yahoo-eng-team team mailing list archive

[Bug 1394890] [NEW] Can't add new VM to a router which has been used for vpn service

Public bug reported:

Hi, I tried to follow this guide to use VPNaaS:
https://wiki.openstack.org/wiki/Neutron/VPNaaS/HowToInstall

I have two OpenStack regions, each with its own private net/subnet,
public net/subnet and router configured. Then I created two servers
individually at the two regions with floating IPs. After that, I can correctly
access those two VMs using both private IP addresses and floating IPs.

Then I tried to create a VPN connection between these two VMs:

Step 1: Create VPN service in RegionOne:
------------------
$ neutron vpn-ikepolicy-create ikepolicy1
$ neutron vpn-ipsecpolicy-create ipsecpolicy1
$ neutron vpn-service-create --name myvpn --description "My vpn service" router1 private-subnet
$ neutron ipsec-site-connection-create --name vpnconnection1 --vpnservice-id myvpn --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address 172.24.4.133 --peer-id 172.24.4.133 --peer-cidr 10.2.0.0/24 --psk secret

Step 2: Create VPN service in RegionTwo:
------------------
$ neutron vpn-ikepolicy-create ikepolicy1
$ neutron vpn-ipsecpolicy-create ipsecpolicy1
$ neutron vpn-service-create --name myvpn --description "My vpn service" router1 private-subnet
$ neutron ipsec-site-connection-create --name vpnconnection1 --vpnservice-id myvpn --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address 172.24.4.26 --peer-id 172.24.4.26 --peer-cidr 10.1.0.0/24 --psk secret

After these two steps, I can successfully connect these two VMs through their private IP addresses.
e.g. VM1: 10.1.0.5, VM2: 10.2.0.5

When I tried to check the ipsec status, it was also correct:
-------------------
$ sudo service ipsec status
IPsec stopped
but...
An orphaned Pluto is active?

And I can find the process info in the following directory:
e.g. /opt/stack/data/neutron/ipsec/c39744d5-639a-4f59-b787-ca3797d22400/var/run/
Here, *c39744d5-639a-4f59-b787-ca3797d22400* is my router's id.

However, when I tried to create another VM in the same private net and allocate a floating IP address to it, I always got the following error from the VPN agent:
-------------------
2014-11-21 02:32:25.713 ERROR neutron.agent.linux.utils [-]
Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1', 'ipsec', 'pluto', '--ctlbase', '/opt/stack/data/neutron/ipsec/2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1/var/run/pluto', '--ipsecdir', '/opt/stack/data/neutron/ipsec/2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/opt/stack/data/neutron/ipsec/2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1/etc/ipsec.secrets', '--virtual_private', '%v4:10.1.0.0/24,%v4:10.2.0.0/24']
Exit code: 10
Stdout: ''
Stderr: 'adjusting ipsec.d to /opt/stack/data/neutron/ipsec/2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1/etc\npluto: lock file "/opt/stack/data/neutron/ipsec/2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1/var/run/pluto.pid" already exists\n'
2014-11-21 02:32:25.714 ERROR neutron.services.vpn.device_drivers.ipsec [-] Failed to enable vpn process on router 2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec Traceback (most recent call last):
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron/neutron/services/vpn/device_drivers/ipsec.py", line 243, in enable
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec     self.restart()
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron/neutron/services/vpn/device_drivers/ipsec.py", line 343, in restart
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec     self.start()
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron/neutron/services/vpn/device_drivers/ipsec.py", line 386, in start
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec     '--virtual_private', virtual_private
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron/neutron/services/vpn/device_drivers/ipsec.py", line 315, in _execute
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec     check_exit_code=check_exit_code)
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron/neutron/agent/linux/ip_lib.py", line 550, in execute
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec     check_exit_code=check_exit_code, extra_ok_codes=extra_ok_codes)
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron/neutron/agent/linux/utils.py", line 84, in execute
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec     raise RuntimeError(m)
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec RuntimeError:
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1', 'ipsec', 'pluto', '--ctlbase', '/opt/stack/data/neutron/ipsec/2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1/var/run/pluto', '--ipsecdir', '/opt/stack/data/neutron/ipsec/2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/opt/stack/data/neutron/ipsec/2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1/etc/ipsec.secrets', '--virtual_private', '%v4:10.1.0.0/24,%v4:10.2.0.0/24']
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec Exit code: 10
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec Stdout: ''
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec Stderr: 'adjusting ipsec.d to /opt/stack/data/neutron/ipsec/2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1/etc\npluto: lock file "/opt/stack/data/neutron/ipsec/2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1/var/run/pluto.pid" already exists\n'
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec

Then the VPN service died, and when I checked the ipsec service status, I got the following info:
$ sudo service ipsec status
IPsec stopped

In this case, I have to delete the ipsec-site-connection I created
before, then restart the vpn-agent and recreate the ipsec-site-connection.
After that, the connection between the two VMs recovers.

This error does not happen if I don't assign a floating IP to the new VM
when creating it.

What I'm using is a devstack environment built on 2014-11-20.  Thanks.

** Affects: neutron
     Importance: Undecided
         Status: New
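The log above shows the VPN agent's `start()` path failing with exit code 10 because `<ipsec_dir>/<router_id>/var/run/pluto.pid` already exists when pluto is re-launched inside the `qrouter-<router_id>` namespace. Before (re)starting pluto, an operator or driver needs to know whether that lock belongs to a pluto that is still running (the "orphaned Pluto" the reporter saw; it must be stopped, not have its lock deleted) or is a leftover from one that is gone (safe to unlink). The following is an added example written for this thread, not neutron or libreswan code: it classifies a `pluto.pid` as absent, live, stale or malformed and removes only provably stale locks. The function names, the constructed router id and the temporary directory layout are my own; the exit code, the path layout and the "lock file ... already exists" behaviour come from the report.

```python
"""Distinguish a live pluto lock from a stale one before (re)starting pluto.

Added example for this bug thread, not neutron or libreswan code. It models
the per-router layout the VPN agent uses, <ipsec_dir>/<router_id>/var/run/pluto.pid,
where pluto exits with code 10 ("lock file ... already exists") whenever that
file is present. A live lock must be handled by stopping the running pluto;
only a provably stale lock is safe to unlink.
"""
import os
import pathlib
import subprocess
import sys
import tempfile


def read_lock_pid(pid_path):
    """Return the PID recorded in the lock file, or None if the file is missing or malformed."""
    try:
        text = pathlib.Path(pid_path).read_text()
    except FileNotFoundError:
        return None
    fields = text.split()
    if not fields or not fields[0].isdigit():
        return None
    return int(fields[0])


def pid_is_alive(pid):
    """True if a process with this PID exists; signal 0 probes without delivering anything."""
    if pid <= 0:            # 0 / negatives address process groups, never a single pluto
        return False
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True         # exists, but owned by another user (e.g. root pluto, unprivileged caller)
    return True


def classify_lock(pid_path):
    """One of 'absent', 'live', 'stale' or 'malformed' for the given pluto.pid path."""
    if not os.path.exists(pid_path):
        return "absent"
    pid = read_lock_pid(pid_path)
    if pid is None:
        return "malformed"
    return "live" if pid_is_alive(pid) else "stale"


def reap_stale_lock(pid_path):
    """Unlink the lock only when it is provably stale; never touch a live or malformed one.

    Returns the classification so the caller can decide what to do next:
    'live' means stop pluto through its control socket first, 'malformed'
    means a human should look at the file before anything is restarted.
    """
    state = classify_lock(pid_path)
    if state == "stale":
        os.unlink(pid_path)
    return state


def _dead_pid():
    """Spawn a trivial child and wait for it, so its PID is known to be free (fixture helper)."""
    child = subprocess.Popen([sys.executable, "-c", "pass"])
    child.wait()
    return child.pid


def demo():
    """Exercise every outcome against a constructed router directory; returns the observations."""
    router_id = "00000000-0000-4000-8000-000000000001"   # constructed, not the report's router
    results = {}
    with tempfile.TemporaryDirectory() as base:
        run_dir = pathlib.Path(base, router_id, "var", "run")
        run_dir.mkdir(parents=True)
        lock = run_dir / "pluto.pid"

        lock.write_text(f"{os.getpid()}\n")          # this process stands in for a running pluto
        results["live"] = reap_stale_lock(lock)
        results["live_kept"] = lock.exists()

        lock.write_text(f"{_dead_pid()}\n")          # leftover from a pluto that is gone
        results["stale"] = reap_stale_lock(lock)
        results["stale_removed"] = not lock.exists()

        results["absent"] = reap_stale_lock(lock)

        lock.write_text("garbage\n")
        results["malformed"] = reap_stale_lock(lock)
        results["malformed_kept"] = lock.exists()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points of design matter here. First, `os.kill(pid, 0)` works from the host even though pluto runs inside a `qrouter-*` network namespace, because network namespaces do not isolate PIDs; a `PermissionError` still means the process exists, which is the usual result when a root-owned pluto is probed by an unprivileged user. Second, a malformed lock is deliberately left alone rather than treated as stale: a file with unexpected content in a directory the agent writes as root is exactly the kind of thing that deserves a look before a restart clears the evidence.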

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1394890

Title:
  Can't add new VM to a router which has been used for vpn service

Status in OpenStack Neutron (virtual network service):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1394890/+subscriptions
