← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1549295] [NEW] Strongswan Driver is not getting invoked 1+1 Node setup on Liberty/ Ubuntu 14.04

 

Public bug reported:

We are trying to configure the vpn tunnels with strongswan. We are
getting the following error :

2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] Failed to enable vpn process on router 224f2a11-affc-48cb-beb8-93dceb8d7a3e
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Traceback (most recent call last):
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 260, in enable
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     self.start()
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 436, in start
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     self._execute(cmd)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 341, in _execute
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/ip_lib.py", line 816, in execute
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes, **kwargs)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/utils.py", line 159, in execute
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     raise RuntimeError(m)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError:
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'pluto', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--ipsecdir', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc/ipsec.secrets', '--virtual_private', '%v4:192.18.10.0/24,%v4:192.18.8.0/24']
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 2
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin:
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout:
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stderr: /usr/sbin/ipsec: unknown IPsec command `pluto' (`ipsec --help' for list)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec
2016-02-24 10:02:13.700 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -]
Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--status']
Exit code: 2 

We were able to configure the tunnels with openswan(after uninstalling
strongswan and making configuration changes for openswan) with the same
setup. With strongswan(after uninstalling Openswan and making
configuration changes for strongswan driver) , the tunnels remain in
PENDING_CREATE state and do not become ACTIVE.


We have the following configuration:

1.	We have openstack (liberty) installed on the ubuntu 14.04LTS on 1+1 node setup and we are trying to create IKEv1 and IKEv2 tunnels between 2 openstack public clouds. 
2.	We have installed neutron_vpn-agent along with strongswan package

Output of dpkg list for strongswan pakages.
-------------------------------------------------------------------------
root@controller:/var/log/neutron# dpkg -l | grep -i strongswan
ii  libstrongswan                                         5.1.2-0ubuntu2.4                                    amd64        strongSwan utility and crypto library
ii  strongswan                                            5.1.2-0ubuntu2.4                                    all          IPsec VPN solution metapackage
ii  strongswan-ike                                        5.1.2-0ubuntu2.4                                    amd64        strongSwan Internet Key Exchange (v2) daemon
ii  strongswan-plugin-openssl                             5.1.2-0ubuntu2.4                                    amd64        strongSwan plugin for OpenSSL
ii  strongswan-starter                                    5.1.2-0ubuntu2.4                                    amd64        strongSwan daemon starter and configuration file parser

Output of dpkg list for neutron-vpn-agent
-----------------------------------------------------------------------
root@controller:/var/log/neutron# dpkg -l | grep -i vpn-agent
ii  neutron-vpn-agent                                     2:7.0.0-0ubuntu1~cloud0                             all          Neutron is a virtual network service for Openstack - VPN agent

3.	The nova-service list and neutron service list are all up and running. 
	Output of nova service-list 
root@controller:/var/log/neutron# nova service-list
+----+------------------+------------+----------+---------+-------+----------------------------+-----------------+
| Id | Binary           | Host       | Zone     | Status  | State | Updated_at                 | Disabled Reason |
+----+------------------+------------+----------+---------+-------+----------------------------+-----------------+
| 1  | nova-cert        | controller | internal | enabled | up    | 2016-02-24T05:42:34.000000 | -               |
| 2  | nova-consoleauth | controller | internal | enabled | up    | 2016-02-24T05:42:34.000000 | -               |
| 3  | nova-scheduler   | controller | internal | enabled | up    | 2016-02-24T05:42:38.000000 | -               |
| 4  | nova-conductor   | controller | internal | enabled | up    | 2016-02-24T05:42:41.000000 | -               |
| 7  | nova-compute     | compute    | nova     | enabled | up    | 2016-02-24T05:42:35.000000 | -               |
+----+------------------+------------+----------+---------+-------+----------------------------+-----------------+
	Output of neutron agent-list  
root@controller:/var/log/neutron# neutron agent-list
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
| id                                   | agent_type         | host       | alive | admin_state_up | binary                    |
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
| 0b2327b7-12b6-425f-af8d-3fe637106d19 | DHCP agent         | controller | :-)   | True           | neutron-dhcp-agent        |
| 21acf20a-7c20-48ee-b79a-fe6df7c84c69 | Linux bridge agent | controller | :-)   | True           | neutron-linuxbridge-agent |
| 8878cfd5-81e6-4094-94d0-c54930f04acb | Metadata agent     | controller | :-)   | True           | neutron-metadata-agent    |
| c1a819d8-81be-423c-a60e-ac4b36cf7d4f | L3 agent           | controller | :-)   | True           | neutron-vpn-agent         |
| c59f8895-082d-4f41-a1d9-71fb74ec81ff | Loadbalancer agent | controller | :-)   | True           | neutron-lbaas-agent       |
| e4bf21cf-48c9-4cdd-a02c-b63e02ec740c | Linux bridge agent | compute    | :-)   | True           | neutron-linuxbridge-agent |
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+

Note:

As per our observation, strongswan 5.1.x does not have separate pluto interface for IKEv1 policies. It's single binary Charon takes cares of
both IKEv1 and IKEv2 policies. However, it appears to us, that somehow strongswan driver(despite the 5.1.X) is still dependent on pluto interface.
This is the reason we are getiing message "unknown IPsec command `pluto'" since no pluto is present in 5.1.x.

Ideally both IKEv1 and IKEv2 policies should be allowed to be processed independently by strongswan driver with any dependency on openswan.
Please let us know if we are missing something and configuring something wrong. 


Other configuration/logs information given below
======================================================================================================
vpn_agent.ini Configuration file given as follows
----------------------------------------------------
[DEFAULT]
# VPN-Agent configuration file
# Note vpn-agent inherits l3-agent, so you can use configs on l3-agent also
debug=True
[vpnagent]
# vpn device drivers which vpn agent will use
# If we want to use multiple drivers,  we need to define this option multiple times.
# NOTE: StrongSwan and openSwan cannot be installed at the same time. Thus, both cannot
#       be enabled for use. In the future when flavors/STF support is available,
#       this will still constrain the flavors which can be used together.
# vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.ipsec.OpenSwanDriver
# vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.cisco_ipsec.CiscoCsrIPsecDriver
# vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.vyatta_ipsec.VyattaIPSecDriver
vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver
# vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.fedora_strongswan_ipsec.FedoraStrongSwanDriver
# vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver
# vpn_device_driver=another_driver

[ipsec]
# Status check interval
# ipsec_status_check_interval=60

# Enable detail logging for ipsec pluto process.
# If the flag set to True, the detailed logging will
# be written into config_base_dir/<pid>/logs."
# NOTE: this applies to OpenSwan and Libraswan, and
# that StrongSwan has logging that logs to syslog.
# enable_detailed_logging=False

[strongswan]
# For fedora use:
# default_config_area=/usr/share/strongswan/templates/config/strongswan.d
# Default is for ubuntu use, /etc/strongswan.d
# default_config_area=/etc/strongswan.d

[libreswan]
# Initial interval in seconds for checking if pluto daemon is shutdown
# shutdown_check_timeout=1
#
# The maximum number of retries for checking for pluto daemon shutdown
# shutdown_check_retries=5
#
# A factor to increase the retry interval for each retry
# shutdown_check_back_off=1.5

============================================================================================================================
vpnaas_filter file given as follows
-----------------------------------------------------------------------------
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user

# format seems to be
# cmd-name: filter-name, raw-command, user, args

[Filters]

ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
strongswan: CommandFilter, strongswan, root
ipsec: CommandFilter, ipsec, root
neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root
neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root
chown: RegExpFilter, chown, root, chown, --from=.*, root.root, .*/ipsec.secrets
============================================================================================================================
vpn_agent logs given as follows
-----------------------------------------------------------------------------
2016-02-24 10:02:13.567 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] 
Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--status']
Exit code: 2
Stdin: 
Stdout: 
Stderr: /usr/sbin/ipsec: unknown IPsec command `whack' (`ipsec --help' for list)

2016-02-24 10:02:13.632 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] 
Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'pluto', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--ipsecdir', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc/ipsec.secrets', '--virtual_private', '%v4:192.18.10.0/24,%v4:192.18.8.0/24']
Exit code: 2
Stdin: 
Stdout: 
Stderr: /usr/sbin/ipsec: unknown IPsec command `pluto' (`ipsec --help' for list)

2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] Failed to enable vpn process on router 224f2a11-affc-48cb-beb8-93dceb8d7a3e
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Traceback (most recent call last):
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 260, in enable
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     self.start()
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 436, in start
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     self._execute(cmd)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 341, in _execute
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/ip_lib.py", line 816, in execute
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes, **kwargs)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/utils.py", line 159, in execute
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     raise RuntimeError(m)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError: 
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'pluto', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--ipsecdir', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc/ipsec.secrets', '--virtual_private', '%v4:192.18.10.0/24,%v4:192.18.8.0/24']
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 2
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin: 
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout: 
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stderr: /usr/sbin/ipsec: unknown IPsec command `pluto' (`ipsec --help' for list)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec 
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec 
2016-02-24 10:02:13.700 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] 
Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--status']
Exit code: 2
Stdin: 
Stdout: 
Stderr: /usr/sbin/ipsec: unknown IPsec command `whack' (`ipsec --help' for list)

2016-02-24 10:02:13.760 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] 
Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--status']
Exit code: 2
Stdin: 
Stdout: 
Stderr: /usr/sbin/ipsec: unknown IPsec command `whack' (`ipsec --help' for list)

2016-02-24 10:02:13.840 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] 
Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--status']
Exit code: 2
Stdin: 
Stdout: 
Stderr: /usr/sbin/ipsec: unknown IPsec command `whack' (`ipsec --help' for list)

2016-02-24 10:02:13.921 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] 
Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-7861b7af-e95f-4fe2-9739-068a9aab1022', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/7861b7af-e95f-4fe2-9739-068a9aab1022/var/run/pluto', '--status']
Exit code: 2
Stdin: 
Stdout: 
Stderr: /usr/sbin/ipsec: unknown IPsec command `whack' (`ipsec --help' for list)

-------------Keeps on repeating--------------------------

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1549295

Title:
  Strongswan Driver is not getting invoked 1+1 Node setup on Liberty/
  Ubuntu 14.04

Status in neutron:
  New

Bug description:
  We are trying to configure the vpn tunnels with strongswan. We are
  getting the following error :

  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] Failed to enable vpn process on router 224f2a11-affc-48cb-beb8-93dceb8d7a3e
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Traceback (most recent call last):
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 260, in enable
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     self.start()
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 436, in start
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     self._execute(cmd)
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 341, in _execute
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes)
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/ip_lib.py", line 816, in execute
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes, **kwargs)
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/utils.py", line 159, in execute
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     raise RuntimeError(m)
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError:
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'pluto', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--ipsecdir', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc/ipsec.secrets', '--virtual_private', '%v4:192.18.10.0/24,%v4:192.18.8.0/24']
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 2
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin:
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout:
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stderr: /usr/sbin/ipsec: unknown IPsec command `pluto' (`ipsec --help' for list)
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec
  2016-02-24 10:02:13.700 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -]
  Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--status']
  Exit code: 2 

  We were able to configure the tunnels with openswan(after uninstalling
  strongswan and making configuration changes for openswan) with the
  same setup. With strongswan(after uninstalling Openswan and making
  configuration changes for strongswan driver) , the tunnels remain in
  PENDING_CREATE state and do not become ACTIVE.

  
  We have the following configuration:

  1.	We have openstack (liberty) installed on the ubuntu 14.04LTS on 1+1 node setup and we are trying to create IKEv1 and IKEv2 tunnels between 2 openstack public clouds. 
  2.	We have installed neutron_vpn-agent along with strongswan package

  Output of dpkg list for strongswan pakages.
  -------------------------------------------------------------------------
  root@controller:/var/log/neutron# dpkg -l | grep -i strongswan
  ii  libstrongswan                                         5.1.2-0ubuntu2.4                                    amd64        strongSwan utility and crypto library
  ii  strongswan                                            5.1.2-0ubuntu2.4                                    all          IPsec VPN solution metapackage
  ii  strongswan-ike                                        5.1.2-0ubuntu2.4                                    amd64        strongSwan Internet Key Exchange (v2) daemon
  ii  strongswan-plugin-openssl                             5.1.2-0ubuntu2.4                                    amd64        strongSwan plugin for OpenSSL
  ii  strongswan-starter                                    5.1.2-0ubuntu2.4                                    amd64        strongSwan daemon starter and configuration file parser

  Output of dpkg list for neutron-vpn-agent
  -----------------------------------------------------------------------
  root@controller:/var/log/neutron# dpkg -l | grep -i vpn-agent
  ii  neutron-vpn-agent                                     2:7.0.0-0ubuntu1~cloud0                             all          Neutron is a virtual network service for Openstack - VPN agent

  3.	The nova-service list and neutron service list are all up and running. 
  	Output of nova service-list 
  root@controller:/var/log/neutron# nova service-list
  +----+------------------+------------+----------+---------+-------+----------------------------+-----------------+
  | Id | Binary           | Host       | Zone     | Status  | State | Updated_at                 | Disabled Reason |
  +----+------------------+------------+----------+---------+-------+----------------------------+-----------------+
  | 1  | nova-cert        | controller | internal | enabled | up    | 2016-02-24T05:42:34.000000 | -               |
  | 2  | nova-consoleauth | controller | internal | enabled | up    | 2016-02-24T05:42:34.000000 | -               |
  | 3  | nova-scheduler   | controller | internal | enabled | up    | 2016-02-24T05:42:38.000000 | -               |
  | 4  | nova-conductor   | controller | internal | enabled | up    | 2016-02-24T05:42:41.000000 | -               |
  | 7  | nova-compute     | compute    | nova     | enabled | up    | 2016-02-24T05:42:35.000000 | -               |
  +----+------------------+------------+----------+---------+-------+----------------------------+-----------------+
  	Output of neutron agent-list  
  root@controller:/var/log/neutron# neutron agent-list
  +--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
  | id                                   | agent_type         | host       | alive | admin_state_up | binary                    |
  +--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
  | 0b2327b7-12b6-425f-af8d-3fe637106d19 | DHCP agent         | controller | :-)   | True           | neutron-dhcp-agent        |
  | 21acf20a-7c20-48ee-b79a-fe6df7c84c69 | Linux bridge agent | controller | :-)   | True           | neutron-linuxbridge-agent |
  | 8878cfd5-81e6-4094-94d0-c54930f04acb | Metadata agent     | controller | :-)   | True           | neutron-metadata-agent    |
  | c1a819d8-81be-423c-a60e-ac4b36cf7d4f | L3 agent           | controller | :-)   | True           | neutron-vpn-agent         |
  | c59f8895-082d-4f41-a1d9-71fb74ec81ff | Loadbalancer agent | controller | :-)   | True           | neutron-lbaas-agent       |
  | e4bf21cf-48c9-4cdd-a02c-b63e02ec740c | Linux bridge agent | compute    | :-)   | True           | neutron-linuxbridge-agent |
  +--------------------------------------+--------------------+------------+-------+----------------+---------------------------+

  Note:

  As per our observation, strongswan 5.1.x does not have separate pluto interface for IKEv1 policies. It's single binary Charon takes cares of
  both IKEv1 and IKEv2 policies. However, it appears to us, that somehow strongswan driver(despite the 5.1.X) is still dependent on pluto interface.
  This is the reason we are getiing message "unknown IPsec command `pluto'" since no pluto is present in 5.1.x.

  Ideally both IKEv1 and IKEv2 policies should be allowed to be processed independently by strongswan driver with any dependency on openswan.
  Please let us know if we are missing something and configuring something wrong. 

  
  Other configuration/logs information given below
  ======================================================================================================
  vpn_agent.ini Configuration file given as follows
  ----------------------------------------------------
  [DEFAULT]
  # VPN-Agent configuration file
  # Note vpn-agent inherits l3-agent, so you can use configs on l3-agent also
  debug=True
  [vpnagent]
  # vpn device drivers which vpn agent will use
  # If we want to use multiple drivers,  we need to define this option multiple times.
  # NOTE: StrongSwan and openSwan cannot be installed at the same time. Thus, both cannot
  #       be enabled for use. In the future when flavors/STF support is available,
  #       this will still constrain the flavors which can be used together.
  # vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.ipsec.OpenSwanDriver
  # vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.cisco_ipsec.CiscoCsrIPsecDriver
  # vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.vyatta_ipsec.VyattaIPSecDriver
  vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver
  # vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.fedora_strongswan_ipsec.FedoraStrongSwanDriver
  # vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver
  # vpn_device_driver=another_driver

  [ipsec]
  # Status check interval
  # ipsec_status_check_interval=60

  # Enable detail logging for ipsec pluto process.
  # If the flag set to True, the detailed logging will
  # be written into config_base_dir/<pid>/logs."
  # NOTE: this applies to OpenSwan and Libraswan, and
  # that StrongSwan has logging that logs to syslog.
  # enable_detailed_logging=False

  [strongswan]
  # For fedora use:
  # default_config_area=/usr/share/strongswan/templates/config/strongswan.d
  # Default is for ubuntu use, /etc/strongswan.d
  # default_config_area=/etc/strongswan.d

  [libreswan]
  # Initial interval in seconds for checking if pluto daemon is shutdown
  # shutdown_check_timeout=1
  #
  # The maximum number of retries for checking for pluto daemon shutdown
  # shutdown_check_retries=5
  #
  # A factor to increase the retry interval for each retry
  # shutdown_check_back_off=1.5

  ============================================================================================================================
  vpnaas_filter file given as follows
  -----------------------------------------------------------------------------
  # neutron-rootwrap command filters for nodes on which neutron is
  # expected to control network
  #
  # This file should be owned by (and only-writeable by) the root user

  # format seems to be
  # cmd-name: filter-name, raw-command, user, args

  [Filters]

  ip: IpFilter, ip, root
  ip_exec: IpNetnsExecFilter, ip, root
  strongswan: CommandFilter, strongswan, root
  ipsec: CommandFilter, ipsec, root
  neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root
  neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root
  chown: RegExpFilter, chown, root, chown, --from=.*, root.root, .*/ipsec.secrets
  ============================================================================================================================
  vpn_agent logs given as follows
  -----------------------------------------------------------------------------
  2016-02-24 10:02:13.567 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] 
  Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--status']
  Exit code: 2
  Stdin: 
  Stdout: 
  Stderr: /usr/sbin/ipsec: unknown IPsec command `whack' (`ipsec --help' for list)

  2016-02-24 10:02:13.632 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] 
  Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'pluto', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--ipsecdir', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc/ipsec.secrets', '--virtual_private', '%v4:192.18.10.0/24,%v4:192.18.8.0/24']
  Exit code: 2
  Stdin: 
  Stdout: 
  Stderr: /usr/sbin/ipsec: unknown IPsec command `pluto' (`ipsec --help' for list)

  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] Failed to enable vpn process on router 224f2a11-affc-48cb-beb8-93dceb8d7a3e
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Traceback (most recent call last):
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 260, in enable
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     self.start()
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 436, in start
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     self._execute(cmd)
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 341, in _execute
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes)
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/ip_lib.py", line 816, in execute
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes, **kwargs)
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/utils.py", line 159, in execute
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     raise RuntimeError(m)
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError: 
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'pluto', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--ipsecdir', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc/ipsec.secrets', '--virtual_private', '%v4:192.18.10.0/24,%v4:192.18.8.0/24']
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 2
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin: 
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout: 
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stderr: /usr/sbin/ipsec: unknown IPsec command `pluto' (`ipsec --help' for list)
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec 
  2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec 
  2016-02-24 10:02:13.700 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] 
  Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--status']
  Exit code: 2
  Stdin: 
  Stdout: 
  Stderr: /usr/sbin/ipsec: unknown IPsec command `whack' (`ipsec --help' for list)

  2016-02-24 10:02:13.760 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] 
  Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--status']
  Exit code: 2
  Stdin: 
  Stdout: 
  Stderr: /usr/sbin/ipsec: unknown IPsec command `whack' (`ipsec --help' for list)

  2016-02-24 10:02:13.840 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] 
  Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--status']
  Exit code: 2
  Stdin: 
  Stdout: 
  Stderr: /usr/sbin/ipsec: unknown IPsec command `whack' (`ipsec --help' for list)

  2016-02-24 10:02:13.921 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] 
  Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-7861b7af-e95f-4fe2-9739-068a9aab1022', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/7861b7af-e95f-4fe2-9739-068a9aab1022/var/run/pluto', '--status']
  Exit code: 2
  Stdin: 
  Stdout: 
  Stderr: /usr/sbin/ipsec: unknown IPsec command `whack' (`ipsec --help' for list)

  -------------Keeps on repeating--------------------------

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1549295/+subscriptions


Follow ups