[VPNaas] Libreswan driver support in VPNaaS
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Undecided | venkata anil |
Bug Description
I am running devstack on Fedora. VPNaas is not working on Fedora/centos devstack.
"neutron ipsec-site-
q-vpn log -
Command: ['sudo', '/usr/bin/
FATAL: NSS readonly initialization ("/opt/
Because of this error, pluto daemon is not running.
So VPNaas is not working on Fedora/centos devstack.
Fedora/centos uses Libreswan for ipsec.
From the wiki - "Libreswan is a fork of the Openswan IPSEC VPN implementation created by almost all of the openswan developers after a lawsuit about the ownership of the Openswan name was filed against Paul Wouters, then release manager of Openswan, in December 2012."
Changed in neutron:
assignee: nobody → venkata anil (anil-venkata)
tags: added: vpnaas
summary:
- [VPNaas] NSS init failing for libreswan
+ [VPNaas] Libreswan driver support in VPNaaS
Changed in neutron:
milestone: none → liberty-1
status: Fix Committed → Fix Released
Changed in neutron:
milestone: liberty-1 → 7.0.0
Libreswan will be compiled with NSS by default.
When 'ipsec pluto' is called, it checks for the NSS db. If the NSS db is not initialised, it fails.
So VPNaaS should create the NSS db before calling ipsec pluto (for the Libreswan implementation).
ipsec initnss /opt/stack/data/neutron/ipsec/250faac2-167b-4861-9d0c-b5710bf02ee2/etc/pki/nssdb/
then run pluto by specifying this etc/pki/nssdb/ as --ipsecdir
ipsec pluto --ipsecdir /opt/stack/data/neutron/ipsec/250faac2-167b-4861-9d0c-b5710bf02ee2/etc/pki/nssdb
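
The ordering described in the comment above (create the NSS db if it is missing, then start pluto with --ipsecdir pointing at it), as an added example that is not part of the original bug report or the neutron-vpnaas code. The `execute` callable, the function names and the owner-only directory mode are assumptions made for illustration.

```python
import os
import tempfile

# File names NSS uses for its certificate store: cert8.db (legacy DBM
# format) and cert9.db (SQLite format).
NSS_CERT_DBS = ("cert8.db", "cert9.db")


def nss_db_initialised(nssdb_dir):
    """Return True if nssdb_dir already holds an NSS certificate database."""
    return any(os.path.isfile(os.path.join(nssdb_dir, name))
               for name in NSS_CERT_DBS)


def start_pluto(nssdb_dir, execute):
    """Create the NSS db if it is missing, then start pluto against it.

    `execute` is a hypothetical stand-in for the agent's privileged command
    runner: it takes an argv list and raises on failure, so a failed
    initnss stops pluto from being launched against an empty directory.
    Returns the argv lists that were issued, in order.
    """
    # Assumption (added hardening): the NSS db is pluto's key and
    # certificate store, so keep its directory owner-only.
    os.makedirs(nssdb_dir, mode=0o700, exist_ok=True)
    os.chmod(nssdb_dir, 0o700)

    issued = []
    if not nss_db_initialised(nssdb_dir):
        issued.append(["ipsec", "initnss", nssdb_dir])
    issued.append(["ipsec", "pluto", "--ipsecdir", nssdb_dir])
    for argv in issued:
        execute(argv)
    return issued


if __name__ == "__main__":
    # Constructed demo: a throwaway directory and a runner that only prints.
    with tempfile.TemporaryDirectory() as root:
        nssdb = os.path.join(root, "etc", "pki", "nssdb")
        start_pluto(nssdb, lambda argv: print("would run:", " ".join(argv)))
```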