
yahoo-eng-team team mailing list archive

[Bug 1316724] [NEW] IKE Policy on peer site mismatched parameter still the ipsec site connection shows in active state

 

Public bug reported:

Steps to Reproduce:
1. Create a VPN site with one IKE policy with encryption_algorithm aes-256 and the other site with aes-128.
2. Create the ipsec-siteconnection and the other operations like vpn-services and ipsec policy on both sites.
3. Check the status of the VPN service.

+--------------------------------------+------+--------------------------------------+--------+
| id                                   | name | router_id                            | status |
+--------------------------------------+------+--------------------------------------+--------+
| 530c3dfb-9224-403c-b285-a224c9a7036d | vpn1 | cd288ec1-cad5-48e4-a402-882103ac6ec5 | ACTIVE |
| 77d0b36f-35e3-46d9-8d33-1b989092cecf | vpn2 | 224c35b8-01b3-4e9b-a148-2751840a1b18 | ACTIVE |
+--------------------------------------+------+--------------------------------------+--------+
4. Check the status of ipsec site connection.

+--------------------------------------+-------+----------------+----------------+------------+-----------+--------+
| id                                   | name  | peer_address   | peer_cidrs     | route_mode | auth_mode | status |
+--------------------------------------+-------+----------------+----------------+------------+-----------+--------+
| a158f5d5-128e-47ba-9260-34dc9ff315b0 | site1 | $peer_address2 | "$Peer_cidr2"  | static     | psk       | ACTIVE |
| a9486296-bc36-439b-b0a8-4d4b0417486d | site2 | $Peer_address1 | "$Peer_cidr1"  | static     | psk       | ACTIVE |
+--------------------------------------+-------+----------------+----------------+------------+-----------+--------+
5. List the ike policy
+--------------------------------------+------+----------------+----------------------+-------------+--------+
| id                                   | name | auth_algorithm | encryption_algorithm | ike_version | pfs    |
+--------------------------------------+------+----------------+----------------------+-------------+--------+
| b04d74ad-ec1f-44b0-8ae6-802872bf4ca0 | IKE1 | sha1           | aes-128              | v1          | group5 |
| e5be37ec-9888-46a7-b884-083b5b5336aa | IKE2 | sha1           | aes-256              | v1          | group5 |
+--------------------------------------+------+----------------+----------------------+-------------+--------+
6. List the ipsec-policy
+--------------------------------------+--------+----------------+----------------------+--------+
| id                                   | name   | auth_algorithm | encryption_algorithm | pfs    |
+--------------------------------------+--------+----------------+----------------------+--------+
| 12c9db3b-8122-4e1e-9aad-8e6e87225a1f | IPSEC1 | sha1           | aes-256              | group5 |
| d38bba51-ecdd-43ef-822c-4f1c86507c9a | IPSEC2 | sha1           | aes-256              | group5 |
+--------------------------------------+--------+----------------+----------------------+--------+

Actual Results: The IPsec site connection shows as active with a mismatched
version of the encryption algorithm in the IKE policy.

Expected Results: The IPsec site connection should show as down, since a
mismatched version of the encryption algorithm is provided in the IKE policy.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1316724

Title:
  IKE Policy on peer site mismatched parameter still the ipsec site
  connection shows in active state

Status in OpenStack Neutron (virtual network service):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1316724/+subscriptions
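
An operator-side consistency check for the mismatch reported above, as an added example that is not part of the original bug report or of Neutron's code: it parses the table format shown in step 5 and reports the fields on which two IKE policies disagree. The function names and the list of compared columns are assumptions made for illustration; the sample table is copied from the report.

```python
# Added example (not from the bug report or from Neutron): compare two IKE
# policies listed in the CLI table format shown in step 5.

# Sample input: the IKE policy listing copied from step 5 of the report.
IKE_POLICY_TABLE = """\
+--------------------------------------+------+----------------+----------------------+-------------+--------+
| id                                   | name | auth_algorithm | encryption_algorithm | ike_version | pfs    |
+--------------------------------------+------+----------------+----------------------+-------------+--------+
| b04d74ad-ec1f-44b0-8ae6-802872bf4ca0 | IKE1 | sha1           | aes-128              | v1          | group5 |
| e5be37ec-9888-46a7-b884-083b5b5336aa | IKE2 | sha1           | aes-256              | v1          | group5 |
+--------------------------------------+------+----------------+----------------------+-------------+--------+
"""

# Assumption: these are the columns both peers are expected to agree on.
COMPARED_FIELDS = ("auth_algorithm", "encryption_algorithm", "ike_version", "pfs")


def parse_cli_table(text):
    """Return one dict per data row of a '+---+' bordered CLI table."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # border or blank line
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
        elif len(cells) != len(header):
            raise ValueError(f"expected {len(header)} cells: {line!r}")
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def find_policy(rows, name):
    """Return the single row with this name; fail on none or duplicates."""
    matches = [r for r in rows if r.get("name") == name]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} policies named {name!r}")
    return matches[0]


def policy_mismatches(local, peer, fields=COMPARED_FIELDS):
    """Return {field: (local_value, peer_value)} for each differing field."""
    return {f: (local.get(f), peer.get(f)) for f in fields if local.get(f) != peer.get(f)}


if __name__ == "__main__":
    policies = parse_cli_table(IKE_POLICY_TABLE)
    diff = policy_mismatches(find_policy(policies, "IKE1"), find_policy(policies, "IKE2"))
    for field, (a, b) in diff.items():
        print(f"MISMATCH {field}: IKE1={a} IKE2={b}")
```

Running the same comparison before a site connection is created catches a disagreement between the two policies independently of the status column the report questions.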

