VPNaaS: IPsec policy on peer site mismatched, still the IPsec site connection shows active state

Bug #1316726 reported by Ashish Kumar Gupta
Affects: neutron
Status: Invalid
Importance: Low
Assigned to: Prithvi Raghav.T.M

Bug Description

Steps to Reproduce:
1. Create two VPN sites, one with an IPsec policy using encryption_algorithm aes-256 and the other with aes-128.
2. Create the ipsec-site-connection and the other objects (vpn-service and IKE policy) on both sites.
3. Check the status of the VPN services.

+--------------------------------------+------+--------------------------------------+--------+
| id | name | router_id | status |
+--------------------------------------+------+--------------------------------------+--------+
| 530c3dfb-9224-403c-b285-a224c9a7036d | vpn1 | cd288ec1-cad5-48e4-a402-882103ac6ec5 | ACTIVE |
| 77d0b36f-35e3-46d9-8d33-1b989092cecf | vpn2 | 224c35b8-01b3-4e9b-a148-2751840a1b18 | ACTIVE |
+--------------------------------------+------+--------------------------------------+--------+
4. Check the status of the IPsec site connections.

+--------------------------------------+-------+--------------+----------------+------------+-----------+--------+
| id | name | peer_address | peer_cidrs | route_mode | auth_mode | status |
+--------------------------------------+-------+--------------+----------------+------------+-----------+--------+
| a158f5d5-128e-47ba-9260-34dc9ff315b0 | site1 | $peer_address2 | "$peer_cidrs2" | static | psk | ACTIVE |
| a9486296-bc36-439b-b0a8-4d4b0417486d | site2 | $peer_address1 | "$peer_cidrs1" | static | psk | ACTIVE |
+--------------------------------------+-------+--------------+----------------+------------+-----------+--------+
5. List the IKE policies.
+--------------------------------------+------+----------------+----------------------+-------------+--------+
| id | name | auth_algorithm | encryption_algorithm | ike_version | pfs |
+--------------------------------------+------+----------------+----------------------+-------------+--------+
| b04d74ad-ec1f-44b0-8ae6-802872bf4ca0 | IKE1 | sha1 | aes-256 | v1 | group5 |
| e5be37ec-9888-46a7-b884-083b5b5336aa | IKE2 | sha1 | aes-256 | v1 | group5 |
+--------------------------------------+------+----------------+----------------------+-------------+--------+
6. List the IPsec policies.
+--------------------------------------+--------+----------------+----------------------+--------+
| id | name | auth_algorithm | encryption_algorithm | pfs |
+--------------------------------------+--------+----------------+----------------------+--------+
| 12c9db3b-8122-4e1e-9aad-8e6e87225a1f | IPSEC1 | sha1 | aes-128 | group5 |
| d38bba51-ecdd-43ef-822c-4f1c86507c9a | IPSEC2 | sha1 | aes-256 | group5 |
+--------------------------------------+--------+----------------+----------------------+--------+

Actual Results: The IPsec site connection shows as ACTIVE even though the encryption algorithms in the two IPsec policies are mismatched.
Ping across the sites also succeeds.

Expected Results: The IPsec site connection should show as DOWN, since mismatched encryption algorithms are configured in the IPsec policies.

Tags: vpnaas
tags: added: vpnaas
Changed in neutron:
assignee: nobody → Prithvi Raghav.T.M (prithvi-t-m)
Prithvi Raghav.T.M (prithvi-t-m) wrote :

Is this bug also the same as https://bugs.launchpad.net/neutron/+bug/1316724, i.e. is this the default behaviour of the openswan configuration? Can Nachi Ueno please comment on this.

Ashish Kumar Gupta (ashish-kumar-gupta) wrote :

@prithvi:
The defect https://bugs.launchpad.net/neutron/+bug/1316724 is about an IKE policy with mismatched parameters on the peer site while the ipsec site connection still shows active state,
and the defect https://bugs.launchpad.net/neutron/+bug/1316726 is about an IPsec policy mismatched on the peer site while the ipsec site connection still shows active state.

The two defects are not the same.
In my understanding, since the vpn agent now uses the openswan driver to create the vpn tunnel and the ipsec.conf file, the parameters on both sites should match before the vpn agent moves the service to active state.

In this scenario, since site1 and site2 have different ipsec policy parameters, how is the tunnel formed across the sites?

Without the vpn-agent, /etc/ipsec.conf is created, but once we install the vpn-agent, /var/lib/neutron/ipsec/$Router_id/etc/ipsec.conf is created.
My comment is that the vpn agent should have checked the parameters and matched them accordingly on both sites, and only then should it update the service status.

Please let me know your thoughts.

description: updated
Changed in neutron:
importance: Undecided → Low
Paul Michali (pcm) wrote :

AFAIK, the IPSec connection is auto-negotiated and will use the IKE and IPSec policy that is compatible with each end (in this case negotiating down to aes-128).

This is not a bug, as far as I know. Will mark as invalid.
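
The following is an added illustration, not neutron or Openswan code, of the two views in this thread: Ashish's request that the agent compare the configured ipsec-policy attributes of both sites before reporting ACTIVE, and Paul's point that the tunnel is negotiated at runtime to whatever both ends accept. The "aes128-sha1;modp1536" proposal format, the value mappings and the permissive-responder model are assumptions chosen for the example, not verified driver output.

```python
"""Configured-policy comparison vs. negotiated outcome for two VPNaaS sites.
Added example; proposal rendering and responder behaviour are assumed."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed mapping from neutron ipsec-policy values to Openswan-style tokens.
ENC = {"aes-128": "aes128", "aes-192": "aes192", "aes-256": "aes256", "3des": "3des"}
PFS = {"group2": "modp1024", "group5": "modp1536", "group14": "modp2048"}


@dataclass(frozen=True)
class IPsecPolicy:
    name: str
    auth_algorithm: str
    encryption_algorithm: str
    pfs: str

    def proposal(self) -> str:
        """Render the policy as one esp=-style proposal string (assumed format)."""
        return f"{ENC[self.encryption_algorithm]}-{self.auth_algorithm};{PFS[self.pfs]}"


# Everything a permissive responder would accept (assumed support set).
SUPPORTED = {f"{e}-{a};{g}" for e in ENC.values()
             for a in ("sha1", "sha256") for g in PFS.values()}


def negotiate(initiator: IPsecPolicy, responder: IPsecPolicy, strict: bool) -> Optional[str]:
    """Return the ESP proposal the tunnel comes up with, or None if phase 2 fails.
    strict=True: the responder accepts only its own configured proposal.
    strict=False: the responder accepts any supported proposal, so a
    configured mismatch is silently negotiated to what the initiator offered."""
    acceptable = {responder.proposal()} if strict else SUPPORTED
    return initiator.proposal() if initiator.proposal() in acceptable else None


def mismatches(a: IPsecPolicy, b: IPsecPolicy) -> List[str]:
    """The control-plane pre-check asked for in the report: attributes that differ."""
    fields = ("auth_algorithm", "encryption_algorithm", "pfs")
    return [f for f in fields if getattr(a, f) != getattr(b, f)]


# Constructed from the ipsec-policy listing in the bug description.
IPSEC1 = IPsecPolicy("IPSEC1", "sha1", "aes-128", "group5")
IPSEC2 = IPsecPolicy("IPSEC2", "sha1", "aes-256", "group5")

if __name__ == "__main__":
    print("mismatched fields:", mismatches(IPSEC1, IPSEC2))
    print("permissive responder negotiates:", negotiate(IPSEC1, IPSEC2, strict=False))
    print("strict responder negotiates:", negotiate(IPSEC1, IPSEC2, strict=True))
```

With the permissive model the tunnel comes up on aes128 exactly as Paul describes, while the configured-policy check still reports the difference; the two results answer different questions, which is why the status can be ACTIVE despite the mismatch.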

Changed in neutron:
status: New → Invalid