pptp vpn doesn't work with openvswitch firewall
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron |
In Progress
|
Undecided
|
Yang Li |
Bug Description
I have a VM with pptp vpn installed, and the vpn server is running. And I use security group rules like this:
# neutron security-
# neutron security-
# neutron security-
Then I create a new VM to connect with vpn server, but seems there is a problem in the connectivity that no reply from the vpn server. I captured the vpn server's tap device with tcpdump, the information like this:
16:09:15.486548 fa:16:3e:26:7f:fe > fa:16:3e:e2:bd:f9, ethertype IPv4 (0x0800), length 75: 192.168.111.57 > 192.168.111.45: GREv1, call 0, seq 4, proto PPP (0x880b), length 41: LCP (0xc021), length 29: LCP, Conf-Request (0x01), id 1, length 27
16:09:18.490483 fa:16:3e:26:7f:fe > fa:16:3e:e2:bd:f9, ethertype IPv4 (0x0800), length 75: 192.168.111.57 > 192.168.111.45: GREv1, call 0, seq 5, proto PPP (0x880b), length 41: LCP (0xc021), length 29: LCP, Conf-Request (0x01), id 1, length 27
16:09:21.494344 fa:16:3e:26:7f:fe > fa:16:3e:e2:bd:f9, ethertype IPv4 (0x0800), length 75: 192.168.111.57 > 192.168.111.45: GREv1, call 0, seq 6, proto PPP (0x880b), length 41: LCP (0xc021), length 29: LCP, Conf-Request (0x01), id 1, length 27
16:09:24.498097 fa:16:3e:26:7f:fe > fa:16:3e:e2:bd:f9, ethertype IPv4 (0x0800), length 75: 192.168.111.57 > 192.168.111.45: GREv1, call 0, seq 7, proto PPP (0x880b), length 41: LCP (0xc021), length 29: LCP, Conf-Request (0x01), id 1, length 27
16:09:27.501446 fa:16:3e:26:7f:fe > fa:16:3e:e2:bd:f9, ethertype IPv4 (0x0800), length 75: 192.168.111.57 > 192.168.111.45: GREv1, call 0, seq 8, proto PPP (0x880b), length 41: LCP (0xc021), length 29: LCP, Conf-Request (0x01), id 1, length 27
16:09:30.504937 fa:16:3e:26:7f:fe > fa:16:3e:e2:bd:f9, ethertype IPv4 (0x0800), length 75: 192.168.111.57 > 192.168.111.45: GREv1, call 0, seq 9, proto PPP (0x880b), length 41: LCP (0xc021), length 29: LCP, Conf-Request (0x01), id 1, length 27
Seems the vpn server has replied the packet, but these packets are dropped somewhere. After some investigation, I found the packets are set to mark=1:
47,orig=
This flow set the incoming packet to mark=1:
cookie=
When I add 2 flows into br-int, the connectivity will be normal:
cookie=
cookie=
Because pptp vpn is based on Grev1, I think there is a problem with Grev1.
BTW, if I create gre tunnel between VMs, the connectivity between them is fine. The gre tunnel is based on Grev0, so seems there is no problem with Grev0.
can you show all rules in your security group?
can you provide the dump of all flows?