yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #73770
[Bug 1781354] [NEW] VPNaaS: IPsec siteconnection status DOWN while using IKE v2
Public bug reported:
While using IKE policy with version v2, the IPsec siteconnection status
always down, but the network traffic is OK.
>From the ipsec status we can see that the ipsec connection is
established:
# ip netns exec snat-a4d93552-c534-4a2c-96f7-c9b0ea918ba7 ipsec whack --ctlbase /var/lib/neutron/ipsec/a4d93552-c534-4a2c-96f7-c9b0ea918ba7/var/run/pluto --status
000 Total IPsec connections: loaded 3, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #2: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 2364s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1" esp.2d6840c8@172.16.2.130 esp.5d0c4043@172.16.2.123 tun.0@172.16.2.130 tun.0@172.16.2.123 ref=0 refhim=4294901761 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
000 #1: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 2574s; newest ISAKMP; isakmp#0; idle; import:admin initiate
000 #1: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1" ref=0 refhim=0 Traffic:
000
000 Bare Shunt list:
000
I think we should match "PARENT SA" in IKE v2. [1]
[1] https://libreswan.org/wiki/How_to_read_status_output
** Affects: neutron
Importance: Undecided
Assignee: Dongcan Ye (hellochosen)
Status: New
** Tags: vpnaas
** Changed in: neutron
Assignee: (unassigned) => Dongcan Ye (hellochosen)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1781354
Title:
VPNaaS: IPsec siteconnection status DOWN while using IKE v2
Status in neutron:
New
Bug description:
While using IKE policy with version v2, the IPsec siteconnection
status always down, but the network traffic is OK.
From the ipsec status we can see that the ipsec connection is
established:
# ip netns exec snat-a4d93552-c534-4a2c-96f7-c9b0ea918ba7 ipsec whack --ctlbase /var/lib/neutron/ipsec/a4d93552-c534-4a2c-96f7-c9b0ea918ba7/var/run/pluto --status
000 Total IPsec connections: loaded 3, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #2: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 2364s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1" esp.2d6840c8@172.16.2.130 esp.5d0c4043@172.16.2.123 tun.0@172.16.2.130 tun.0@172.16.2.123 ref=0 refhim=4294901761 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
000 #1: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 2574s; newest ISAKMP; isakmp#0; idle; import:admin initiate
000 #1: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1" ref=0 refhim=0 Traffic:
000
000 Bare Shunt list:
000
I think we should match "PARENT SA" in IKE v2. [1]
[1] https://libreswan.org/wiki/How_to_read_status_output
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1781354/+subscriptions
Follow ups