
yahoo-eng-team team mailing list archive

[Bug 1781354] Re: VPNaaS: IPsec siteconnection status DOWN while using IKE v2

 

Reviewed:  https://review.openstack.org/582113
Committed: https://git.openstack.org/cgit/openstack/neutron-vpnaas/commit/?id=321392b9a7d288167b0155284c0b7d30af44e5b3
Submitter: Zuul
Branch:    master

commit 321392b9a7d288167b0155284c0b7d30af44e5b3
Author: Dongcan Ye <hellochosen@xxxxxxxxx>
Date:   Thu Jul 12 09:00:13 2018 +0000

    Match IPSEC SA established state
    
    While using an IKE policy with version v2,
    the IPsec siteconnection status is always down.
    From the libreswan wiki[1], the "phase2" in IKEv2 mistakenly
    calls itself a PARENT SA, which is the same as "phase1".
    This is a known bug for some versions of libreswan.
    
    For the newer versions of libreswan (3.20+),
    "IPsec SA established" will be output successfully if
    the phase2 state is established.
    
    Here we match the "established" and "newest IPSEC" for
    an established IPSEC SA.
    
    [1] https://libreswan.org/wiki/How_to_read_status_output
    
    Change-Id: Iffff7d00f48e69fbc53bb45df17d6a5be6760a6d
    Closes-Bug: #1781354


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1781354

Title:
  VPNaaS: IPsec siteconnection status DOWN while using IKE v2

Status in neutron:
  Fix Released

Bug description:
  While using an IKE policy with version v2, the IPsec siteconnection
  status is always down, but the network traffic is OK.

  From the ipsec status we can see that the ipsec connection is
  established:

  # ip netns exec snat-a4d93552-c534-4a2c-96f7-c9b0ea918ba7 ipsec whack --ctlbase /var/lib/neutron/ipsec/a4d93552-c534-4a2c-96f7-c9b0ea918ba7/var/run/pluto --status
  000 Total IPsec connections: loaded 3, active 1
  000
  000 State Information: DDoS cookies not required, Accepting new IKE connections
  000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
  000 IPsec SAs: total(1), authenticated(1), anonymous(0)
  000
  000 #2: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 2364s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
  000 #2: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1" esp.2d6840c8@172.16.2.130 esp.5d0c4043@172.16.2.123 tun.0@172.16.2.130 tun.0@172.16.2.123 ref=0 refhim=4294901761 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
  000 #1: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 2574s; newest ISAKMP; isakmp#0; idle; import:admin initiate
  000 #1: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1" ref=0 refhim=0 Traffic:
  000
  000 Bare Shunt list:
  000

  I think we should match "PARENT SA" in IKE v2. [1]

  [1] https://libreswan.org/wiki/How_to_read_status_output

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1781354/+subscriptions
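The fix described in the commit above comes down to how the `ipsec whack --status` output is parsed. The following is an added example written for this archive page; it is not neutron-vpnaas code. It parses the per-SA state lines and reports an IPsec SA as established when the state description contains "established" and the flags contain "newest IPSEC", exactly the two tokens the commit message names. It assumes (as the commit message implies but does not state) that the pre-fix check only looked for the literal "IPsec SA established", which never appears in the IKEv2 output quoted in the bug; that legacy check is included for contrast. The IKEv2 sample is copied from the bug report; the IKE-only and IKEv1 samples are constructed.

```python
import re

# IKEv2 status output copied from the bug report (libreswan 3.20+):
# the child SA (#2) announces itself as "PARENT SA established", so the
# pre-fix check never sees "IPsec SA established" and reports DOWN.
IKEV2_STATUS = """\
000 Total IPsec connections: loaded 3, active 1
000
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #2: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 2364s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1" esp.2d6840c8@172.16.2.130 esp.5d0c4043@172.16.2.123 tun.0@172.16.2.130 tun.0@172.16.2.123 ref=0 refhim=4294901761 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
000 #1: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 2574s; newest ISAKMP; isakmp#0; idle; import:admin initiate
000 #1: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1" ref=0 refhim=0 Traffic:
000
"""

# Constructed sample: the IKE SA is up but no child (IPsec) SA exists yet.
# Matching "established" alone would wrongly report this as ACTIVE; the
# "newest IPSEC" flag is what distinguishes the child SA from the IKE SA.
IKE_ONLY_STATUS = """\
000 #1: "conn-a/0x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 2574s; newest ISAKMP; isakmp#0; idle; import:admin initiate
000 #1: "conn-a/0x1" ref=0 refhim=0 Traffic:
"""

# Constructed IKEv1 sample using the classic phase-2 wording.
IKEV1_STATUS = """\
000 #3: "conn-b/0x1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 3000s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
"""

# One SA state line: '000 #<num>: "<conn>/<instance>":<port> <STATE> (<desc>); <flag>; <flag>; ...'
# Traffic lines ('000 #2: "conn" esp....') have no ':port' after the quote and are skipped.
STATE_LINE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>\S+) \((?P<desc>[^)]*)\);(?P<rest>.*)$'
)


def parse_sa_lines(status_output):
    """Yield one dict per SA state line in the whack --status output."""
    for line in status_output.splitlines():
        m = STATE_LINE.match(line)
        if not m:
            continue
        yield {
            "num": int(m.group("num")),
            # Strip the "/0x1" instance suffix so callers can match on the connection id.
            "conn": m.group("conn").split("/")[0],
            "state": m.group("state"),
            "desc": m.group("desc"),
            "flags": [f.strip() for f in m.group("rest").split(";") if f.strip()],
        }


def ipsec_sa_established(status_output, conn_id=None):
    """Post-fix check: an IPsec (child) SA exists when a state line says
    'established' and carries the 'newest IPSEC' flag. Works for both the
    IKEv1 wording and the IKEv2 'PARENT SA established' wording."""
    for sa in parse_sa_lines(status_output):
        if conn_id is not None and sa["conn"] != conn_id:
            continue
        if "established" in sa["desc"] and "newest IPSEC" in sa["flags"]:
            return True
    return False


def legacy_ipsec_sa_established(status_output):
    """Assumed pre-fix check (not taken from the project): look only for the
    literal 'IPsec SA established', which IKEv2 output never contains."""
    return any("IPsec SA established" in line for line in status_output.splitlines())


def connection_status(status_output, conn_id):
    """Map the parsed result onto the two states the bug report talks about."""
    return "ACTIVE" if ipsec_sa_established(status_output, conn_id) else "DOWN"


if __name__ == "__main__":
    conn = "b42f6ee6-acf3-4d2d-beb9-f115d68fef55"
    print("legacy check on IKEv2 output:", legacy_ipsec_sa_established(IKEV2_STATUS))
    print("fixed check on IKEv2 output: ", connection_status(IKEV2_STATUS, conn))
    print("fixed check, IKE SA only:    ", connection_status(IKE_ONLY_STATUS, "conn-a"))
```

The IKE-only sample is the case worth keeping in mind when loosening the match: "established" appears on the IKE SA line too, so requiring the "newest IPSEC" flag is what keeps a half-built tunnel (IKE SA up, no child SA, no traffic possible) from being reported as ACTIVE.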
