
yahoo-eng-team team mailing list archive

[Bug 1717266] Re: VPNaaS: VPN creation not working in case of distributed virtual routers (Pike)

 

[Expired for neutron because there has been no activity for 60 days.]

** Changed in: neutron
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1717266

Title:
  VPNaaS: VPN creation not working in case of distributed virtual
  routers (Pike)

Status in neutron:
  Expired

Bug description:
  I have manually set up a fresh OpenStack Pike HA environment based on
  Ubuntu 16.04.3 in conjunction with DVR. VPN creation works fine in
  case of centralized routers, but when a VPN gets created in the
  context of distributed routers, all VPN services and connections turn
  their state to ACTIVE, but a connection between different clients
  connected via VPN is not possible. The error log does not contain any
  errors.

  My environment comprises 2 controller nodes (also functioning as
  network nodes) and 3 compute nodes. Each controller node runs a
  neutron-vpn-agent, whereas each compute node runs a neutron-l3-agent
  which is unaware of any VPN settings.

  Controller/Network node:

  #############
  vpn_agent.ini
  #############

  [ipsec]
  enable_detailed_logging = true
  ipsec_status_check_interval = 60

  [vpnagent]
  vpn_device_driver = neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver

  ############
  neutron.conf
  ############

  [DEFAULT]
  allow_overlapping_ips = true
  auth_strategy = keystone
  base_mac = 02:05:69:00:00:00
  bind_host = 10.30.200.101
  bind_port = 9696
  core_plugin = ml2
  debug = true
  dhcp_agents_per_network = 2
  dns_domain = openstack.mycompany.com.
  dvr_base_mac = 0A:05:69:00:00:00
  endpoint_type = internalURL
  host = os-network01
  interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
  l3_ha = true
  l3_ha_net_cidr = 169.254.192.0/18
  log_dir = /var/log/neutron
  max_l3_agents_per_router = 2
  min_l3_agents_per_router = 2
  notify_nova_on_port_data_changes = true
  notify_nova_on_port_status_changes = true
  router_distributed = true
  service_plugins = router,firewall,qos,lbaasv2,vpnaas
  state_path = /var/lib/neutron
  transport_url = rabbit://neutron:neutronpass@os-rabbit01:5672,neutron:neutronpass@os-rabbit02:5672/openstack

  [agent]
  root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf

  [database]
  connection = mysql+pymysql://neutron:neutronDBpass@os-controller/neutron
  max_retries = -1

  [keystone_authtoken]
  auth_type = password
  auth_uri = https://os-cloud.mycompany.com:5000
  auth_url = http://os-identity:35357
  memcached_servers = os-memcache:11211
  password = neutronpass
  project_domain_name = default
  project_name = service
  user_domain_name = default
  username = neutron

  [nova]
  auth_type = password
  auth_url = http://os-identity:35357
  endpoint_type = internal
  password = novapass
  project_domain_name = default
  project_name = service
  region_name = RegionOne
  user_domain_name = default
  username = nova

  [oslo_concurrency]
  lock_path = /var/lock/neutron

  [oslo_messaging_notifications]
  driver = messagingv2

  [oslo_messaging_rabbit]
  amqp_durable_queues = true
  rabbit_ha_queues = true
  rabbit_retry_backoff = 2
  rabbit_retry_interval = 1

  [oslo_middleware]
  enable_proxy_headers_parsing = true

  [service_providers]
  service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
  service_provider = LOADBALANCERV2:Haproxy:neutron_lbaas.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
  service_provider = VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default

  $ ext-list | grep vpn
  neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
  | vpnaas                    | VPN service                                                                                  |
  | vpn-endpoint-groups       | VPN Endpoint Groups                                                                          |
  | vpn-flavors               | VPN Service Flavor Extension                                                                 |

  "usr.lib.ipsec.charon" and "usr.lib.ipsec.stroke" have been disabled:
  ln -sf /etc/apparmor.d/usr.lib.ipsec.charon /etc/apparmor.d/disable/
  ln -sf /etc/apparmor.d/usr.lib.ipsec.stroke /etc/apparmor.d/disable/

  Any ideas?

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1717266/+subscriptions

