yahoo-eng-team team mailing list archive

[Bug 1478778] Re: VPNaas: strongswan: cannot add more than one subnet to ipsec


[Expired for neutron because there has been no activity for 60 days.]

** Changed in: neutron
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1478778

Title:
  VPNaas: strongswan: cannot add more than one subnet to ipsec

Status in neutron:
  Expired

Bug description:
  I used this patch (VPNaaS: Fedora support for StrongSwan) for VPNaaS on CentOS, referring to this bug:
  https://bugs.launchpad.net/neutron/+bug/1441788

  1. I used a single node with 2 routers and created ike/ipsec/vpn-service/site vpn; the tunnels came
  up fine.
  kilo-vpnaas-centos71

  
  10.10.10.x/24--------R1-------------R2-------------20.20.20.x/24

  R1 to R2 on 192.168.122.202, 192.168.122.203.

  2. When I added one more interface to R1 and R2 (30.30.30.x and 40.40.40.x respectively) and created
  ike/ipsec/vpn-service/site-vpn, it did not create a new conn in the ipsec.conf file; rather, it
  overwrote the existing (10.10.10.x) conn in the ipsec.conf file.

  [root@ceos71 ~]# cat /var/lib/neutron/ipsec/70e88c46-c6b2-4c8d-afad-76ebd77b55cb/etc/strongswan/ipsec.conf 
  # Configuration for vpn10
  config setup

  conn %default
          ikelifetime=60m
          keylife=20m
          rekeymargin=3m
          keyingtries=1
          authby=psk
          mobike=no

  conn 221c6d37-e7a1-4afc-8d0f-4de32df3818b  #### this for 10.10.10.x
      keyexchange=ikev2
      left=192.168.122.202
      leftsubnet=10.10.10.0/24
      leftid=192.168.122.202
      leftfirewall=yes
      right=192.168.122.203
      rightsubnet=20.20.20.0/24
      rightid=192.168.122.203
      auto=route

  ### added 1 more subnet 30.30.30.x

  [root@ceos71 ~]# cat /var/lib/neutron/ipsec/70e88c46-c6b2-4c8d-afad-76ebd77b55cb/etc/strongswan/ipsec.conf 
  # Configuration for vpn30
  config setup

  conn %default
          ikelifetime=60m
          keylife=20m
          rekeymargin=3m
          keyingtries=1
          authby=psk
          mobike=no

  conn 7b57fc83-3581-4e86-a193-e14474eef295 ### this is for 30.30.30.x, it over wrote the 10.10.10.x conn 
      keyexchange=ikev2
      left=192.168.122.202
      leftsubnet=30.30.30.0/24 <<<<<<<<<<<<<
      leftid=192.168.122.202
      leftfirewall=yes
      right=192.168.122.203
      rightsubnet=40.40.40.0/24
      rightid=192.168.122.203
      auto=route

  3. My understanding is that it should add a new conn to the ipsec.conf
  file rather than overwriting the existing conn. Am I right?

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1478778/+subscriptions
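The two ipsec.conf listings in the report show the file after the second site connection was created: the conn for 10.10.10.0/24 is gone and only the 30.30.30.0/24 conn remains. The example below is added here and is not neutron's or strongSwan's code; it renders one ipsec.conf per router with a single `conn %default` block and one conn block per site connection (the layout copies the file in the report), and it adds the check a deployer could run after each regeneration: parse the conn names back out of the file and compare them with the site connections that should be there, so a dropped conn is noticed before the tunnel silently stops carrying traffic. All function and class names, and the abridged copy of the overwritten file, are assumptions constructed for the example.

```python
"""Render one ipsec.conf per router with a conn block for every site
connection, then check the rendered file for dropped conns.

Added example, not neutron's or strongSwan's own code; the layout copies
the file shown in the bug report, and every name below is an assumption.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SiteConnection:
    """Minimal view of an ipsec-site-connection (constructed for this example)."""
    conn_id: str
    left: str
    left_subnet: str
    right: str
    right_subnet: str


# Constructed from the two conn blocks in the bug report: same router
# endpoints, different local/peer subnets.
VPN10 = SiteConnection("221c6d37-e7a1-4afc-8d0f-4de32df3818b",
                       "192.168.122.202", "10.10.10.0/24",
                       "192.168.122.203", "20.20.20.0/24")
VPN30 = SiteConnection("7b57fc83-3581-4e86-a193-e14474eef295",
                       "192.168.122.202", "30.30.30.0/24",
                       "192.168.122.203", "40.40.40.0/24")

HEADER = """# Configuration for {services}
config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=psk
        mobike=no
"""

CONN_TEMPLATE = """
conn {conn_id}
    keyexchange=ikev2
    left={left}
    leftsubnet={left_subnet}
    leftid={left}
    leftfirewall=yes
    right={right}
    rightsubnet={right_subnet}
    rightid={right}
    auto=route
"""


def render_ipsec_conf(services):
    """services maps a vpn-service name to its list of site connections.

    The %default block is emitted once for the router, and every site
    connection of every service gets its own conn block, so a second
    service appends a conn instead of replacing the first one."""
    header = HEADER.format(services=", ".join(sorted(services)))
    blocks = [
        CONN_TEMPLATE.format(conn_id=c.conn_id, left=c.left,
                             left_subnet=c.left_subnet, right=c.right,
                             right_subnet=c.right_subnet)
        for name in sorted(services) for c in services[name]
    ]
    return header + "".join(blocks)


# Leading whitespace is tolerated because the file pasted in the report is indented.
CONN_RE = re.compile(r"^\s*conn\s+(\S+)", re.MULTILINE)


def conn_names(ipsec_conf):
    """Names of the conn sections in an ipsec.conf, %default excluded."""
    return [n for n in CONN_RE.findall(ipsec_conf) if n != "%default"]


def missing_conns(ipsec_conf, expected):
    """Site-connection ids that should be in the file but are not: the check
    that would have flagged the overwritten file in the report."""
    present = set(conn_names(ipsec_conf))
    return [c.conn_id for c in expected if c.conn_id not in present]


# Abridged, constructed copy of the second ipsec.conf from the report:
# only the vpn30 conn survived the regeneration.
OVERWRITTEN_CONF = """# Configuration for vpn30
  config setup

  conn %default
          authby=psk

  conn 7b57fc83-3581-4e86-a193-e14474eef295
      leftsubnet=30.30.30.0/24
      rightsubnet=40.40.40.0/24
"""


if __name__ == "__main__":
    conf = render_ipsec_conf({"vpn10": [VPN10], "vpn30": [VPN30]})
    print(conf)
    print("missing in rendered file:", missing_conns(conf, [VPN10, VPN30]))
    print("missing in overwritten file:", missing_conns(OVERWRITTEN_CONF, [VPN10, VPN30]))
```

Run against the report's second file, `missing_conns` returns the id of the 10.10.10.x conn, which is exactly the symptom described in step 2; run against the file produced by `render_ipsec_conf` for both services it returns an empty list. The parse-and-compare step is deliberately independent of the renderer so that it can also be pointed at the file strongSwan actually loaded from `/var/lib/neutron/ipsec/<router-id>/etc/strongswan/ipsec.conf`.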