
yahoo-eng-team team mailing list archive

[Bug 1405413] Re: VPN IPSec connection with fqdn not possible

 

** Changed in: neutron
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1405413

Title:
  VPN IPSec connection with fqdn not possible

Status in OpenStack Neutron (virtual network service):
  Fix Released

Bug description:
  Hi all

  as of https://wiki.openstack.org/wiki/Neutron/VPNaaS#ipsec-site-connection_Resource
  it should be possible to create ipsec site connections with a peer fqdn.

  When adding a new IPSec site connection with --peer-address <fqdn> I
  get an error in vpn-agent logs on network node and VPN for that
  router won't be enabled.

  
  I'm adding the connection like this:
  neutron ipsec-site-connection-create --psk 'XXXX' --peer-id "@tobi.dyndns.org" --peer-cidr 192.168.178.0/24 --peer-address "tobi.dyndns.org" --vpnservice-id af2979de-4800-43b3-ae8a-e85ede71bf8c --ikepolicy-id ed4726b7-cc1a-4c3d-af4d-d4fd736f20b1 --ipsecpolicy-id 4daba6a6-ac7f-4e37-b8ce-441c043b8285 --name "Tobi Home"

  Created a new ipsec_site_connection:
  +----------------+----------------------------------------------------+
  | Field          | Value                                              |
  +----------------+----------------------------------------------------+
  | admin_state_up | True                                               |
  | auth_mode      | psk                                                |
  | description    |                                                    |
  | dpd            | {"action": "hold", "interval": 30, "timeout": 120} |
  | id             | 1c57278b-1633-4637-ae8d-f9dfc57cddcc               |
  | ikepolicy_id   | ed4726b7-cc1a-4c3d-af4d-d4fd736f20b1               |
  | initiator      | bi-directional                                     |
  | ipsecpolicy_id | 4daba6a6-ac7f-4e37-b8ce-441c043b8285               |
  | mtu            | 1500                                               |
  | name           | Tobi Home                                          |
  | peer_address   | tobi.dyndns.org                                    |
  | peer_cidrs     | 192.168.178.0/24                                   |
  | peer_id        | tobi.dyndns.org                                    |
  | psk            | XXX                                                |
  | route_mode     | static                                             |
  | status         | PENDING_CREATE                                     |
  | tenant_id      | 46fcbd40f9b34a1b96fcf91ae84c9bba                   |
  | vpnservice_id  | af2979de-4800-43b3-ae8a-e85ede71bf8c               |
  +----------------+----------------------------------------------------+

  Log:

  2014-12-24 13:30:22.807 24920 ERROR neutron.services.vpn.device_drivers.ipsec [-] Failed to enable vpn process on router 0b4c88fa-4944-45a7-b1b3-fbee1d7fc2ac
  2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec Traceback (most recent call last):
  2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron/services/vpn/device_drivers/ipsec.py", line 242, in enable
  2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec     self.restart()
  2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron/services/vpn/device_drivers/ipsec.py", line 342, in restart
  2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec     self.start()
  2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron/services/vpn/device_drivers/ipsec.py", line 389, in start
  2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec     nexthop = self._get_nexthop(ipsec_site_conn['peer_address'])
  2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron/services/vpn/device_drivers/ipsec.py", line 347, in _get_nexthop
  2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec     ['ip', 'route', 'get', address])
  2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron/services/vpn/device_drivers/ipsec.py", line 314, in _execute
  2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec     check_exit_code=check_exit_code)
  2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/ip_lib.py", line 550, in execute
  2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec     check_exit_code=check_exit_code, extra_ok_codes=extra_ok_codes)
  2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/utils.py", line 84, in execute
  2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec     raise RuntimeError(m)
  2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec RuntimeError:
  2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-0b4c88fa-4944-45a7-b1b3-fbee1d7fc2ac', 'ip', 'route', 'get', 'tobi.dyndns.org']
  2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec Exit code: 1
  2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec Stdout: ''
  2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec Stderr: 'Error: an inet prefix is expected rather than "tobi.dyndns.org".\n'
  2014-12-24 13:30:22.807 24920 TRACE neutron.services.vpn.device_drivers.ipsec
  2014-12-24 13:30:22.965 24920 ERROR neutron.agent.linux.utils [-]
  Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-fd8e2460-6542-40ab-bf41-6d2e403dce74', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/fd8e2460-6542-40ab-bf41-6d2e403dce74/var/run/pluto', '--status']
  Exit code: 1
  Stdout: ''
  Stderr: 'whack: Pluto is not running (no "/var/lib/neutron/ipsec/fd8e2460-6542-40ab-bf41-6d2e403dce74/var/run/pluto.ctl")\n'
  2014-12-24 13:30:23.751 24920 ERROR neutron.agent.linux.utils [req-be9b2275-a022-4f03-aa4c-65fc187046a9 None]
  Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-0b4c88fa-4944-45a7-b1b3-fbee1d7fc2ac', 'ip', 'route', 'get', 'tobi.dyndns.org']
  Exit code: 1
  Stdout: ''
  Stderr: 'Error: an inet prefix is expected rather than "tobi.dyndns.org".\n'
  2014-12-24

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1405413/+subscriptions
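
The traceback above shows the agent passing the raw peer_address to `ip route get`, which accepts only an address. As an added example (not the neutron fix and not code from this report), the following resolves a hostname before building that command and rejects anything that is neither an IP literal nor a valid hostname, since the value ends up on a rootwrap command line. The function names, the injectable resolver and the 203.0.113.10 address are assumptions constructed for illustration.

```python
import ipaddress
import re
import socket

# RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_hostname(value):
    """True if value is a syntactically valid hostname (not an IP literal)."""
    name = value[:-1] if value.endswith(".") else value
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    # An all-numeric final label would be ambiguous with an IPv4 literal.
    return all(_LABEL.fullmatch(l) for l in labels) and not labels[-1].isdigit()


def resolve_peer_address(peer_address, resolver=socket.getaddrinfo):
    """Return an IP string usable as the argument of `ip route get`.

    IP literals pass through; hostnames are resolved first. Anything else is
    rejected before it can reach a privileged command line.
    """
    try:
        return str(ipaddress.ip_address(peer_address))
    except ValueError:
        pass
    if not is_hostname(peer_address):
        raise ValueError("neither an IP nor a hostname: %r" % peer_address)
    infos = resolver(peer_address, None, socket.AF_INET, socket.SOCK_STREAM)
    if not infos:
        raise ValueError("no IPv4 address for %r" % peer_address)
    return infos[0][4][0]


def nexthop_command(peer_address, resolver=socket.getaddrinfo):
    """argv for the route lookup seen in the traceback, with a resolved address."""
    return ["ip", "route", "get", resolve_peer_address(peer_address, resolver)]


def constructed_resolver(host, port, family=0, type=0):
    # Constructed sample data (documentation address range) so this runs offline.
    table = {"tobi.dyndns.org": "203.0.113.10"}
    if host not in table:
        raise socket.gaierror("constructed resolver: unknown host")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (table[host], 0))]
```

With a dynamic-DNS peer the resolved address can change, so a real agent would need to re-resolve and compare on each sync rather than cache the first answer.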

