
yahoo-eng-team team mailing list archive

[Bug 1605066] Re: [Neutron][VPNaaS] Failed to create ipsec site connection

 

Based on the comment from Dongcan Ye, setting this bug to Invalid since it
is caused by a libreswan bug.

** Changed in: neutron
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1605066

Title:
  [Neutron][VPNaaS] Failed to create ipsec site connection

Status in neutron:
  Invalid

Bug description:
  Code repo: neutron-vpnaas master
  OS: Centos7
  ipsec device driver: libreswan-3.15-5.el7_1.x86_64

  In /etc/neutron/vpn_agent.ini, vpn_device_driver is
  neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver.

  Before running neutron-vpn-agent, I had checked ipsec status, it seems normal:
  # ipsec verify
  Verifying installed system and configuration files

  Version check and ipsec on-path                   	[OK]
  Libreswan 3.15 (netkey) on 3.10.0-123.el7.x86_64
  Checking for IPsec support in kernel              	[OK]
   NETKEY: Testing XFRM related proc values
           ICMP default/send_redirects              	[OK]
           ICMP default/accept_redirects            	[OK]
           XFRM larval drop                         	[OK]
  Pluto ipsec.conf syntax                           	[OK]
  Hardware random device                            	[N/A]
  Two or more interfaces found, checking IP forwarding	[OK]
  Checking rp_filter                                	[OK]
  Checking that pluto is running                    	[OK]
   Pluto listening for IKE on udp 500               	[OK]
   Pluto listening for IKE/NAT-T on udp 4500        	[OK]
   Pluto ipsec.secret syntax                        	[OK]
  Checking 'ip' command                             	[OK]
  Checking 'iptables' command                       	[OK]
  Checking 'prelink' command does not interfere with FIPS
  Checking for obsolete ipsec.conf options          	[OK]
  Opportunistic Encryption                          	[DISABLED]

  After creating the ikepolicy, ipsecpolicy and vpn service, creating an ipsec-site-connection failed;
  the ipsec whack --ctlbase status code in vpn-agent.log returns 1, which means not running.

  Then I traced the code. I think the problem is in function enable(): the call to self.ensure_configs() [1] may have some problems.
  ensure_configs [2] in libreswan_ipsec.py overrides it; I have not confirmed that the root cause is ipsec checknss (which creates the nssdb).
  If the call to self.ensure_configs() fails, we can't start the ipsec pluto daemon.

  
  Here is the running ipsec process:
  # ps aux |grep ipsec
  root     22223  0.0  0.0   9648  1368 pts/17   S+   12:59   0:00 /bin/sh /sbin/ipsec checknss /opt/stack/data/neutron/ipsec/f75151f6-ef01-4a68-9747-eb52f4e629f5/etc
  root     22224  0.0  0.0  37400  3300 pts/17   S+   12:59   0:00 certutil -N -d sql:/etc/ipsec.d --empty-password
  root     25893  0.0  0.0   9040   668 pts/0    S+   13:40   0:00 grep --color=auto ipsec
  root     26396  0.0  0.1 335268  4588 ?        Ssl  08:58   0:00 /usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork

  [1] https://github.com/openstack/neutron-vpnaas/blob/master/neutron_vpnaas/services/vpn/device_drivers/ipsec.py#L304
  [2] https://github.com/openstack/neutron-vpnaas/blob/master/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py#L59

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1605066/+subscriptions
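The sequence the report walks through (enable() -> ensure_configs() -> "ipsec checknss" -> certutil, then "ipsec whack --ctlbase ... --status" to see whether pluto came up) is easy to reproduce outside the agent, and the ps listing above shows the checknss/certutil pair still present some 40 minutes after it was launched. The following is an added example, not code from neutron-vpnaas or libreswan: it replays the two steps with a hard timeout around each so a hung checknss is reported instead of blocking the caller, and it maps the whack exit status the way the agent log does (nonzero = not running). Assumptions: the exact whack argv and the ctlbase path are reconstructed from the report's paraphrase, the 30 s timeout is arbitrary, and the service directory is the one from the ps output.

```python
"""Guarded replay of the driver's start-up sequence: NSS db check, then pluto
status.  Added example; not code from neutron-vpnaas or libreswan."""
import os
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class StepResult:
    name: str
    argv: List[str]
    timeout: float
    returncode: Optional[int]   # None means the step hung and was killed
    stderr: str

    @property
    def timed_out(self) -> bool:
        return self.returncode is None


def run_step(name: str, argv: Sequence[str], timeout: float) -> StepResult:
    """Run one external command with a hard deadline.

    subprocess.run() kills its child when the timeout expires, so a hung
    'ipsec checknss' cannot block the caller indefinitely the way the ps
    listing in the report shows (a grandchild such as certutil may still
    need separate cleanup).
    """
    try:
        proc = subprocess.run(list(argv), capture_output=True, text=True,
                              timeout=timeout)
    except subprocess.TimeoutExpired:
        return StepResult(name, list(argv), timeout, None, "")
    except FileNotFoundError as exc:
        # Binary missing from PATH: report it like a shell would (exit 127).
        return StepResult(name, list(argv), timeout, 127, str(exc))
    return StepResult(name, list(argv), timeout, proc.returncode, proc.stderr)


def libreswan_steps(etc_dir: str) -> List[Tuple[str, List[str]]]:
    """The two commands the report shows/describes, in driver order.

    Assumption: the whack invocation is reconstructed from the report's
    paraphrase ("ipsec whack --ctlbase ... status"); the ctlbase path below
    the service's etc dir is illustrative, not taken from the driver.
    """
    ctlbase = os.path.join(etc_dir, "run", "pluto")
    return [
        ("checknss", ["ipsec", "checknss", etc_dir]),
        ("status", ["ipsec", "whack", "--ctlbase", ctlbase, "--status"]),
    ]


def preflight(steps: Sequence[Tuple[str, Sequence[str]]],
              timeout: float = 30.0) -> List[StepResult]:
    """Run the steps in order and stop at the first hang or nonzero exit:
    once ensure_configs() fails, the driver never gets to start pluto."""
    results: List[StepResult] = []
    for name, argv in steps:
        result = run_step(name, argv, timeout)
        results.append(result)
        if result.timed_out or result.returncode != 0:
            break
    return results


def pluto_is_running(status: StepResult) -> bool:
    """'ipsec whack --status' exits 0 only when it reaches a live pluto; the
    agent log in the report shows exit 1 for 'not running'."""
    return status.name == "status" and status.returncode == 0


def diagnose(results: List[StepResult]) -> str:
    """One-line verdict for the operator, derived from the last step run."""
    if not results:
        return "nothing ran"
    last = results[-1]
    if last.timed_out:
        return (f"{last.name} hung for more than {last.timeout:g}s and was "
                f"killed; pluto was not started")
    if last.returncode != 0:
        return f"{last.name} exited {last.returncode}: {last.stderr.strip() or 'no stderr'}"
    return "pluto reachable via whack"


if __name__ == "__main__":
    # Service directory taken from the ps listing in the report.
    etc = "/opt/stack/data/neutron/ipsec/f75151f6-ef01-4a68-9747-eb52f4e629f5/etc"
    print(diagnose(preflight(libreswan_steps(etc))))
```

Run it as root on the VPN agent host with the real service directory; a verdict of "checknss hung ..." points at the NSS database step rather than at pluto or the agent, while "status exited 1" with an otherwise clean checknss means pluto itself never came up.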
