VPN agent does not handle multiple connections per vpn service

Bug #1263194 reported by Swaminathan Vasudevan on 2013-12-20
14
This bug affects 3 people
Affects Status Importance Assigned to Milestone
neutron
Medium
Bo Lin

Bug Description

When you try to configure more than one VPN site connection object with a single VPN Service, the second site connection is not handled by the VPN Agent. The plugin configures the data in the db, but the second site-connection status is always in "PENDING_CREATE" state.

Also the agent does not update the "ipsec.conf" and "ipsec.secrets" file for the new site-connection details. There is not Exception or Error messages raised by the Plugin or Agent during this operation, so it is clueless.

[root@Neutron-Server sc]# neutron ipsec-site-connection-list
+--------------------------------------+----------------+--------------+----------------+------------+-----------+----------------+
| id | name | peer_address | peer_cidrs | route_mode | auth_mode | status |
+--------------------------------------+----------------+--------------+----------------+------------+-----------+----------------+
| 81b502a7-a1ae-47e1-80c8-eadf0a98a154 | vpnconnection2 | 192.102.0.62 | "10.10.3.0/24" | static | psk | PENDING_CREATE |
| ed982186-5f8d-4704-b5c7-2456f98a84f2 | vpnconnection2 | 192.102.0.60 | "10.10.1.0/24" | static | psk | ACTIVE |
+--------------------------------------+----------------+--------------+----------------+------------+-----------+----------------+
----------
81b502a7-a1ae-47e1-80c8-eadf0a98a154 | vpnconnection2 | 192.102.0.62 | "10.10.3.0/24" | static | psk | PENDING_CREATE |
this one is in pending state

shihanzhang (shihanzhang) wrote :

I met the same problem, but I think the current implementation does not allow such operations.

Bo Lin (linb) on 2014-01-21
Changed in neutron:
assignee: nobody → berlin (linb)
Bo Lin (linb) on 2014-02-18
Changed in neutron:
status: New → Incomplete
Bo Lin (linb) wrote :

The current codes implementation does allow such operation and it seems a codes bug.
After restarting the q-vpn, the ipsec.secrets and ipsec.conf would reflect running well. I am digging into the source codes to found the reasons.

Changed in neutron:
status: Incomplete → Confirmed
Bo Lin (linb) wrote :

 I think I found the reason. Once one OpenSwan process is created, incoming updated vpnservice data would not be
updated into the process which leads to config files and openswan process always keep old configurations

Fix proposed to branch: master
Review: https://review.openstack.org/74627

Changed in neutron:
status: Confirmed → In Progress
Changed in neutron:
importance: Undecided → Medium
milestone: none → icehouse-3

Reviewed: https://review.openstack.org/74627
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6206d7e377cc5511042d2aa61a876d381493c8e5
Submitter: Jenkins
Branch: master

commit 6206d7e377cc5511042d2aa61a876d381493c8e5
Author: berlin <email address hidden>
Date: Wed Feb 19 15:34:47 2014 +0800

    Fix VPN agent does not handle multiple connections per vpn service

        Once the OpenSwan process is created, incoming updated vpnservice
    data would not be updated into the process class which leads to config
    files and openswan process always keep old configurations

    Change-Id: Ia91ab08b1d03fbbe46bafd4967b57181fc4c6e71
    Closes-Bug: 1263194

Changed in neutron:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2014-03-05
Changed in neutron:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2014-04-17
Changed in neutron:
milestone: icehouse-3 → 2014.1
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers