
yahoo-eng-team team mailing list archive

[Bug 1476681] Re: VPNaaS: Fix phase2alg for AH in ipsec.conf.template

 

** Changed in: neutron
       Status: Fix Committed => Fix Released

** Changed in: neutron
    Milestone: None => liberty-3

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1476681

Title:
  VPNaaS: Fix phase2alg for AH in ipsec.conf.template

Status in neutron:
  Fix Released

Bug description:
  Any attempt to create an IPSec site connection with a policy that
  specifies the AH protocol instead of ESP leads to the following error:

  2015-07-21 13:41:28.948 ERROR neutron.agent.linux.utils [req-e3237103-fb81-4c23-8a69-98c755c177c9 admin 4733f78a7cd749f38b20bc134b9675a0] 
  Command: ['ip', 'netns', 'exec', u'qrouter-3d68e902-ce44-411a-bd4e-6ff9a33d8a85', 'ipsec', 'addconn', '--ctlbase', u'/opt/stack/data/neutron/ipsec/3d68e902-ce44-411a-bd4e-6ff9a33d8a85/var/run/pluto.ctl', '--defaultroutenexthop', u'172.24.4.3', '--config', u'/opt/stack/data/neutron/ipsec/3d68e902-ce44-411a-bd4e-6ff9a33d8a85/etc/ipsec.conf', u'd0fa8bac-b8eb-4c33-a023-8c96560c99ec']
  Exit code: 34
  Stdin: 
  Stdout: 034 esp string error: Non initial digit found for auth keylen, just after "aes128-" (old_state=ST_AA_END)

  Stderr: 
  2015-07-21 13:41:28.949 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [req-e3237103-fb81-4c23-8a69-98c755c177c9 admin 4733f78a7cd749f38b20bc134b9675a0] Failed to enable vpn process on router 3d68e902-ce44-411a-bd4e-6ff9a33d8a85
  2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Traceback (most recent call last):
  2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 255, in enable
  2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec     self.start()
  2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 437, in start
  2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec     ipsec_site_conn['id']
  2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 336, in _execute
  2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes)
  2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron/neutron/agent/linux/ip_lib.py", line 701, in execute
  2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes, **kwargs)
  2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron/neutron/agent/linux/utils.py", line 138, in execute
  2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec     raise RuntimeError(m)
  2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError:
  2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['ip', 'netns', 'exec', u'qrouter-3d68e902-ce44-411a-bd4e-6ff9a33d8a85', 'ipsec', 'addconn', '--ctlbase', u'/opt/stack/data/neutron/ipsec/3d68e902-ce44-411a-bd4e-6ff9a33d8a85/var/run/pluto.ctl', '--defaultroutenexthop', u'172.24.4.3', '--config', u'/opt/stack/data/neutron/ipsec/3d68e902-ce44-411a-bd4e-6ff9a33d8a85/etc/ipsec.conf', u'd0fa8bac-b8eb-4c33-a023-8c96560c99ec']
  2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 34
  2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin:
  2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout: 034 esp string error: Non initial digit found for auth keylen, just after "aes128-" (old_state=ST_AA_END)
  2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec 
  2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stderr:
  2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec 

  
  The reason is that the AH protocol doesn't have any encryption. That is why phase2alg in the ipsec.conf template should be modified to exclude encryption for AH.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1476681/+subscriptions
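
The mismatch described in the bug (an AH connection whose phase2alg still names a cipher) can be caught by linting the rendered ipsec.conf before it is handed to `ipsec addconn`. The following is an added example, not code from neutron-vpnaas; it assumes the Openswan/Libreswan `phase2` (or older `auth`) and `phase2alg` conn options, and the sample config, conn names and cipher list are constructed for illustration.

```python
import re

# Cipher names recognised by this check (illustrative, not exhaustive).
CIPHER = re.compile(r"^(aes\d*|3des|des|camellia\d*|blowfish|twofish|null)$")

# Constructed sample config: the conn "site-ah" reproduces the mismatch.
SAMPLE_CONF = """\
config setup
    uniqueids=yes
conn site-esp
    phase2=esp
    phase2alg=aes128-sha1;modp1536
conn site-ah
    phase2=ah
    phase2alg=aes128-sha1;modp1536
conn site-ah-fixed
    phase2=ah
    phase2alg=sha1;modp1536
"""


def parse_conns(text):
    """Return {conn_name: {option: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        header = re.match(r"^conn\s+(\S+)$", line)
        if header:
            current = conns.setdefault(header.group(1), {})
        elif current is not None and line[0].isspace() and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
        else:
            current = None  # 'config setup' or other non-conn content
    return conns


def ah_conns_with_cipher(text):
    """Names of conns that select AH but still list a cipher in phase2alg."""
    bad = []
    for name, opts in parse_conns(text).items():
        proto = opts.get("phase2", opts.get("auth", "esp")).lower()
        if proto != "ah":
            continue
        # phase2alg is "proposal[,proposal...];pfsgroup"; a cipher comes first.
        proposals = opts.get("phase2alg", "").split(";", 1)[0].split(",")
        if any(CIPHER.match(p.strip().split("-")[0].lower()) for p in proposals):
            bad.append(name)
    return bad
```

Running `ah_conns_with_cipher(SAMPLE_CONF)` reports only `site-ah`; the ESP conn and the AH conn without a cipher pass.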

