
yahoo-eng-team team mailing list archive

[Bug 1316726] Re: VPNAAS :IPSEC Policy on peer site mismatched still the ipsec sitec connection shows active state

 

AFAIK, the IPSec connection is auto-negotiated and will use the IKE and
IPSec policy that is compatible with each end (in this case negotiating
down to aes-128).

This is not a bug, as far as I know. Will mark as invalid.

** Changed in: neutron
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1316726

Title:
  VPNAAS :IPSEC Policy on peer site mismatched still the ipsec sitec
  connection shows active state

Status in OpenStack Neutron (virtual network service):
  Invalid

Bug description:
  Steps to Reproduce:
  1. Create a vpn site with one ipsec policy with encryption_algorithm aes-256 and the other site as aes-128.
  2. Create the ipsec-siteconnection and other operations like vpn-services and ike policy on both the sites.
  3. Check the status of vpn service

  +--------------------------------------+------+--------------------------------------+--------+
  | id                                   | name | router_id                            | status |
  +--------------------------------------+------+--------------------------------------+--------+
  | 530c3dfb-9224-403c-b285-a224c9a7036d | vpn1 | cd288ec1-cad5-48e4-a402-882103ac6ec5 | ACTIVE |
  | 77d0b36f-35e3-46d9-8d33-1b989092cecf | vpn2 | 224c35b8-01b3-4e9b-a148-2751840a1b18 | ACTIVE |
  +--------------------------------------+------+--------------------------------------+--------+
  4. Check the status of ipsec site connection.

  +--------------------------------------+-------+----------------+----------------+------------+-----------+--------+
  | id                                   | name  | peer_address   | peer_cidrs     | route_mode | auth_mode | status |
  +--------------------------------------+-------+----------------+----------------+------------+-----------+--------+
  | a158f5d5-128e-47ba-9260-34dc9ff315b0 | site1 | $peer_address2 | "$peer_cidrs2" | static     | psk       | ACTIVE |
  | a9486296-bc36-439b-b0a8-4d4b0417486d | site2 | $peer_address1 | "$peer_cidrs1" | static     | psk       | ACTIVE |
  +--------------------------------------+-------+----------------+----------------+------------+-----------+--------+
  5. List the ike policy
  +--------------------------------------+------+----------------+----------------------+-------------+--------+
  | id                                   | name | auth_algorithm | encryption_algorithm | ike_version | pfs    |
  +--------------------------------------+------+----------------+----------------------+-------------+--------+
  | b04d74ad-ec1f-44b0-8ae6-802872bf4ca0 | IKE1 | sha1           | aes-256              | v1          | group5 |
  | e5be37ec-9888-46a7-b884-083b5b5336aa | IKE2 | sha1           | aes-256              | v1          | group5 |
  +--------------------------------------+------+----------------+----------------------+-------------+--------+
  6. List the ipsec-policy
  +--------------------------------------+--------+----------------+----------------------+--------+
  | id                                   | name   | auth_algorithm | encryption_algorithm | pfs    |
  +--------------------------------------+--------+----------------+----------------------+--------+
  | 12c9db3b-8122-4e1e-9aad-8e6e87225a1f | IPSEC1 | sha1           | aes-128              | group5 |
  | d38bba51-ecdd-43ef-822c-4f1c86507c9a | IPSEC2 | sha1           | aes-256              | group5 |
  +--------------------------------------+--------+----------------+----------------------+--------+

  Actual Results: Ipsec site connection shows as active with mismatched version of encryption algorithm in the ipsecpolicy.
  Ping across the sites is also happening.

  Expected Results: Ipsec site connection should show as down state
  since mismatched version of encryption algorithm in the ipsecpolicy is
  provided

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1316726/+subscriptions
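
In the report above, both connections show ACTIVE even though the two ipsec policies differ, so the status column cannot be used to detect policy drift between peers. The following is an added example, not part of the original message or of Neutron: it parses table output in the format listed in the bug description and reports which crypto fields differ between two policies. The function names are hypothetical, and the sample table is copied from the bug description.

```python
# Sample input: the ipsec-policy listing copied from the bug description.
IPSEC_POLICY_TABLE = """
+--------------------------------------+--------+----------------+----------------------+--------+
| id                                   | name   | auth_algorithm | encryption_algorithm | pfs    |
+--------------------------------------+--------+----------------+----------------------+--------+
| 12c9db3b-8122-4e1e-9aad-8e6e87225a1f | IPSEC1 | sha1           | aes-128              | group5 |
| d38bba51-ecdd-43ef-822c-4f1c86507c9a | IPSEC2 | sha1           | aes-256              | group5 |
+--------------------------------------+--------+----------------+----------------------+--------+
"""

# Fields that identify a policy rather than describe its crypto settings.
IDENTITY_FIELDS = {"id", "name"}


def parse_table(text):
    """Turn a '+---+' / '| a | b |' table into a list of row dicts."""
    rows = []
    header = None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip borders and blank lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells  # first data line holds the column names
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
        else:
            raise ValueError(f"malformed row: {line!r}")
    return rows


def policy_mismatches(local, peer):
    """Return {field: (local_value, peer_value)} for differing crypto fields."""
    fields = (set(local) | set(peer)) - IDENTITY_FIELDS
    return {f: (local.get(f), peer.get(f)) for f in sorted(fields)
            if local.get(f) != peer.get(f)}


def audit(table_text, local_name, peer_name):
    """Look up two policies by name and report how they differ."""
    by_name = {row["name"]: row for row in parse_table(table_text)}
    return policy_mismatches(by_name[local_name], by_name[peer_name])


if __name__ == "__main__":
    for field, (a, b) in audit(IPSEC_POLICY_TABLE, "IPSEC1", "IPSEC2").items():
        print(f"MISMATCH {field}: {a} != {b}")
```
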

