yahoo-eng-team team mailing list archive

[Bug 1476681] [NEW] VPNaaS: Fix phase2alg for AH in ipsec.conf.template

 

Public bug reported:

Any attempt to create an IPSec site connection with a policy that specifies
the AH protocol instead of ESP leads to the following error:

2015-07-21 13:41:28.948 ERROR neutron.agent.linux.utils [req-e3237103-fb81-4c23-8a69-98c755c177c9 admin 4733f78a7cd749f38b20bc134b9675a0] 
Command: ['ip', 'netns', 'exec', u'qrouter-3d68e902-ce44-411a-bd4e-6ff9a33d8a85', 'ipsec', 'addconn', '--ctlbase', u'/opt/stack/data/neutron/ipsec/3d68e902-ce44-411a-bd4e-6ff9a33d8a85/var/run/pluto.ctl', '--defaultroutenexthop', u'172.24.4.3', '--config', u'/opt/stack/data/neutron/ipsec/3d68e902-ce44-411a-bd4e-6ff9a33d8a85/etc/ipsec.conf', u'd0fa8bac-b8eb-4c33-a023-8c96560c99ec']
Exit code: 34
Stdin: 
Stdout: 034 esp string error: Non initial digit found for auth keylen, just after "aes128-" (old_state=ST_AA_END)

Stderr: 
2015-07-21 13:41:28.949 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [req-e3237103-fb81-4c23-8a69-98c755c177c9 admin 4733f78a7cd749f38b20bc134b9675a0] Failed to enable vpn process on router 3d68e902-ce44-411a-bd4e-6ff9a33d8a85
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Traceback (most recent call last):
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 255, in enable
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec     self.start()
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 437, in start
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec     ipsec_site_conn['id']
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 336, in _execute
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes)
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron/neutron/agent/linux/ip_lib.py", line 701, in execute
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes, **kwargs)
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron/neutron/agent/linux/utils.py", line 138, in execute
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec     raise RuntimeError(m)
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError:
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['ip', 'netns', 'exec', u'qrouter-3d68e902-ce44-411a-bd4e-6ff9a33d8a85', 'ipsec', 'addconn', '--ctlbase', u'/opt/stack/data/neutron/ipsec/3d68e902-ce44-411a-bd4e-6ff9a33d8a85/var/run/pluto.ctl', '--defaultroutenexthop', u'172.24.4.3', '--config', u'/opt/stack/data/neutron/ipsec/3d68e902-ce44-411a-bd4e-6ff9a33d8a85/etc/ipsec.conf', u'd0fa8bac-b8eb-4c33-a023-8c96560c99ec']
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 34
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin:
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout: 034 esp string error: Non initial digit found for auth keylen, just after "aes128-" (old_state=ST_AA_END)
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec 
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stderr:
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec 


The reason is that the AH protocol doesn't have any encryption. That is why phase2alg in the ipsec.conf template should be modified to exclude encryption for AH.

** Affects: neutron
     Importance: Undecided
     Assignee: Elena Ezhova (eezhova)
         Status: New


** Tags: vpnaas

** Tags added: vpnaas

** Changed in: neutron
     Assignee: (unassigned) => Elena Ezhova (eezhova)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1476681


To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1476681/+subscriptions
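
One way to express the change the report asks for, together with a pre-flight check over a rendered ipsec.conf, as an added example that is not neutron-vpnaas code. The policy keys, the sample values, the conn name and the cipher-prefix list are assumptions made for illustration.

```python
# Added example (not neutron-vpnaas code). Policy keys, sample values and
# the cipher-prefix list below are constructed for illustration.
CIPHER_PREFIXES = ("aes", "3des")  # assumed cipher names a policy may carry

POLICY_AH = {"transform_protocol": "ah", "encryption_algorithm": "aes128",
             "auth_algorithm": "sha1", "pfs": "modp1536"}
# Constructed config showing the failing shape: AH with a cipher in phase2alg.
BROKEN_CONF = "conn site-a\n    phase2=ah\n    phase2alg=aes128-sha1;modp1536\n"


def phase2alg(policy):
    """Build the phase2alg value; AH has no encryption, so omit the cipher."""
    proto = policy["transform_protocol"]
    auth, pfs = policy["auth_algorithm"], policy["pfs"]
    if proto == "ah":
        return "%s;%s" % (auth, pfs)
    if proto == "esp":
        return "%s-%s;%s" % (policy["encryption_algorithm"], auth, pfs)
    raise ValueError("unsupported transform protocol: %r" % proto)


def render_conn(name, policy):
    """Render the phase-2 lines of one conn section."""
    return "conn %s\n    phase2=%s\n    phase2alg=%s\n" % (
        name, policy["transform_protocol"], phase2alg(policy))


def lint_ipsec_conf(text):
    """Return names of conns with phase2=ah whose phase2alg names a cipher."""
    bad, name, opts = [], None, {}

    def flush():
        # Evaluate the section collected so far.
        if name and opts.get("phase2") == "ah":
            first = opts.get("phase2alg", "").split(";")[0].split("-")[0]
            if first.startswith(CIPHER_PREFIXES):
                bad.append(name)

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("conn "):
            flush()
            name, opts = line.split(None, 1)[1], {}
        elif "=" in line and name:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    flush()
    return bad
```

Running `lint_ipsec_conf` on the rendered file before `ipsec addconn` is invoked turns the exit-code-34 failure into a named configuration error.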