neutron

Router gateway ip can be changed while being used by a VPN IPsec site connection

Bug #1743791 reported by Hunt Xu on 2018-01-17

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	Confirmed	Undecided	Unassigned

Bug Description

* Summary
When an IPsec site connection is using the IP address of the router gateway port as the local IP, user can change the IP address of the router gateway port, then the IPsec site connection will malfunction.

* Environment

devstack with vpnaas

* Step-by-step reproduction steps:
  1. create two networks and two subnets respectively (left and right for VPN connection)
  2. create two routers, connect subnets of step 1 to each of them
  3. create a public network and subnet, connect two routers of step 2 to this public network
  4. setup IPsec VPN site connection between the two routers, wait for their status being ACTIVE
  5. change the router gateway port's fixed IP address of one of the routers:
    - openstack router set <ROUTER_NAME> --external-gateway <PUBLIC_NETWORK> --fixed-ip subnet=<SUBNET>,ip-address=<NEW_IP_ADDRESS>

* Expected output:
- Users cannot change the IP address of the router gateway port as it is being used by an active VPN IPsec site connection

* Actual output:
- IP address of router gateway port is successfully changed
- statuses of both IPsec VPN site connections will change to DOWN

Tags:

Revision history for this message

Hunt Xu (huntxu) wrote on 2018-01-17:

There are two things to be fixed/added:
- No notification is sent when router gateway port's IP address changes to another valid IP address in the same network, even to different subnet.
- No validation is performed in VPNaaS extension for such a change.

Changed in neutron:
assignee:	nobody → Hunt Xu (huntxu)

YAMAMOTO Takashi (yamamoto) on 2018-01-18

Changed in neutron:
status:	New → Confirmed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-01-18: Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/535290

Changed in neutron:
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-08-20: Change abandoned on neutron (master)

Change abandoned by Hunt Xu (<email address hidden>) on branch: master
Review: https://review.openstack.org/535290

Hunt Xu (huntxu) on 2018-08-20

Changed in neutron:
assignee:	Hunt Xu (huntxu) → nobody
status:	In Progress → Confirmed

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.