yahoo-eng-team team mailing list archive
Message #82469
[Bug 1876040] [NEW] vpnaas single router not support multiple different peers
Public bug reported:
I have three routers (r1, r2, r3). There are two VPN connections:
connection1 between r1 and r2, and connection2 between r1 and r3.
Router external IP addresses:
r1: 10.142.254.169
r2: 10.142.254.175
r3: 10.142.254.34
It seems that in the snat namespace of r1, the ipsec config template will
only be generated to support a single peer, so connections 1 & 2 will not
both be ACTIVE.
ipsec.conf in r1:
#########################################################################################
# Configuration for 40975e49-4102-4511-aba4-181ea40bf7c3
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.1.0/25,%v4:10.0.3.0/25
conn %default
    keylife=60m
    keyingtries=%forever
conn 5a56a354-7438-42ef-8fef-0c0bf743f38c
    # NOTE: a default route is required for %defaultroute to work...
    leftnexthop=%defaultroute
    rightnexthop=%defaultroute
    left=10.142.254.169
    leftid=10.142.254.169
    auto=start
    # NOTE:REQUIRED
    # [subnet]
    leftsubnet=10.0.1.0/25
    # [updown]
    # What "updown" script to run to adjust routing and/or firewalling when
    # the status of the connection changes (default "ipsec _updown").
    # "--route yes" allows to specify such routing options as mtu and metric.
    leftupdown="ipsec _updown --route yes"
    ######################
    # ipsec_site_connections
    ######################
    # [peer_address]
    right=10.142.254.34
    # [peer_id]
    rightid=10.142.254.34
    # [peer_cidrs]
    rightsubnets={ 10.0.3.0/25 }
    # rightsubnet=networkA/netmaskA, networkB/netmaskB (IKEv2 only)
    # [mtu]
    mtu=1500
    # [dpd_action]
    dpdaction=hold
    # [dpd_interval]
    dpddelay=30
    # [dpd_timeout]
    dpdtimeout=120
    # [auth_mode]
    authby=secret
    ######################
    # IKEPolicy params
    ######################
    #ike version
    ikev2=never
    # [encryption_algorithm]-[auth_algorithm]-[pfs]
    ike=aes128-sha1;modp1536
    # [lifetime_value]
    ikelifetime=3600s
    # NOTE: it looks lifetime_units=kilobytes can't be enforced (could be seconds, hours, days...)
    ##########################
    # IPsecPolicys params
    ##########################
    # [transform_protocol]
    phase2=esp
    # [encryption_algorithm]-[auth_algorithm]-[pfs]
    phase2alg=aes128-sha1;modp1536
    # [encapsulation_mode]
    type=tunnel
    # [lifetime_value]
    lifetime=3600s
    # lifebytes=100000 if lifetime_units=kilobytes (IKEv2 only)
#########################################################################################
Has anybody else experienced this problem?
** Affects: neutron
Importance: Undecided
Status: New
** Tags: vpnaas
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1876040
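Added example (not part of the bug report and not neutron-vpnaas code): a Python check that parses a generated ipsec.conf and reports which expected peer addresses have no conn section naming them as right=, which is the symptom described above. The function names are hypothetical and the sample config is condensed from the one posted in the report.

```python
import re

# Condensed from the ipsec.conf posted in the report (comments and policy
# parameters dropped); the addresses are the ones given for r1, r2 and r3.
SAMPLE_CONF = """\
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.1.0/25,%v4:10.0.3.0/25
conn %default
    keylife=60m
    keyingtries=%forever
conn 5a56a354-7438-42ef-8fef-0c0bf743f38c
    left=10.142.254.169
    leftsubnet=10.0.1.0/25
    right=10.142.254.34
    rightsubnets={ 10.0.3.0/25 }
    auto=start
"""

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")


def parse_conns(text):
    """Return {conn_name: {key: value}} for every conn except %default."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            kind, name = m.groups()
            # Only real connections are tracked; 'config setup' and
            # 'conn %default' carry no peer of their own.
            current = None
            if kind == "conn" and name != "%default":
                current = conns.setdefault(name, {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def missing_peers(text, expected_peers):
    """Expected peer addresses that no conn section names as right=."""
    configured = {c.get("right") for c in parse_conns(text).values()}
    return sorted(set(expected_peers) - configured)
```

Calling missing_peers(SAMPLE_CONF, ["10.142.254.175", "10.142.254.34"]) lists the peer of r1 that the rendered file does not cover.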