Router gateway ip can be changed while being used by a VPN IPsec site connection
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Confirmed | Undecided | Unassigned |
Bug Description
* Summary
When an IPsec site connection is using the IP address of the router gateway port as the local IP, a user can change the IP address of the router gateway port, and the IPsec site connection will then malfunction.
* Environment
devstack with vpnaas
* Step-by-step reproduction steps:
1. create two networks and two subnets respectively (left and right for VPN connection)
2. create two routers, connect subnets of step 1 to each of them
3. create a public network and subnet, connect two routers of step 2 to this public network
4. set up an IPsec VPN site connection between the two routers, wait for their status to become ACTIVE
5. change the router gateway port's fixed IP address of one of the routers:
- openstack router set <ROUTER_NAME> --external-gateway <PUBLIC_NETWORK> --fixed-ip subnet=
* Expected output:
- Users cannot change the IP address of the router gateway port as it is being used by an active VPN IPsec site connection
* Actual output:
- IP address of router gateway port is successfully changed
- statuses of both IPsec VPN site connections will change to DOWN
Changed in neutron:
status: New → Confirmed
Changed in neutron:
assignee: Hunt Xu (huntxu) → nobody
status: In Progress → Confirmed
There are two things to be fixed/added:
- No notification is sent when the router gateway port's IP address changes to another valid IP address in the same network, even to a different subnet.
- No validation is performed in the VPNaaS extension for such a change.
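
A sketch of the missing validation step, added here as an illustration and not taken from neutron or neutron-vpnaas: before a gateway fixed-IP update is applied, refuse it if it would remove an address that an IPsec site connection on that router uses as its local IP. The dict fields (`router_id`, `local_ip`, `id`), the exception and the function names are hypothetical, and connection status is deliberately ignored on the assumption that a connection in any state would break.

```python
import ipaddress


class GatewayIPInUse(Exception):
    """A gateway fixed-IP update would strand an IPsec site connection."""


def _ips(fixed_ips):
    # Entries that name only a subnet have no address yet; skip them so an
    # old IP counts as kept only when the request asks for it explicitly.
    return {ipaddress.ip_address(f["ip_address"])
            for f in fixed_ips if f.get("ip_address")}


def stranded_connections(router_id, old_fixed_ips, new_fixed_ips, connections):
    """Return ids of connections whose local IP the update would remove."""
    removed = _ips(old_fixed_ips) - _ips(new_fixed_ips)
    return sorted(
        c["id"] for c in connections
        if c["router_id"] == router_id
        and ipaddress.ip_address(c["local_ip"]) in removed
    )


def validate_gateway_update(router_id, old_fixed_ips, new_fixed_ips, connections):
    """Raise GatewayIPInUse instead of letting the connections go DOWN."""
    stranded = stranded_connections(
        router_id, old_fixed_ips, new_fixed_ips, connections)
    if stranded:
        raise GatewayIPInUse(
            f"router {router_id}: gateway IP in use by IPsec site "
            f"connection(s) {', '.join(stranded)}")


# Constructed sample data (documentation addresses, made-up ids).
CONNS = [
    {"id": "conn-left", "router_id": "r-left", "local_ip": "203.0.113.10"},
    {"id": "conn-right", "router_id": "r-right", "local_ip": "203.0.113.20"},
]
OLD = [{"subnet_id": "public-subnet", "ip_address": "203.0.113.10"}]

if __name__ == "__main__":
    try:
        validate_gateway_update(
            "r-left", OLD, [{"subnet_id": "public-subnet"}], CONNS)
    except GatewayIPInUse as exc:
        print("rejected:", exc)
```

A subnet-only request, like the one in step 5, is rejected here because the address that would be allocated is not known in advance.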