter: Jenkins
Branch: master

commit 20a614fd64fb4b3fcd8d6dfa8e516fd1925610ad
Author: Dongcan Ye <email address hidden>
Date: Mon Aug 31 09:34:30 2015 +0800

    Fix AH-ESP transform protocol in IPSec Policy

    When creating an ipsec_policy with transform_protocol AH-ESP,
    the ipsec_site_connection will always be in PENDING_CREATE; in the
    vpn-agent log it raises an ERROR: 034 Must do at AH or ESP, not neither.

    Currently Openswan, Strongswan and Libreswan do not support AH-ESP.
    In this patch, add a validator in the service driver for Openswan,
    Strongswan and Libreswan that will raise an exception when
    creating or updating the IPSec Policy transform protocol
    with "ah-esp".
    Other vendors can bypass validating the ipsec_policy when creating and
    updating the transform protocol, or implement specific logic for
    themselves.

    DocImpact

    Change-Id: I0fde0c815adb61e6eb2bf868cf57e1286e0231fc
    Closes-Bug: #1488764

Changed in neutron:
status: In Progress → Fix Committed
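The validation the merged fix describes, as an added illustration that is not neutron-vpnaas's own code: a pre-flight check in the service layer that rejects an "ah-esp" transform_protocol for the swan-based drivers (which can only render AH or ESP, not both) so the policy is refused at the API instead of leaving the ipsec_site_connection stuck in PENDING_CREATE. The driver table, the `IpsecPolicyValidationError` class and the function names are hypothetical.

```python
"""Hypothetical validator modelled on the fix in the bug above.
Example code, not neutron-vpnaas's own implementation."""

# Constructed table: transform protocols each device driver can render into
# a working connection.  The swan family accepts AH or ESP in one SA, not
# both.  Drivers absent from the table skip validation, which models the
# "other vendors can bypass" path from the commit message.
SUPPORTED_TRANSFORM_PROTOCOLS = {
    "openswan": frozenset({"ah", "esp"}),
    "strongswan": frozenset({"ah", "esp"}),
    "libreswan": frozenset({"ah", "esp"}),
}


class IpsecPolicyValidationError(ValueError):
    """Raised at the API layer, before the policy is persisted, so the
    agent never runs 'ipsec addconn' on a config it cannot load."""


def validate_transform_protocol(driver, ipsec_policy, partial=False):
    """Check ipsec_policy['transform_protocol'] against the driver's table.

    partial=True models an update request, where the field may be absent;
    in that case there is nothing to check.  Returns the normalised
    protocol string, or None when no check was applied.
    """
    supported = SUPPORTED_TRANSFORM_PROTOCOLS.get(driver)
    if supported is None:  # vendor driver with no restriction recorded
        return None
    if "transform_protocol" not in ipsec_policy:
        if partial:
            return None
        raise IpsecPolicyValidationError("transform_protocol is required")
    proto = str(ipsec_policy["transform_protocol"]).lower()
    if proto not in supported:
        raise IpsecPolicyValidationError(
            "driver %s supports transform_protocol %s, not %r"
            % (driver, "/".join(sorted(supported)), proto))
    return proto


def check_policy_create(driver, ipsec_policy):
    """Full policy body: transform_protocol must be present and valid."""
    return validate_transform_protocol(driver, ipsec_policy, partial=False)


def check_policy_update(driver, ipsec_policy_delta):
    """Update body: only validate the field if the caller is changing it."""
    return validate_transform_protocol(driver, ipsec_policy_delta, partial=True)
```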
Thierry Carrez (ttx)
Changed in neutron:
milestone: none → liberty-rc1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: liberty-rc1 → 7.0.0