yahoo-eng-team team mailing list archive
Message #95329
[Bug 2097610] [NEW] No connection from outside host to VPNaaS host after upgrading from Ussuri to Victoria/Wallaby
Public bug reported:
Here's what I have (the update process to Wallaby is currently underway):
- Neutron controller v.Wallaby
- Neutron net-node1 v.Wallaby
- Neutron net-node2 v.Victoria
- Neutron net-node3 v.Ussuri
There is the following topology (10.5.4.0/24 - IPSec - 192.168.255.0/24):
"""
10.5.4.4 (VPNaaS host) -> 10.5.4.1 (VPNaaS) -> 192.168.255.21 (outside OPNsense/Mikrotik) -> 192.168.255.30 (outside host)
"""
When I move the project router to net-node v.Ussuri, I see the following rules in the router namespace, FORWARD chain:
"""
iptables -L FORWARD -n
Chain FORWARD (policy ACCEPT)
target                    prot opt source              destination
ACCEPT                    all  --  192.168.255.0/24    10.5.4.0/24          policy match dir in pol ipsec reqid 1 proto 50
ACCEPT                    all  --  10.5.4.0/24         192.168.255.0/24     policy match dir out pol ipsec reqid 1 proto 50
neutron-filter-top        all  --  0.0.0.0/0           0.0.0.0/0
neutron-l3-agent-FORWARD  all  --  0.0.0.0/0           0.0.0.0/0
"""
and
- ping from 10.5.4.4 to 192.168.255.30 - OK (0% loss)
- ping from 192.168.255.30 to 10.5.4.1 - OK (0% loss)
- ping from 192.168.255.30 to 10.5.4.4 - OK (0% loss)
When I move the project router to net-node v.Victoria or v.Wallaby, I see the following rules in the router namespace, FORWARD chain:
"""
iptables -L FORWARD -n
Chain FORWARD (policy ACCEPT)
target                    prot opt source              destination
neutron-filter-top        all  --  0.0.0.0/0           0.0.0.0/0
neutron-l3-agent-FORWARD  all  --  0.0.0.0/0           0.0.0.0/0
"""
and
- ping from 10.5.4.4 to 192.168.255.30 - OK (0% loss)
- ping from 192.168.255.30 to 10.5.4.1 - OK (0% loss)
- ping from 192.168.255.30 to 10.5.4.4 - not OK (100% loss)
To fix the situation, I need to add the following rule in the project namespace:
"""
iptables -I FORWARD 1 -s 192.168.255.0/24 -d 10.5.4.0/24 -m policy --dir in --pol ipsec -j ACCEPT
iptables -L FORWARD -n --line-numbers
Chain FORWARD (policy ACCEPT)
num  target                    prot opt source              destination
1    ACCEPT                    all  --  192.168.255.0/24    10.5.4.0/24          policy match dir in pol ipsec
2    neutron-filter-top        all  --  0.0.0.0/0           0.0.0.0/0
3    neutron-l3-agent-FORWARD  all  --  0.0.0.0/0           0.0.0.0/0
"""
Then I see that:
- ping from 192.168.255.30 to 10.5.4.4 - OK (0% loss)
What could be the problem and how to fix it?
** Affects: neutron
Importance: Undecided
Status: New
** Tags: ipsec iptables neutron ussuri victoria vpnaas wallaby
** Tags added: vpnaas
** Tags added: neutron
** Tags added: ipsec
** Tags added: ussuri victoria wallaby
** Tags added: iptables
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2097610
Title:
No connection from outside host to VPNaaS host after upgrading from
Ussuri to Victoria/Wallaby
Status in neutron:
New
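The report shows the two policy-match ACCEPT rules that Ussuri installed at the top of FORWARD (one per direction, each scoped to reqid 1 and protocol 50/ESP) disappearing after the move to Victoria/Wallaby, and return traffic from the peer subnet being dropped further down the chain as a result. The script below is an added example, not code from the bug report or from neutron-vpnaas: it reads `iptables -S FORWARD` from a qrouter namespace, reports which of the two rules is missing, and prints (or, with `--apply`, runs) the `iptables -I FORWARD 1` commands that restore them. Two points a practitioner should check before applying it. First, the reporter's manual one-liner omits `--reqid` and `--proto esp`, so it accepts any IPsec-decapsulated traffic between the two subnets regardless of which SA carried it; the generated rules keep the `--reqid 1 --proto esp` scope that the Ussuri rules had, and the reqid for your tunnel should be confirmed with `ip netns exec qrouter-<router-id> ip xfrm policy` (the default of 1 here is taken from the report and is an assumption for any other deployment). Second, these rules sit ahead of neutron-filter-top and neutron-l3-agent-FORWARD, so whatever they match bypasses the router's remaining FORWARD filtering, exactly as the Ussuri rules did; re-run the check after the L3/VPN agent restarts to confirm the rules survived. The subnets, the `qrouter-<router-id>` namespace name and the sample chain dumps (modelled on the `-L` output in the report) are constructed for the example.

```shell
#!/bin/sh
# ipsec_fwd_check.sh -- added example, not from the bug report or neutron.
# Reads `iptables -S FORWARD` (from a qrouter namespace) on stdin, detects the
# missing IPsec policy-match ACCEPT rules and prints the commands to restore them.

LOCAL_NET="${LOCAL_NET:-10.5.4.0/24}"        # VPNaaS-side subnet (from the report)
REMOTE_NET="${REMOTE_NET:-192.168.255.0/24}" # peer-side subnet (from the report)
REQID="${REQID:-1}"                          # assumption: reqid seen in the Ussuri rules; verify with `ip xfrm policy`

# wanted_rule DIR -> rule spec for one direction, scoped to the SA like the Ussuri rules were.
wanted_rule() {
  case "$1" in
    in)  printf '%s\n' "-s $REMOTE_NET -d $LOCAL_NET -m policy --dir in --pol ipsec --reqid $REQID --proto esp -j ACCEPT" ;;
    out) printf '%s\n' "-s $LOCAL_NET -d $REMOTE_NET -m policy --dir out --pol ipsec --reqid $REQID --proto esp -j ACCEPT" ;;
  esac
}

# has_ipsec_rule DIR SRC DST: succeed if stdin (iptables -S FORWARD) already has a
# FORWARD ACCEPT rule matching IPsec policy for that direction and subnet pair.
# Token matching is used because `-S` prints the protocol as "esp" or "50" depending on the host.
has_ipsec_rule() {
  grep -F -- '-A FORWARD ' | grep -F -- "-s $2 " | grep -F -- "-d $3 " \
    | grep -F -- "--dir $1 " | grep -F -- '--pol ipsec' | grep -Fq -- '-j ACCEPT'
}

# plan_fixes: print one `iptables -I FORWARD 1 ...` command per missing rule.
# The "out" rule is emitted first so that, after both inserts, "in" ends up at
# position 1 and "out" at position 2, the order the Ussuri node showed.
plan_fixes() {
  rules=$(cat)
  if ! printf '%s\n' "$rules" | has_ipsec_rule out "$LOCAL_NET" "$REMOTE_NET"; then
    printf 'iptables -I FORWARD 1 %s\n' "$(wanted_rule out)"
  fi
  if ! printf '%s\n' "$rules" | has_ipsec_rule in "$REMOTE_NET" "$LOCAL_NET"; then
    printf 'iptables -I FORWARD 1 %s\n' "$(wanted_rule in)"
  fi
}

# apply_in_namespace NETNS: run the plan inside a live router namespace (needs root).
# NETNS is qrouter-<router-id>; list them with `ip netns list`.
apply_in_namespace() {
  ip netns exec "$1" iptables -S FORWARD | plan_fixes | while IFS= read -r cmd; do
    echo "+ $cmd"
    ip netns exec "$1" sh -c "$cmd"
  done
}

# Constructed sample dumps, modelled on the `iptables -L FORWARD -n` output in the report.
sample_ussuri_forward() {
  cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -s 192.168.255.0/24 -d 10.5.4.0/24 -m policy --dir in --pol ipsec --reqid 1 --proto 50 -j ACCEPT
-A FORWARD -s 10.5.4.0/24 -d 192.168.255.0/24 -m policy --dir out --pol ipsec --reqid 1 --proto 50 -j ACCEPT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-l3-agent-FORWARD
EOF
}

sample_victoria_forward() {
  cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-l3-agent-FORWARD
EOF
}

case "${1:-}" in
  --apply) apply_in_namespace "$2" ;;
  *) echo "# plan for the constructed Victoria/Wallaby FORWARD chain:"
     sample_victoria_forward | plan_fixes ;;
esac
```

Run it without arguments to see the two commands it would issue for the Victoria/Wallaby-style chain; pipe a real dump through it with `ip netns exec qrouter-<router-id> iptables -S FORWARD | sh ipsec_fwd_check.sh` is not needed, since `--apply qrouter-<router-id>` does the dump and the inserts in one step. A chain that already has the reporter's unscoped `--dir in` rule yields only the missing `--dir out` command.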