vpn service can't be active again if the openswan process crashes

Bug #1570852 reported by MingShuang Xian
This bug affects 1 person
Affects: neutron
Status: Won't Fix
Importance: Medium
Assigned to: Unassigned

Bug Description

We are using VPNaaS with OpenSwan on Ubuntu and found that OpenSwan will crash when it receives some kinds of IKE2 attack packets. But I'm not very sure of the format of the packet. After OpenSwan crashes, the VPN-agent can't bring it up again and the VPN service status will always be DOWN.

We could use the following steps to reproduce it.
1. Bring up a VPN connection and show the VPN service status
vpn-service-list
+--------------------------------------+------+--------------------------------------+--------+
| id                                   | name | router_id                            | status |
+--------------------------------------+------+--------------------------------------+--------+
| c354e5d7-aa81-44c0-9aa7-0f157a2c7b7d | s1   | dde4af28-31ff-4dff-bff9-8355998c5d0c | ACTIVE |
| daa15ef8-3e99-4e37-a839-18dcf7910f9d | s2   | 0e8fb378-3e25-493c-9610-e48025b640ba | ACTIVE |
+--------------------------------------+------+--------------------------------------+--------+

2. Kill the OpenSwan process

3. Show the VPN service status again
vpn-service-list
+--------------------------------------+------+--------------------------------------+--------+
| id                                   | name | router_id                            | status |
+--------------------------------------+------+--------------------------------------+--------+
| c354e5d7-aa81-44c0-9aa7-0f157a2c7b7d | s1   | dde4af28-31ff-4dff-bff9-8355998c5d0c | DOWN   |
| daa15ef8-3e99-4e37-a839-18dcf7910f9d | s2   | 0e8fb378-3e25-493c-9610-e48025b640ba | ACTIVE |
+--------------------------------------+------+--------------------------------------+--------+

The VPN service will stay DOWN until the VPN-agent is restarted.

So we expect that the VPN-agent can bring the OpenSwan process up again if it crashes.

We found this issue with vpnaas-agent master.

Tags: vpnaas
MingShuang Xian (xianms)
Changed in neutron:
assignee: nobody → MingShuang Xian (xianms)
MingShuang Xian (xianms) wrote :

I should submit this defect in the neutron-vpnaas project, so I am changing its status to Invalid.

Changed in neutron:
status: New → Invalid
status: Invalid → New
Elena Ezhova (eezhova)
tags: added: vpnaas
Changed in neutron:
importance: Undecided → Medium
Al Miller (al-miller) wrote :

The OpenSwan pluto process does not automatically restart after crashing, and the VPNaaS connections will go down and stay down until it is restarted. If it is not automatically monitored and restarted, this will be the result.

Changed in neutron:
status: New → Confirmed
Armando Migliaccio (armando-migliaccio) wrote :
Changed in neutron:
assignee: MingShuang Xian (xianms) → nobody
status: Confirmed → Won't Fix
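
The monitoring gap discussed in this report, as an added example (not neutron-vpnaas code and not from any commenter): a liveness check that treats a missing pid file, a dead pid, or a recycled pid as "daemon down" and invokes a restart hook for each affected service. The pid-file paths, the `restart` callback and the process name `pluto` passed as `expected_name` are assumptions for illustration; the `/proc` check applies on Linux only.

```python
import os
from pathlib import Path


def read_pid(pid_file):
    """Return the integer pid stored in pid_file, or None if missing or garbled."""
    try:
        return int(Path(pid_file).read_text().strip())
    except (OSError, ValueError):
        return None


def process_alive(pid, expected_name=None):
    """True if pid exists and, when expected_name is given, its command name matches."""
    if pid is None or pid <= 0:
        return False
    try:
        os.kill(pid, 0)  # signal 0 is an existence check; nothing is delivered
    except ProcessLookupError:
        return False
    except PermissionError:
        pass  # the process exists but belongs to another user
    comm = Path(f"/proc/{pid}/comm")
    if expected_name and comm.exists():
        # Guard against pid reuse: after a crash the stale pid may now
        # belong to an unrelated program.
        return comm.read_text().strip() == expected_name
    return True


def reconcile(services, restart, expected_name="pluto"):
    """Call restart(service_id) for every service whose daemon is gone.

    services maps a service id to its pid file (hypothetical layout).
    Returns the list of service ids that were restarted.
    """
    restarted = []
    for service_id, pid_file in services.items():
        if not process_alive(read_pid(pid_file), expected_name):
            restart(service_id)
            restarted.append(service_id)
    return restarted
```

Run `reconcile` from a periodic task; the restart hook should also clear the stale pid file so the next pass does not match a recycled pid.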