VPN IPSec connection with fqdn not possible

Bug #1405413 reported by Tobias on 2014-12-24
This bug affects 2 people
Affects: neutron
Importance: Medium
Assigned to: Numan Siddique

Bug Description

Hi all

According to https://wiki.openstack.org/wiki/Neutron/VPNaaS#ipsec-site-connection_Resource, it should be possible to create IPsec site connections with a peer FQDN.

When adding a new IPsec site connection with --peer-address <fqdn>, I get an error in the vpn-agent logs on the network node, and the VPN for that router won't be enabled.

I'm adding the connection like this:
neutron ipsec-site-connection-create --psk 'XXXX' --peer-id "@tobi.dyndns.org" --peer-cidr 192.168.178.0/24 --peer-address "tobi.dyndns.org" --vpnservice-id af2979de-4800-43b3-ae8a-e85ede71bf8c --ikepolicy-id ed4726b7-cc1a-4c3d-af4d-d4fd736f20b1 --ipsecpolicy-id 4daba6a6-ac7f-4e37-b8ce-441c043b8285 --name "Tobi Home"

Created a new ipsec_site_connection:
+----------------+----------------------------------------------------+
| Field | Value |
+----------------+----------------------------------------------------+
| admin_state_up | True |
| auth_mode | psk |
| description | |
| dpd | {"action": "hold", "interval": 30, "timeout": 120} |
| id | 1c57278b-1633-4637-ae8d-f9dfc57cddcc |
| ikepolicy_id | ed4726b7-cc1a-4c3d-af4d-d4fd736f20b1 |
| initiator | bi-directional |
| ipsecpolicy_id | 4daba6a6-ac7f-4e37-b8ce-441c043b8285 |
| mtu | 1500 |
| name | Tobi Home |
| peer_address | tobi.dyndns.org |
| peer_cidrs | 192.168.178.0/24 |
| peer_id | tobi.dyndns.org |
| psk | XXX |
| route_mode | static |
| status | PENDING_CREATE |
| tenant_id | 46fcbd40f9b34a1b96fcf91ae84c9bba |
| vpnservice_id | af2979de-4800-43b3-ae8a-e85ede71bf8c |
+----------------+----------------------------------------------------+

Log:

2014-12-24 13:30:22.807 24920 ERROR neutron.services.vpn.device_drivers.ipsec [-] Failed to enable vpn process on router 0b4c88fa-4944-45a7-b1b3-fbee1d7fc2ac
2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec Traceback (most recent call last):
2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron/services/vpn/device_drivers/ipsec.py", line 242, in enable
2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec self.restart()
2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron/services/vpn/device_drivers/ipsec.py", line 342, in restart
2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec self.start()
2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron/services/vpn/device_drivers/ipsec.py", line 389, in start
2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec nexthop = self._get_nexthop(ipsec_site_conn['peer_address'])
2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron/services/vpn/device_drivers/ipsec.py", line 347, in _get_nexthop
2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec ['ip', 'route', 'get', address])
2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron/services/vpn/device_drivers/ipsec.py", line 314, in _execute
2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec check_exit_code=check_exit_code)
2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/ip_lib.py", line 550, in execute
2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec check_exit_code=check_exit_code, extra_ok_codes=extra_ok_codes)
2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/utils.py", line 84, in execute
2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec raise RuntimeError(m)
2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec RuntimeError:
2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-0b4c88fa-4944-45a7-b1b3-fbee1d7fc2ac', 'ip', 'route', 'get', 'tobi.dyndns.org']
2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec Exit code: 1
2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec Stdout: ''
2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec Stderr: 'Error: an inet prefix is expected rather than "tobi.dyndns.org".\n'
2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec
2014-12-24 13:30:22.965 24920 ERROR neutron.agent.linux.utils [-]
Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-fd8e2460-6542-40ab-bf41-6d2e403dce74', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/fd8e2460-6542-40ab-bf41-6d2e403dce74/var/run/pluto', '--status']
Exit code: 1
Stdout: ''
Stderr: 'whack: Pluto is not running (no "/var/lib/neutron/ipsec/fd8e2460-6542-40ab-bf41-6d2e403dce74/var/run/pluto.ctl")\n'
2014-12-24 13:30:23.751 24920 ERROR neutron.agent.linux.utils [req-be9b2275-a022-4f03-aa4c-65fc187046a9 None]
Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-0b4c88fa-4944-45a7-b1b3-fbee1d7fc2ac', 'ip', 'route', 'get', 'tobi.dyndns.org']
Exit code: 1
Stdout: ''
Stderr: 'Error: an inet prefix is expected rather than "tobi.dyndns.org".\n'

Tobias (tobik) on 2014-12-24
description: updated
description: updated
Changed in neutron:
assignee: nobody → Numan Siddique (numansiddique)
Changed in neutron:
status: New → In Progress
Changed in neutron:
status: In Progress → Confirmed
status: Confirmed → In Progress
Numan Siddique (numansiddique) wrote :

"ip route get tobi.dyndns.org" is failing because it expects an IP address. Since the peer address is an FQDN, it's failing.

There can be 2 solutions:
1. If the peer address is an FQDN, use the default gw, i.e. ip route list 0/0
2. Resolve the FQDN to an IP address and then call "ip route get <ip_address>"

I tested (1) and it is working.
I am not sure which is the right approach.

Tobias (tobik) wrote :

The IP address of the next hop for the VPN destination is used as the parameter "--defaultroutenexthop" in openswan's ipsec addconn.
I do not understand the purpose of this parameter and cannot find any documentation on it, but it should have some purpose, otherwise the function _get_nexthop wouldn't exist in neutron vpnaas.

To clone the behaviour for FQDN peers, approach #2 would be the best. Quick and dirty is approach #1, but I am not sure about issues in some situations.

Numan Siddique (numansiddique) wrote :

@tobik Thanks. I will work on #2.

Kyle Mestery (mestery) on 2015-02-24
Changed in neutron:
milestone: none → kilo-3
importance: Undecided → Medium

Reviewed: https://review.openstack.org/145005
Committed: https://git.openstack.org/cgit/openstack/neutron-vpnaas/commit/?id=e546478c7f8229ace261daa0102b06cf9ba953f1
Submitter: Jenkins
Branch: master

commit e546478c7f8229ace261daa0102b06cf9ba953f1
Author: Numan Siddique <email address hidden>
Date: Sun Feb 8 00:08:09 2015 +0530

    Fix the ipsec conn issue when peer addr is fqdn

    ipsec site connection fails when an fqdn is provided for peer addr.
    The failure is because the command 'ip route get' expects an
    ip address.

    This patch fixes the issue by resolving the fqdn to the ip address
    and passing this ip address to 'ip route get'.

    Change-Id: I3e22e8170ffe977ece3d36355a59def9e9d01d94
    Closes-bug: #1405413

Changed in neutron:
status: In Progress → Fix Committed
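The following is an added illustration of approach #2 from the comments above and of the committed fix's description: resolve the peer FQDN first, then hand only a validated IP literal to 'ip route get'. It is not the neutron-vpnaas code; the resolver is injectable (an assumption for offline testing), and the `route_get_command` helper is a hypothetical name that only builds the argv instead of executing it through rootwrap.

```python
"""Resolve an IPsec peer_address before asking the kernel for its next hop.

Added example, not neutron-vpnaas code. The rootwrap-run command in the bug's
traceback received the raw string 'tobi.dyndns.org'; here the argv only ever
receives an address that ipaddress has accepted as an IP literal.
"""
import ipaddress
import socket


class PeerResolutionError(Exception):
    """peer_address is neither an IP literal nor a resolvable name."""


def _default_resolver(name):
    # Real DNS lookup: every address string getaddrinfo returned for the name.
    infos = socket.getaddrinfo(name, None, 0, socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def resolve_peer_address(peer_address, resolver=_default_resolver):
    """Return peer_address as a validated IP literal string.

    A literal (IPv4 or IPv6) is returned unchanged. Anything else is treated
    as an FQDN; the first resolver result that parses as an IP is used. A name
    that does not resolve raises PeerResolutionError instead of surfacing as
    the 'an inet prefix is expected' RuntimeError seen in the agent log.
    """
    try:
        return str(ipaddress.ip_address(peer_address))
    except ValueError:
        pass  # not a literal, fall through to name resolution
    try:
        candidates = resolver(peer_address)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        raise PeerResolutionError("cannot resolve %r: %s" % (peer_address, exc))
    for cand in candidates:
        try:
            return str(ipaddress.ip_address(cand))
        except ValueError:
            continue  # resolver returned a non-address string; skip it
    raise PeerResolutionError("no usable address for %r" % (peer_address,))


def route_get_command(peer_address, namespace, resolver=_default_resolver):
    """Argv the agent would run inside the router namespace (hypothetical helper)."""
    ip = resolve_peer_address(peer_address, resolver)
    return ['ip', 'netns', 'exec', namespace, 'ip', 'route', 'get', ip]
```

Callers should treat PeerResolutionError as a configuration error for that one connection rather than a reason to abandon enabling VPN on the whole router.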
Thierry Carrez (ttx) on 2015-03-19
Changed in neutron:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2015-04-30
Changed in neutron:
milestone: kilo-3 → 2015.1.0