Vpnaas VPN ikepolicy does not support aggressive mode

Bug #1701413 reported by Li Xiao
This bug affects 1 person
Affects: neutron
Status: In Progress
Importance: Wishlist
Assigned to: zhanghao

Bug Description

When IPSec (openswan/libreswan/strongswan) creates an IKE policy,
you can choose one of the phase1-negotiation-mode values: main or aggressive.
However, vpnaas can only select main mode, and this cannot be modified.

When using IPSec (for example, libreswan) with IKE version V1
and phase1-negotiation-mode set to main, the IPSec connection does not support the NAT schema.
However, when phase1-negotiation-mode is changed to aggressive mode, the IPSec connection can traverse NAT.

Li Xiao (leeshow)
Changed in neutron:
assignee: nobody → Li Xiao (leeshow)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-vpnaas (master)

Fix proposed to branch: master
Review: https://review.openstack.org/479150

tags: added: rfe vpnaas
Akihiro Motoki (amotoki)
Changed in neutron:
importance: Undecided → Wishlist
Li Xiao (leeshow)
Changed in neutron:
status: In Progress → Confirmed
Changed in neutron:
status: Confirmed → In Progress
Li Xiao (leeshow)
Changed in neutron:
status: In Progress → Confirmed
Changed in neutron:
status: Confirmed → In Progress
Li Xiao (leeshow)
Changed in neutron:
status: In Progress → Confirmed
Changed in neutron:
status: Confirmed → In Progress
Li Xiao (leeshow)
Changed in neutron:
status: In Progress → Confirmed
Changed in neutron:
status: Confirmed → In Progress
Li Xiao (leeshow)
Changed in neutron:
status: In Progress → Confirmed
tags: removed: rfe
tags: added: rfe
Armando Migliaccio (armando-migliaccio) wrote :

Strictly speaking this is an API change, and as such should be tracked by a versioned API definition in neutron-lib. Though neutron-vpnaas API is not in neutron-lib and neutron-vpnaas is not under neutron governance at the moment, there's not much the drivers team can provide oversight on. That said I reviewed change [1].

[1] https://review.openstack.org/479150

Changed in neutron:
assignee: Li Xiao (leeshow) → zhichao zhu (rtmdk)
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-vpnaas (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/514497

tags: added: rfe-triaged
Changed in neutron:
status: In Progress → Triaged
Miguel Lavalle (minsel) wrote :

This RFE is approved. The only caveat is that the ability to handle the new value should be discoverable as an API extension.

tags: added: rfe-approved
removed: rfe-triaged
Slawek Kaplonski (slaweq) wrote : auto-abandon-script

This bug has had a related patch abandoned and has been automatically un-assigned due to inactivity. Please re-assign yourself if you are continuing work or adjust the state as appropriate if it is no longer valid.

Changed in neutron:
assignee: zhichao zhu (rtmdk) → nobody
tags: added: timeout-abandon
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-vpnaas (master)

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: master
Review: https://review.opendev.org/514497
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

tags: removed: rfe
Changed in neutron:
status: Triaged → Confirmed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-vpnaas (master)

Fix proposed to branch: master
Review: https://review.opendev.org/727073

Changed in neutron:
assignee: nobody → zhanghao (zhanghao2)
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-lib (master)

Fix proposed to branch: master
Review: https://review.opendev.org/727667

Changed in neutron:
assignee: zhanghao (zhanghao2) → Brian Haley (brian-haley)
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-lib (master)

Reviewed: https://review.opendev.org/727667
Committed: https://git.openstack.org/cgit/openstack/neutron-lib/commit/?id=89a2bd20013b47c1b65d47a46e032987d2409c9f
Submitter: Zuul
Branch: master

commit 89a2bd20013b47c1b65d47a46e032987d2409c9f
Author: zhanghao <email address hidden>
Date: Tue May 12 23:11:34 2020 -0400

    Add aggressive negotiation mode for ikepolicy

    The phase1 negotiation mode adds support for aggressive mode.

    Change-Id: I9280fa5216dc98f72db24a13e9f9638711a3494b
    Partial-Bug: #1701413

Changed in neutron:
assignee: Brian Haley (brian-haley) → zhanghao (zhanghao2)
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-vpnaas (master)

Reviewed: https://review.opendev.org/727073
Committed: https://git.openstack.org/cgit/openstack/neutron-vpnaas/commit/?id=e6bb1584d75cf5dd6aaff199f8c235e08fb6f1d9
Submitter: Zuul
Branch: master

commit e6bb1584d75cf5dd6aaff199f8c235e08fb6f1d9
Author: zhanghao <email address hidden>
Date: Mon May 11 22:07:16 2020 -0400

    Add aggressive negotiation mode for ikepolicy

    The *swan drivers can support the selection of main or aggressive
    negotiation mode, but vpnaas only supports main mode. When the external
    host establishes a VPN communication with the internal virtual machine in
    the cloud environment, if the external vpn site connection is configured
    in aggressive mode, this will cause communication failure. Therefore, this
    patch adds support for aggressive mode.

    Change-Id: Ia3c9db2d151bd7c63c6ab500dbdecfaf07583a6f
    Partial-Bug: #1701413

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-vpnaas (master)

Change abandoned by "Mohammed Naser <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron-vpnaas/+/479150
Reason: this has been implemented in https://review.opendev.org/c/openstack/neutron-vpnaas/+/727073
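
An added example (not code from neutron-vpnaas or from this report) that audits site connections for the failure the merged commit message describes, a local main-mode policy facing an aggressive-mode peer, and flags IKEv1 aggressive-mode policies for review. The `peer_phase1_mode` field, the sample inventory and the default values are assumptions made for illustration.

```python
# Added example, not neutron-vpnaas code. phase1_negotiation_mode and
# ike_version follow the VPNaaS ikepolicy resource; peer_phase1_mode is a
# hypothetical inventory field recording how the remote site is configured.
ALLOWED_MODES = ("main", "aggressive")  # values selectable after the merged change

def audit_connection(conn):
    """Return a list of findings for one site connection record."""
    policy = conn["ikepolicy"]
    label = f"{conn['name']} (ikepolicy {policy['name']})"
    mode = policy.get("phase1_negotiation_mode", "main")  # assumed default
    version = policy.get("ike_version", "v1")             # assumed default
    peer_mode = conn.get("peer_phase1_mode")
    findings = []
    if mode not in ALLOWED_MODES:
        return [f"{label}: unsupported phase1_negotiation_mode {mode!r}"]
    if version == "v2":
        # Main/aggressive are IKEv1 phase 1 exchanges; IKEv2 has neither.
        if mode == "aggressive":
            findings.append(f"{label}: aggressive mode set but ike_version is v2")
        return findings
    if peer_mode is not None and peer_mode != mode:
        # The failure described in the commit message: both ends must agree.
        findings.append(f"{label}: local mode {mode} but peer uses {peer_mode}")
    if mode == "aggressive":
        findings.append(f"{label}: IKEv1 aggressive mode, identities are not "
                        "encrypted; review PSK strength")
    return findings

def audit_all(connections):
    return [f for c in connections for f in audit_connection(c)]

# Constructed sample inventory.
SAMPLE = [
    {"name": "site-a", "peer_phase1_mode": "aggressive",
     "ikepolicy": {"name": "ike-main", "ike_version": "v1",
                   "phase1_negotiation_mode": "main"}},
    {"name": "site-b", "peer_phase1_mode": "aggressive",
     "ikepolicy": {"name": "ike-aggr", "ike_version": "v1",
                   "phase1_negotiation_mode": "aggressive"}},
    {"name": "site-c", "peer_phase1_mode": None,
     "ikepolicy": {"name": "ike-v2", "ike_version": "v2",
                   "phase1_negotiation_mode": "main"}},
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE):
        print(finding)
```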
