VPNAAS: Updating the peer id from ip address to email id making the ipsec site connection forever down vm across the sites not able to ping each other

Bug #1316731 reported by Ashish Kumar Gupta
Affects: neutron
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

Steps to Reproduce:
1. Create two sites with a vpn service, vpn ike policy, ipsec policy and ipsec site connection.
2. Make sure the VMs across the sites are able to ping each other after successful tunnel creation.
3. Check the status of the operation on both the sites:
neutron ipsec-site-connection-list
+--------------------------------------+----------------+---------------+----------------+------------+-----------+--------+
| id | name | peer_address | peer_cidrs | route_mode | auth_mode | status |
+--------------------------------------+----------------+---------------+----------------+------------+-----------+--------+
| 8af2322c-aaac-4de1-b026-d5a2afdc3845 | vpnconnection1 | $peer_address2 | "11.11.1.0/24" | static | psk | ACTIVE |
+--------------------------------------+----------------+---------------+----------------+------------+-----------+--------+
neutron vpn-service-list
+--------------------------------------+--------+--------------------------------------+--------+
| id | name | router_id | status |
+--------------------------------------+--------+--------------------------------------+--------+
| 58caaf89-ecc2-4cf4-a86c-374b2d22dc35 | myvpn1 | 336c444b-22d1-40a8-ad9c-54063aaaa5e2 | ACTIVE |
+--------------------------------------+--------+--------------------------------------+--------+
neutron vpn-service-list
+--------------------------------------+--------+--------------------------------------+--------+
| id | name | router_id | status |
+--------------------------------------+--------+--------------------------------------+--------+
| 9408fed3-35e3-48c6-ae1c-23324eb9b108 | myvpn1 | cfd9c896-c56f-4da1-93b5-3591fc0a7841 | ACTIVE |
+--------------------------------------+--------+--------------------------------------+--------+
neutron ipsec-site-connection-list
+--------------------------------------+----------------+---------------+----------------+------------+-----------+--------+
| id | name | peer_address | peer_cidrs | route_mode | auth_mode | status |
+--------------------------------------+----------------+---------------+----------------+------------+-----------+--------+
| 465cca84-49a4-4170-b15b-64d9a9664e90 | vpnconnection1 | $peer_address1 | "10.10.1.0/24" | static | psk | ACTIVE |
+--------------------------------------+----------------+---------------+----------------+------------+-----------+--------+
neutron vpn-service- show 465cca84-49a4-4170-b15b-64d9a9664e90
+----------------+----------------------------------------------------+
| Field | Value |
+----------------+----------------------------------------------------+
| admin_state_up | True |
| auth_mode | psk |
| description | |
| dpd | {"action": "hold", "interval": 30, "timeout": 120} |
| id | 465cca84-49a4-4170-b15b-64d9a9664e90 |
| ikepolicy_id | 6159a86b-38f2-415e-b583-bca27b6b8c15 |
| initiator | bi-directional |
| ipsecpolicy_id | e63d8cef-56a0-4b13-9094-940256ce7cc8 |
| mtu | 1500 |
| name | vpnconnection1 |
| peer_address | $peer_address1 |
| peer_cidrs | 10.10.1.0/24 |
| peer_id | $peer_address1 |
| psk | secret |
| route_mode | static |
| status | ACTIVE |
| tenant_id | d209c7ac08304ff48c59a53c2c47516c |
| vpnservice_id | 9408fed3-35e3-48c6-ae1c-23324eb9b108 |
+----------------+----------------------------------------------------+
Make sure the VMs across the sites are pinging each other.

4. Now update the peer id on one of the sites to an email id.
neutron ipsec-site-connection-update 465cca84-49a4-4170-b15b-64d9a9664e90 --peer_id <email address hidden>
Updated ipsec_site_connection: 465cca84-49a4-4170-b15b-64d9a9664e90

5. Check the status of the vpn site connection
neutron ipsec-site-connection-list
+--------------------------------------+----------------+---------------+----------------+------------+-----------+--------+
| id | name | peer_address | peer_cidrs | route_mode | auth_mode | status |
+--------------------------------------+----------------+---------------+----------------+------------+-----------+--------+
| 465cca84-49a4-4170-b15b-64d9a9664e90 | vpnconnection1 | $peer_address1 | "10.10.1.0/24" | static | psk | DOWN |
+--------------------------------------+----------------+---------------+----------------+------------+-----------+--------+

Actual Results: Updating the peer id from the peer ip address to an email id makes the ipsec site connection go DOWN. The VMs across the sites are not able to ping each other after the update.

Expected Results: Updating the peer id from the peer ip address to an email id should not make the ipsec site connection go down forever, and after a successful update the VMs across the sites should be able to ping each other.

Tags: vpnaas
tags: added: vpnaas
Nachi Ueno (nati-ueno) wrote :

Could you make sure we can resolve the domain from the namespace?
Maybe it is a DNS issue.

Changed in neutron:
status: New → Incomplete
Ashish Kumar Gupta (ashish-kumar-gupta) wrote :

Created an ipsec-site-connection:
neutron ipsecsite-connection-list
+--------------------------------------+-------+--------------+----------------+------------+-----------+--------+
| id | name | peer_address | peer_cidrs | route_mode | auth_mode | status |
+--------------------------------------+-------+--------------+----------------+------------+-----------+--------+
| 55075f5b-3bf1-4123-b129-7b031103775b | site2 | 192.132.0.31 | "10.10.1.0/24" | static | psk | ACTIVE |
| bf924188-0deb-46c0-8fa9-0bc5b68aab2b | site1 | 192.132.0.32 | "10.10.2.0/24" | static | psk | ACTIVE |
+--------------------------------------+-------+--------------+----------------+------------+-----------+--------+
Then updated one of the site:
neutron ipsec-site-connection-update 55075f5b-3bf1-4123-b129-7b031103775b --peer_id <email address hidden>

Able to resolve the domain name from the namespace:
igann11:/var/lib/neutron/lbaas# ip netns exec qdhcp-9ad4f092-c237-41ba-860c-f1432224d279 ping <email address hidden>
PING <email address hidden> (192.132.0.32) 56(84) bytes of data.
64 bytes from <email address hidden> (192.132.0.32): icmp_req=1 ttl=64 time=0.342 ms
64 bytes from <email address hidden> (192.132.0.32): icmp_req=2 ttl=64 time=0.169 ms
64 bytes from <email address hidden> (192.132.0.32): icmp_req=3 ttl=64 time=0.044 ms
64 bytes from <email address hidden> (192.132.0.32): icmp_req=4 ttl=64 time=0.041 ms
--- <email address hidden> ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.041/0.149/0.342/0.122 ms
igann11:/var/lib/neutron/lbaas# ip netns exec qdhcp-9ad4f092-c237-41ba-860c-f1432224d279 ping <email address hidden>
PING <email address hidden> (192.132.0.31) 56(84) bytes of data.
64 bytes from <email address hidden> (192.132.0.31): icmp_req=1 ttl=63 time=0.254 ms
64 bytes from <email address hidden> (192.132.0.31): icmp_req=2 ttl=63 time=0.055 ms
Validating the status again:
neutron ipsecsite-connection-list
+--------------------------------------+-------+--------------+----------------+------------+-----------+--------+
| id | name | peer_address | peer_cidrs | route_mode | auth_mode | status |
+--------------------------------------+-------+--------------+----------------+------------+-----------+--------+
| 55075f5b-3bf1-4123-b129-7b031103775b | site2 | 192.132.0.31 | "10.10.1.0/24" | static | psk | DOWN |
| bf924188-0deb-46c0-8fa9-0bc5b68aab2b | site1 | 192.132.0.32 | "10.10.2.0/24" | static | psk | ACTIVE |
+--------------------------------------+-------+--------------+----------------+------------+-----------+--------+

Please let me know if anything else is missing or needs to be validated.

vikas (vikas-d-m)
Changed in neutron:
assignee: nobody → vikas (vikas-d-m)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/116835

Changed in neutron:
status: Incomplete → In Progress
Akihiro Motoki (amotoki) wrote :

In my understanding, in some cases peer_id should be an IP address, but it depends on the deployment of your peer.
If the peer of the VPN connection is a VPN gateway device which terminates the VPN connection, peer_id and peer_address should match.

In the case in the bug report, Neutron VPN services are connected to each other, so the peer device is a VPN gateway and this is the case where peer_id and peer_address should match.

However, we cannot assume a peer device is always a VPN gateway which terminates the VPN connection. There is a case where peer_id and peer_address are different. If you have a router at the edge of the remote network and that router does not support IPsec VPN, but there is another Layer 3 device that supports IPsec VPN connected internally to the external-facing router's internal network, then you might need to have configured the "peer_id" as the identifier of that Layer 3 IPsec VPN device.

We need to consider that case. It completely depends on the peer device setup.
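The identity rule discussed in the thread (the remote ID one side expects must equal the ID the other side actually presents, which is only the same as peer_address when the peer is the gateway itself) can be checked before an update is applied. The following is an added example, not code from the bug report or from neutron-vpnaas. It assumes, as a labelled simplification of how *swan-style drivers render a connection, that a site presents its own external IP as its IKE identity unless an override is set; the `local_id` field and the `vpn@example.com` identity are constructed placeholders (the real email in the report is hidden), and the addresses are taken from the reporter's listing. DNS resolvability, which Nachi asked about, is deliberately not consulted: a resolvable name that does not match the presented ID still fails IKE authentication.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hostname per RFC 1123 label rules, at least one dot, alphabetic TLD.
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)
_LOCAL_PART_RE = re.compile(r"^[a-z0-9._%+-]+$", re.IGNORECASE)


def classify_id(value: str) -> str:
    """Classify an IKE identity as 'ipv4', 'ipv6', 'email', 'fqdn' or 'invalid'."""
    value = value.strip()
    try:
        return "ipv4" if ipaddress.ip_address(value).version == 4 else "ipv6"
    except ValueError:
        pass
    if value.count("@") == 1:
        local, domain = value.split("@")
        if _LOCAL_PART_RE.match(local) and _FQDN_RE.match(domain):
            return "email"
        return "invalid"
    if _FQDN_RE.match(value):
        return "fqdn"
    return "invalid"


@dataclass
class SiteConnection:
    name: str
    local_address: str          # external IP of this site's vpnservice
    peer_address: str           # ipsec-site-connection peer_address
    peer_id: str                # identity we expect the remote to present
    local_id: Optional[str] = None  # hypothetical override of the ID we present

    def presented_id(self) -> str:
        # Assumption: without an override a site identifies itself by its external IP.
        return self.local_id or self.local_address


def check_pair(a: SiteConnection, b: SiteConnection) -> List[str]:
    """Return the identity problems between two connections; [] means consistent."""
    problems = []
    for mine, other in ((a, b), (b, a)):
        kind = classify_id(mine.peer_id)
        if kind == "invalid":
            problems.append(
                f"{mine.name}: peer_id {mine.peer_id!r} is not an IP, FQDN or email identity")
            continue
        if mine.peer_address != other.local_address:
            problems.append(
                f"{mine.name}: peer_address {mine.peer_address} is not {other.name}'s "
                f"external address {other.local_address}")
        if mine.peer_id != other.presented_id():
            problems.append(
                f"{mine.name}: peer_id {mine.peer_id!r} ({kind}) does not match the ID "
                f"{other.name} presents ({other.presented_id()!r}); IKE authentication "
                "will fail and the connection stays DOWN")
    return problems


def healthy_pair() -> Tuple[SiteConnection, SiteConnection]:
    """Constructed sample using the reporter's addresses: two Neutron gateways facing each other."""
    site1 = SiteConnection("site1", local_address="192.132.0.31",
                           peer_address="192.132.0.32", peer_id="192.132.0.32")
    site2 = SiteConnection("site2", local_address="192.132.0.32",
                           peer_address="192.132.0.31", peer_id="192.132.0.31")
    return site1, site2


if __name__ == "__main__":
    site1, site2 = healthy_pair()
    print("before update:", check_pair(site1, site2) or "consistent")

    # The update from the report: only site2's peer_id becomes an email identity.
    site2.peer_id = "vpn@example.com"  # constructed placeholder for the hidden address
    for problem in check_pair(site1, site2):
        print("after update: ", problem)

    # Paul's question: what if the other side presents the same email identity?
    site1.local_id = "vpn@example.com"  # hypothetical override, see assumptions above
    print("both sides:   ", check_pair(site1, site2) or "consistent")
```

Running the script reproduces the report's outcome: the pair is consistent with IP identities, changing one peer_id to an email leaves that connection expecting an identity the other gateway never presents, and it only becomes consistent again once the other side presents the same email identity.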

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Kyle Mestery (<email address hidden>) on branch: master
Review: https://review.openstack.org/116835
Reason: Change needs to be repurposed against the neutron-vpnaas repository.

Paul Michali (pcm) wrote :

vikas, are you planning to continue working on this issue? If so, can you please update the bug report?

Akihiro, are you indicating that, in this case, the peer_id and peer_address should both have been (the same) email address?

If so, Ashish, can you modify your test setup to see if it works with both the same?

Can you also check the case that Akihiro was mentioning (with a router and second L3 device)?

If it fails, we probably want to see what the config files are, and what the logs say.

Kyle Mestery (mestery)
Changed in neutron:
status: In Progress → Incomplete
Paul Michali (pcm) wrote :

Unanswered questions remain on this, and it has been idle for a long time.

Armando Migliaccio (armando-migliaccio) wrote :

This bug is > 240 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

Changed in neutron:
assignee: vikas (vikas-d-m) → nobody
Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired