neutron

VPNaaS: IPsec siteconnection status DOWN while using IKE v2

Bug #1781354 reported by Dongcan Ye on 2018-07-12

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	Fix Released	Medium	Dongcan Ye

Bug Description

While using IKE policy with version v2, the IPsec siteconnection status always down, but the network traffic is OK.

From the ipsec status we can see that the ipsec connection is established:

# ip netns exec snat-a4d93552-c534-4a2c-96f7-c9b0ea918ba7 ipsec whack --ctlbase /var/lib/neutron/ipsec/a4d93552-c534-4a2c-96f7-c9b0ea918ba7/var/run/pluto --status
000 Total IPsec connections: loaded 3, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #2: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 2364s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1" esp.2d6840c8@172.16.2.130 esp.5d0c4043@172.16.2.123 tun.0@172.16.2.130 tun.0@172.16.2.123 ref=0 refhim=4294901761 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
000 #1: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 2574s; newest ISAKMP; isakmp#0; idle; import:admin initiate
000 #1: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1" ref=0 refhim=0 Traffic:
000
000 Bare Shunt list:
000

I think we should match "PARENT SA" in IKE v2. [1]

[1] https://libreswan.org/wiki/How_to_read_status_output

Tags:

Dongcan Ye (hellochosen) on 2018-07-12

Changed in neutron:
assignee:	nobody → Dongcan Ye (hellochosen)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-07-12: Fix proposed to neutron-vpnaas (master)

Fix proposed to branch: master
Review: https://review.openstack.org/582113

Changed in neutron:
status:	New → In Progress

Revision history for this message

Hunt Xu (huntxu) wrote on 2018-07-12:

What's your version information，I don't observe the same thing with libreswan-3.20 on CentOS 7.4.

---
[root@hosts ~]# ip netns exec qrouter-bd205844-be7f-474b-842f-c4333a238386 neutron-vpn-netns-wrapper --mount_paths=/etc:/opt/stack/data/neutron/ipsec/bd205844-be7f-474b-842f-c4333a238386/etc,/var/run:/opt/stack/data/neutron/ipsec/bd205844-be7f-474b-842f-c4333a238386/var/run --cmd=ipsec,whack,--status|grep establ
000 #12: "d8608ad2-61be-43c4-8b70-03aba58018bc/0x1":500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 339s; idle; import:respond to stranger
000 #13: "d8608ad2-61be-43c4-8b70-03aba58018bc/0x1":500 STATE_V2_IPSEC_R (IPsec SA established); EVENT_SA_REPLACE in 339s; isakmp#12; idle; import:respond to stranger
000 #14: "d8608ad2-61be-43c4-8b70-03aba58018bc/0x1":500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 2905s; newest ISAKMP; idle; import:respond to stranger
000 #15: "d8608ad2-61be-43c4-8b70-03aba58018bc/0x1":500 STATE_V2_IPSEC_R (IPsec SA established); EVENT_SA_REPLACE in 2905s; newest IPSEC; eroute owner; isakmp#14; idle; import:respond to stranger
---

Both "PARENT SA established" and "IPsec SA established" can be matched.

Revision history for this message

Dongcan Ye (hellochosen) wrote on 2018-07-12:

Thanks for providing those information：
os version: CentOS7.2
libreswan version: 3.16 and 3.17
neutron-vpnaas repo: stable/queens

Revision history for this message

Hunt Xu (huntxu) wrote on 2018-07-19:

This happens on master branch too.

I tested 3.16 through 3.20 packages from libreswan upstream [1] on a CentOS 7.4 host, only 3.20 is fine. I used the test_script from neutron-vpnaas repo with [2] applied and a slight change below to create a version2 ike policy.

------
$ git diff
diff --git a/tools/test_script.sh b/tools/test_script.sh
index c8eb66d..515b40c 100755
--- a/tools/test_script.sh
+++ b/tools/test_script.sh
@@ -32,7 +32,7 @@ function clean_site(){
}

function setup(){
- openstack vpn ike policy create ikepolicy1
+ openstack vpn ike policy create ikepolicy1 --ike-version v2
   openstack vpn ipsec policy create ipsecpolicy1
   setup_site west $WEST_SUBNET
   WEST_IP=$(get_external_ip vpn_west)
------

[1]. https://download.libreswan.org/binaries/rhel/7/x86_64/
[2]. https://review.openstack.org/#/c/566032/

Revision history for this message

Cao Xuan Hoang (hoangcx) wrote on 2018-07-19:

Thanks Hunt Xu for your confirmation.

Changed in neutron:
importance:	Undecided → Medium

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-09-25: Fix merged to neutron-vpnaas (master)

Reviewed: https://review.openstack.org/582113
Committed: https://git.openstack.org/cgit/openstack/neutron-vpnaas/commit/?id=321392b9a7d288167b0155284c0b7d30af44e5b3
Submitter: Zuul
Branch: master

commit 321392b9a7d288167b0155284c0b7d30af44e5b3
Author: Dongcan Ye <email address hidden>
Date: Thu Jul 12 09:00:13 2018 +0000

Match IPSEC SA established state

    While using IKE policy with version v2,
    the IPsec siteconnection status always down.
    From librewan wiki[1], the "phase2" in IKEv2 mistakenly
    calls itself a PARENT SA which same as "phase1",
    This is a known bug for some versions of libreswan.

    For the newer versions of libreswan(3.20+),
    the "IPsec SA established" will successful output if
    phase2 state established.

Here we match the "established" and "newest IPSEC" for
an established IPSEC SA.

[1] https://libreswan.org/wiki/How_to_read_status_output

Change-Id: Iffff7d00f48e69fbc53bb45df17d6a5be6760a6d
Closes-Bug: #1781354

Changed in neutron:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-09-25: Fix proposed to neutron-vpnaas (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/605100

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-09-25: Fix proposed to neutron-vpnaas (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/605101

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-10-01: Fix merged to neutron-vpnaas (stable/queens)

Reviewed: https://review.openstack.org/605101
Committed: https://git.openstack.org/cgit/openstack/neutron-vpnaas/commit/?id=3f36a0a552c30f103966ddfbd1373fd04aa8a9f4
Submitter: Zuul
Branch: stable/queens

commit 3f36a0a552c30f103966ddfbd1373fd04aa8a9f4
Author: Dongcan Ye <email address hidden>
Date: Thu Jul 12 09:00:13 2018 +0000

Match IPSEC SA established state

    For the newer versions of libreswan(3.20+),
    the "IPsec SA established" will successful output if
    phase2 state established.

Here we match the "established" and "newest IPSEC" for
an established IPSEC SA.

[1] https://libreswan.org/wiki/How_to_read_status_output

    Change-Id: Iffff7d00f48e69fbc53bb45df17d6a5be6760a6d
    Closes-Bug: #1781354
    (cherry picked from commit 321392b9a7d288167b0155284c0b7d30af44e5b3)

tags:

added: in-stable-queens

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-10-01: Fix merged to neutron-vpnaas (stable/rocky)

#10

Reviewed: https://review.openstack.org/605100
Committed: https://git.openstack.org/cgit/openstack/neutron-vpnaas/commit/?id=0876f4dfe7e2f57305110e035efa753bfb711a3f
Submitter: Zuul
Branch: stable/rocky

commit 0876f4dfe7e2f57305110e035efa753bfb711a3f
Author: Dongcan Ye <email address hidden>
Date: Thu Jul 12 09:00:13 2018 +0000

Match IPSEC SA established state

    For the newer versions of libreswan(3.20+),
    the "IPsec SA established" will successful output if
    phase2 state established.

Here we match the "established" and "newest IPSEC" for
an established IPSEC SA.

[1] https://libreswan.org/wiki/How_to_read_status_output

    Change-Id: Iffff7d00f48e69fbc53bb45df17d6a5be6760a6d
    Closes-Bug: #1781354
    (cherry picked from commit 321392b9a7d288167b0155284c0b7d30af44e5b3)