yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1570852] Re: vpn service can't be active again if the openswan process crash

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Armando Migliaccio <1570852@xxxxxxxxxxxxxxxxxx>
Date: Wed, 16 Nov 2016 23:49:18 -0000
Reply-to: Bug 1570852 <1570852@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

http://lists.openstack.org/pipermail/openstack-
dev/2016-November/107384.html

** Changed in: neutron
     Assignee: MingShuang Xian (xianms) => (unassigned)

** Changed in: neutron
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1570852

Title:
  vpn service can't be active again if the openswan process crash

Status in neutron:
  Won't Fix

Bug description:
  We are using VPNaaS with OpenSwan on Ubuntu and  found that the
  OpenSwan will crash when it receives some kinds of IKE2 attack
  packets. But I'm not very sure the format of the packet. After the
  OpenSwan crash, VPN-agent can't bring up it again and the VPN service
  status will be alway DOWN.

  We could use following steps to reproduce it.
  1. Bring up a VPN connection and show the VPN service status
  vpn-service-list
  +--------------------------------------+------+--------------------------------------+--------+
  | id                                   | name | router_id                            | status |
  +--------------------------------------+------+--------------------------------------+--------+
  | c354e5d7-aa81-44c0-9aa7-0f157a2c7b7d | s1   | dde4af28-31ff-4dff-bff9-8355998c5d0c | ACTIVE |
  | daa15ef8-3e99-4e37-a839-18dcf7910f9d | s2   | 0e8fb378-3e25-493c-9610-e48025b640ba | ACTIVE |
  +--------------------------------------+------+--------------------------------------+--------+

  2.  Kill the OpenSwan process

  3. Show the VPN service status again
  vpn-service-list
  +--------------------------------------+------+--------------------------------------+--------+
  | id                                   | name | router_id                            | status |
  +--------------------------------------+------+--------------------------------------+--------+
  | c354e5d7-aa81-44c0-9aa7-0f157a2c7b7d | s1   | dde4af28-31ff-4dff-bff9-8355998c5d0c | DOWN   |
  | daa15ef8-3e99-4e37-a839-18dcf7910f9d | s2   | 0e8fb378-3e25-493c-9610-e48025b640ba | ACTIVE |
  +--------------------------------------+------+--------------------------------------+--------+

  The VPN service will keep DOWN until the VPN-agent is restarted.

  So we expect the VPN-agent can bring the OpenSwan process again if it
  crashed.

  We found this issue with vpnaas-agent master

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1570852/+subscriptions

References

[Bug 1570852] [NEW] vpn service can't be active again if the openswan process crash
From: MingShuang Xian, 2016-04-15