yahoo-eng-team team mailing list archive

[Bug 1717266] [NEW] VPNaaS: VPN creation not working in case of distributed virtual routers (Pike)


Public bug reported:

I have manually set up a fresh OpenStack Pike HA environment based on
Ubuntu 16.04.3 in conjunction with DVR. VPN creation works fine in case
of centralized routers, but when a VPN gets created in the context of
distributed routers, all VPN services and connections turn their state
to ACTIVE, but a connection between different clients connected via VPN
is not possible. The error log does not contain any errors.

My environment comprises 2 controller nodes (also functioning as network
nodes) and 3 compute nodes. Each controller node runs a neutron-vpn-
agent, whereas each compute node runs a neutron-l3-agent which is
unaware of any VPN settings.

Controller/Network node:

#############
vpn_agent.ini
#############

[ipsec]
enable_detailed_logging = true
ipsec_status_check_interval = 60

[vpnagent]
vpn_device_driver = neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver

############
neutron.conf
############

[DEFAULT]
allow_overlapping_ips = true
auth_strategy = keystone
base_mac = 02:05:69:00:00:00
bind_host = 10.30.200.101
bind_port = 9696
core_plugin = ml2
debug = true
dhcp_agents_per_network = 2
dns_domain = openstack.mycompany.com.
dvr_base_mac = 0A:05:69:00:00:00
endpoint_type = internalURL
host = os-network01
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
l3_ha = true
l3_ha_net_cidr = 169.254.192.0/18
log_dir = /var/log/neutron
max_l3_agents_per_router = 2
min_l3_agents_per_router = 2
notify_nova_on_port_data_changes = true
notify_nova_on_port_status_changes = true
router_distributed = true
service_plugins = router,firewall,qos,lbaasv2,vpnaas
state_path = /var/lib/neutron
transport_url = rabbit://neutron:neutronpass@os-rabbit01:5672,neutron:neutronpass@os-rabbit02:5672/openstack

[agent]
root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf

[database]
connection = mysql+pymysql://neutron:neutronDBpass@os-controller/neutron
max_retries = -1

[keystone_authtoken]
auth_type = password
auth_uri = https://os-cloud.mycompany.com:5000
auth_url = http://os-identity:35357
memcached_servers = os-memcache:11211
password = neutronpass
project_domain_name = default
project_name = service
user_domain_name = default
username = neutron

[nova]
auth_type = password
auth_url = http://os-identity:35357
endpoint_type = internal
password = novapass
project_domain_name = default
project_name = service
region_name = RegionOne
user_domain_name = default
username = nova

[oslo_concurrency]
lock_path = /var/lock/neutron

[oslo_messaging_notifications]
driver = messagingv2

[oslo_messaging_rabbit]
amqp_durable_queues = true
rabbit_ha_queues = true
rabbit_retry_backoff = 2
rabbit_retry_interval = 1

[oslo_middleware]
enable_proxy_headers_parsing = true

[service_providers]
service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
service_provider = LOADBALANCERV2:Haproxy:neutron_lbaas.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
service_provider = VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default

$ ext-list | grep vpn
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
| vpnaas                    | VPN service                                                                                  |
| vpn-endpoint-groups       | VPN Endpoint Groups                                                                          |
| vpn-flavors               | VPN Service Flavor Extension                                                                 |

"usr.lib.ipsec.charon" and "usr.lib.ipsec.stroke" have been disabled:
ln -sf /etc/apparmor.d/usr.lib.ipsec.charon /etc/apparmor.d/disable/
ln -sf /etc/apparmor.d/usr.lib.ipsec.stroke /etc/apparmor.d/disable/

Any ideas?

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: vpnaas

** Summary changed:

- VPNaaS: VPN creating not working in case of distributed routers (Pike)
+ VPNaaS: VPN creation not working in case of distributed virtual routers (Pike)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1717266
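An added diagnostic helper, not part of the bug report or of neutron-vpnaas: the symptom above is connections reported ACTIVE while no traffic crosses them, and strongSwan's `ipsec statusall` can tell those cases apart (IKE_SA up but no CHILD_SA, or CHILD_SA installed but zero bytes moved). The sample output below is constructed, and the line format assumed is that of strongSwan 5.x.

```python
import re

# Constructed `ipsec statusall` sample (not from the reporter's environment; names,
# addresses and SPIs are made up). conn-aaaa has an ESP CHILD_SA installed but has
# moved zero bytes either way; conn-bbbb has an ESTABLISHED IKE_SA and no CHILD_SA.
SAMPLE_STATUSALL = """\
Security Associations (2 up, 0 connecting):
  conn-aaaa[1]: ESTABLISHED 12 minutes ago, 203.0.113.10[203.0.113.10]...203.0.113.20[203.0.113.20]
  conn-aaaa[1]: IKEv2 SPIs: 0011223344556677_i* 8899aabbccddeeff_r, rekeying in 2 hours
  conn-aaaa{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0a80001_i c0a80002_o
  conn-aaaa{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
  conn-aaaa{1}:   10.1.0.0/24 === 10.2.0.0/24
  conn-bbbb[2]: ESTABLISHED 3 minutes ago, 203.0.113.10[203.0.113.10]...203.0.113.30[203.0.113.30]
  conn-bbbb[2]: IKEv2 SPIs: 1122334455667788_i* 99aabbccddeeff00_r, rekeying in 2 hours
"""

IKE_STATES = {"CREATED", "CONNECTING", "ESTABLISHED", "PASSIVE", "REKEYING", "REKEYED", "DELETING"}
CHILD_STATES = {"CREATED", "ROUTED", "INSTALLING", "INSTALLED", "UPDATING", "REKEYING", "DELETING"}
IKE_RE = re.compile(r"^\s*(?P<name>[\w.-]+)\[\d+\]:\s+(?P<state>[A-Z]+)")    # conn[n]: STATE
CHILD_RE = re.compile(r"^\s*(?P<name>[\w.-]+)\{\d+\}:\s+(?P<state>[A-Z]+)")  # conn{n}: STATE
BYTES_RE = re.compile(r"^\s*(?P<name>[\w.-]+)\{\d+\}:.*?(?P<bi>\d+) bytes_i.*?(?P<bo>\d+) bytes_o")


def parse_statusall(text):
    """Return {conn: {"ike", "child", "bytes_i", "bytes_o"}} from `ipsec statusall` text.
    The state sets filter out look-alike lines such as "conn[1]: IKEv2 SPIs: ..."."""
    conns = {}

    def entry(name):
        return conns.setdefault(name, {"ike": None, "child": None, "bytes_i": 0, "bytes_o": 0})

    for line in text.splitlines():
        if (m := IKE_RE.match(line)) and m["state"] in IKE_STATES:
            entry(m["name"])["ike"] = m["state"]
        elif m := BYTES_RE.match(line):
            entry(m["name"])["bytes_i"] = int(m["bi"])
            entry(m["name"])["bytes_o"] = int(m["bo"])
        elif (m := CHILD_RE.match(line)) and m["state"] in CHILD_STATES:
            entry(m["name"])["child"] = m["state"]
    return conns


def diagnose(conns):
    """Map each connection to a verdict; only "healthy" means packets are actually flowing."""
    verdicts = {}
    for name, c in conns.items():
        if c["ike"] != "ESTABLISHED":
            verdicts[name] = "ike_down"
        elif c["child"] != "INSTALLED":
            verdicts[name] = "no_child_sa"  # peer reachable, but no ESP SA to carry traffic
        elif c["bytes_i"] == 0 or c["bytes_o"] == 0:
            verdicts[name] = "no_traffic"   # SAs fine; packets never reach the IPsec policy
        else:
            verdicts[name] = "healthy"
    return verdicts
```

Feed it output captured inside the namespace where the VPN agent started charon for the router in question (for example via `ip netns exec <namespace> ipsec statusall`, the namespace name being whatever the agent created on that node); a "no_traffic" verdict points at routing into that namespace rather than at IKE.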
