yahoo-eng-team team mailing list archive

[Bug 1743791] [NEW] Router gateway ip can be changed while being used by a VPN IPsec site connection

 

Public bug reported:

* Summary
When an IPsec site connection is using the IP address of the router gateway port as the local IP, a user can change the IP address of the router gateway port, and the IPsec site connection will then malfunction.

* Environment

devstack with vpnaas

* Step-by-step reproduction steps:
  1. create two networks and two subnets respectively (left and right for VPN connection)
  2. create two routers, connect subnets of step 1 to each of them
  3. create a public network and subnet, connect two routers of step 2 to this public network
  4. set up an IPsec VPN site connection between the two routers, wait for their status to become ACTIVE
  5. change the router gateway port's fixed IP address of one of the routers:
    - openstack router set <ROUTER_NAME> --external-gateway <PUBLIC_NETWORK> --fixed-ip subnet=<SUBNET>,ip-address=<NEW_IP_ADDRESS>

* Expected output:
  - Users cannot change the IP address of the router gateway port as it is being used by an active VPN IPsec site connection

* Actual output:
  - IP address of router gateway port is successfully changed
  - statuses of both IPsec VPN site connections will change to DOWN

** Affects: neutron
     Importance: Undecided
     Assignee: Hunt Xu (huntxu)
         Status: New


** Tags: vpnaas

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1743791
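
The check the report asks for, as an added example (not part of the original bug report, and not neutron or neutron-vpnaas code). It assumes resources are plain dicts shaped like the Neutron API's router, vpnservice and ipsec_site_connection objects; `blocking_connections`, `new_gateway` and all sample data are hypothetical and constructed for illustration.

```python
import ipaddress

# The report speaks of an "active" connection; which statuses block is an assumption.
BLOCKING_STATUSES = {"ACTIVE"}


def _ips(values):
    """Normalise address strings so equivalent IPv6 spellings compare equal."""
    return {ipaddress.ip_address(v) for v in values if v}


def gateway_ips(gw_info):
    fixed = (gw_info or {}).get("external_fixed_ips", [])
    # An entry carrying only subnet_id does not pin an address, so it adds nothing.
    return _ips(f.get("ip_address") for f in fixed)


def blocking_connections(router, new_gw_info, vpnservices, connections):
    """Return ids of IPsec site connections whose local IP the update would remove."""
    removed = gateway_ips(router.get("external_gateway_info")) - gateway_ips(new_gw_info)
    blocked = []
    for svc in vpnservices:
        if svc["router_id"] != router["id"]:
            continue
        local = _ips([svc.get("external_v4_ip"), svc.get("external_v6_ip")])
        if not (local & removed):
            continue
        blocked += [c["id"] for c in connections
                    if c["vpnservice_id"] == svc["id"]
                    and c["status"] in BLOCKING_STATUSES]
    return blocked


def new_gateway(ip):
    """Build the gateway info a fixed-IP change request would carry (constructed)."""
    return {"network_id": "public",
            "external_fixed_ips": [{"subnet_id": "public-subnet", "ip_address": ip}]}


# Constructed sample data: one router whose gateway IP is a VPN service's local IP.
ROUTER = {"id": "router-left", "external_gateway_info": new_gateway("172.24.4.10")}
VPNSERVICES = [{"id": "vpn-left", "router_id": "router-left",
                "external_v4_ip": "172.24.4.10", "external_v6_ip": None}]
CONNECTIONS = [{"id": "conn-left", "vpnservice_id": "vpn-left", "status": "ACTIVE"}]

if __name__ == "__main__":
    # A non-empty result means the gateway update should be refused.
    print(blocking_connections(ROUTER, new_gateway("172.24.4.99"), VPNSERVICES, CONNECTIONS))
```

A caller would reject the gateway update whenever the returned list is non-empty, and allow it otherwise.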
