VPNaaS strongSwan driver does not reload secrets
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron-vpnaas (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
When a new IPsec Site Connection is added to a VPN Service which already hosts a connection, it is not properly propagated to the L3 Agent with the vpnaas plugin using the strongSwan driver.
See the following fragment: https:/
The `ipsec reload` command only reloads the ipsec.conf configuration. If a new connection is added with different PSK credentials, then we also need to run `ipsec rereadsecrets`, otherwise charon will try to use "%any - <remote peer>" credentials.
Preparations:
1. Enable charon filelog in the StrongSwan template. Add the following lines to /etc/neutron/
   [strongswan]
   strongswan_
2. Create /etc/neutron/
3. AppArmor systems only - temporarily place charon in complain mode in order to allow it to write logs to /var/log/neutron directory: aa-complain /usr/lib/
4. Restart neutron-l3-agent so it will regenerate all VPN configurations with logging enabled.
Steps to reproduce the problem:
1. Create a new router.
2. Create a VPN service associated with new router.
3. Create an IPsec Site Connection and associate it with the VPN service.
4. Create another IPsec Site Connection, with different PSK in the same VPN service.
Expected behavior:
New IPsec Site Connection should be in Active state.
Actual behavior:
The new IPsec Site Connection does not start. Authentication errors can be seen on both sides. See the following log snippet, which should be present in /var/log/
Discovered on an OpenStack Rocky-based deployment, but this issue still seems to be present in the master branch of neutron-vpnaas (see the opendev.org link above).
I am attaching a patch which should fix the issue; I have deployed it in a test environment and initial tests show that it works correctly.
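The following is an added illustration of the reload behaviour the report describes; it is not the attached patch nor code from neutron-vpnaas. It assumes a hypothetical driver that writes ipsec.conf and ipsec.secrets into a per-router config directory and then tells charon to pick up the change. `ipsec reload` re-reads only ipsec.conf, so the helper tracks both files and issues `ipsec rereadsecrets` whenever the secrets file changed. The command runner is injectable so the sequence can be checked without a running charon; the `StrongSwanReloader` class, `render_secrets` function and the sample identities are constructed for this example.

```python
"""Hypothetical reload helper for a strongSwan-based VPN driver (example only)."""
import hashlib
import os
import subprocess
import tempfile
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Executor for `ipsec <subcommand>`; a real driver would run it inside the
# router's network namespace. Injectable so tests can record calls instead.
Runner = Callable[[List[str]], None]


def _digest(path: str) -> Optional[str]:
    """SHA-256 of a file's bytes, or None when the file does not exist yet."""
    try:
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()
    except FileNotFoundError:
        return None


def render_secrets(connections: Sequence[Tuple[str, str, str]]) -> str:
    """Render ipsec.secrets lines of the form `<left> <right> : PSK "<psk>"`.

    One line per site connection, so every remote peer has its own PSK
    instead of charon matching a generic `%any` entry.
    """
    lines = []
    for left, right, psk in connections:
        # A double quote would terminate the quoted PSK early; reject it.
        if '"' in psk:
            raise ValueError("PSK must not contain double quotes")
        lines.append('%s %s : PSK "%s"' % (left, right, psk))
    return "\n".join(lines) + "\n"


class StrongSwanReloader:
    """Track ipsec.conf / ipsec.secrets and issue the matching charon command.

    `ipsec reload` only re-reads ipsec.conf, so a changed ipsec.secrets is
    invisible to charon until `ipsec rereadsecrets` is run as well.
    """

    def __init__(self, config_dir: str, binary: str = "ipsec",
                 runner: Optional[Runner] = None) -> None:
        self.config_dir = config_dir
        self.binary = binary
        self.runner = runner or (lambda cmd: subprocess.run(cmd, check=True))
        self._seen: Dict[str, Optional[str]] = {}  # file name -> last digest

    def _path(self, name: str) -> str:
        return os.path.join(self.config_dir, name)

    def sync(self) -> List[str]:
        """Run the subcommands needed for the current files; return what ran."""
        ran: List[str] = []
        for fname, subcmd in (("ipsec.conf", "reload"),
                              ("ipsec.secrets", "rereadsecrets")):
            current = _digest(self._path(fname))
            # First sync or content change: ask charon to re-read that file.
            if fname not in self._seen or self._seen[fname] != current:
                self.runner([self.binary, subcmd])
                ran.append(subcmd)
            self._seen[fname] = current
        return ran


def demo() -> List[List[str]]:
    """Constructed walk-through: one connection, then a second with a new PSK,
    then a no-op sync, then a PSK rotation that touches only ipsec.secrets."""
    calls: List[List[str]] = []
    results: List[List[str]] = []
    site_a = ("203.0.113.1", "198.51.100.1", "psk-for-site-a")   # constructed
    site_b = ("203.0.113.1", "198.51.100.2", "psk-for-site-b")   # constructed
    with tempfile.TemporaryDirectory() as cfg:
        reloader = StrongSwanReloader(cfg, runner=calls.append)

        def write(conns: Sequence[Tuple[str, str, str]]) -> None:
            with open(os.path.join(cfg, "ipsec.conf"), "w") as fh:
                for left, right, _ in conns:
                    fh.write("conn %s\n  leftid=%s\n  rightid=%s\n" % (right, left, right))
            with open(os.path.join(cfg, "ipsec.secrets"), "w") as fh:
                fh.write(render_secrets(conns))

        write([site_a])
        results.append(reloader.sync())           # reload + rereadsecrets
        write([site_a, site_b])
        results.append(reloader.sync())           # both files changed again
        results.append(reloader.sync())           # nothing changed
        write([site_a, (site_b[0], site_b[1], "rotated-psk")])
        results.append(reloader.sync())           # only secrets changed
    return results


if __name__ == "__main__":
    print(demo())
```

The digest check keeps `rereadsecrets` from running on every reload, but a driver that simply runs both commands after each connection change is equally correct; what matters is that the secrets file is never updated without charon being told to re-read it.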
description: updated
description: updated
Changed in neutron: status: New → Confirmed
Changed in neutron-vpnaas (Ubuntu): status: Confirmed → In Progress
Patch uploaded for review here: https://review.opendev.org/c/openstack/neutron-vpnaas/+/783331