
yahoo-eng-team team mailing list archive

[Bug 1316724] Re: IKE Policy on peer site mismatched parameter still the ipsec site connection shows in active state

 

This is the default behavior of the openswan configuration.
Operators can customize the detailed configuration using the ipsec_config_template parameters.

https://github.com/openstack/neutron/blob/master/neutron/services/vpn/device_drivers/template/openswan/ipsec.conf.template

** Changed in: neutron
       Status: New => Won't Fix

** Changed in: neutron
   Importance: Undecided => Wishlist

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1316724

Title:
  IKE Policy on peer site mismatched parameter still the ipsec site
  connection shows in active state

Status in OpenStack Neutron (virtual network service):
  Won't Fix

Bug description:
  Steps to Reproduce:
  1. Create one vpn site with an ike policy with encryption_algorithm aes-256 and the other site with aes-128.
  2. Create the ipsec-siteconnection and perform the other operations, like vpn-services and ipsec policy, on both sites.
  3. Check the status of vpn service
   
  +--------------------------------------+------+--------------------------------------+--------+
  | id                                   | name | router_id                            | status |
  +--------------------------------------+------+--------------------------------------+--------+
  | 530c3dfb-9224-403c-b285-a224c9a7036d | vpn1 | cd288ec1-cad5-48e4-a402-882103ac6ec5 | ACTIVE |
  | 77d0b36f-35e3-46d9-8d33-1b989092cecf | vpn2 | 224c35b8-01b3-4e9b-a148-2751840a1b18 | ACTIVE |
  +--------------------------------------+------+--------------------------------------+--------+
  4. Check the status of ipsec site connection.

  +--------------------------------------+-------+----------------+----------------+------------+-----------+--------+
  | id                                   | name  | peer_address   | peer_cidrs     | route_mode | auth_mode | status |
  +--------------------------------------+-------+----------------+----------------+------------+-----------+--------+
  | a158f5d5-128e-47ba-9260-34dc9ff315b0 | site1 | $peer_address2 | "$Peer_cidr2"  | static     | psk       | ACTIVE |
  | a9486296-bc36-439b-b0a8-4d4b0417486d | site2 | $Peer_address1 | "$Peer_cidr1"  | static     | psk       | ACTIVE |
  +--------------------------------------+-------+----------------+----------------+------------+-----------+--------+
  5. List the ike policy
  +--------------------------------------+------+----------------+----------------------+-------------+--------+
  | id                                   | name | auth_algorithm | encryption_algorithm | ike_version | pfs    |
  +--------------------------------------+------+----------------+----------------------+-------------+--------+
  | b04d74ad-ec1f-44b0-8ae6-802872bf4ca0 | IKE1 | sha1           | aes-128              | v1          | group5 |
  | e5be37ec-9888-46a7-b884-083b5b5336aa | IKE2 | sha1           | aes-256              | v1          | group5 |
  +--------------------------------------+------+----------------+----------------------+-------------+--------+
  6. List the ipsec-policy
  +--------------------------------------+--------+----------------+----------------------+--------+
  | id                                   | name   | auth_algorithm | encryption_algorithm | pfs    |
  +--------------------------------------+--------+----------------+----------------------+--------+
  | 12c9db3b-8122-4e1e-9aad-8e6e87225a1f | IPSEC1 | sha1           | aes-256              | group5 |
  | d38bba51-ecdd-43ef-822c-4f1c86507c9a | IPSEC2 | sha1           | aes-256              | group5 |
  +--------------------------------------+--------+----------------+----------------------+--------+

  Actual Results: The ipsec site connection shows as active with a
  mismatched version of the encryption algorithm in the ikepolicy.

  Expected Results: The ipsec site connection should show a down state,
  since a mismatched version of the encryption algorithm in the ikepolicy
  is provided.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1316724/+subscriptions

