Pearl1594 commented on pull request #4953:
URL: https://github.com/apache/cloudstack/pull/4953#issuecomment-826828102
Setup:
2 VPCs with 2 n/w tiers each and a VM on each of the n/w tiers
Cases tested:
Case1:
VPN customer gateway 1 - ike(ikev2) + split connection = false
VPN customer gateway 2 - ike(ikev2) + split connection = false
IPsec tunnel status:
```
ipsec status vpn-10.0.52.84
Routed Connections:
vpn-10.0.52.84{55}: ROUTED, TUNNEL, reqid 49
vpn-10.0.52.84{55}: 10.1.0.0/16 === 10.2.1.0/24 10.2.2.0/24
Security Associations (1 up, 0 connecting):
vpn-10.0.52.84[28]: ESTABLISHED 13 seconds ago, 10.0.52.83[10.0.52.83]...10.0.52.84[10.0.52.84]
vpn-10.0.52.84{57}: INSTALLED, TUNNEL, reqid 49, ESP SPIs: c3ffeeb5_i cb883f28_o
vpn-10.0.52.84{57}: 10.1.1.0/24 10.1.2.0/24 === 10.2.1.0/24 10.2.2.0/24
ipsec status vpn-10.0.52.83
Routed Connections:
vpn-10.0.52.83{37}: ROUTED, TUNNEL, reqid 34
vpn-10.0.52.83{37}: 10.2.0.0/16 === 10.1.1.0/24 10.1.2.0/24
Security Associations (1 up, 0 connecting):
vpn-10.0.52.83[29]: ESTABLISHED 10 seconds ago, 10.0.52.84[10.0.52.84]...10.0.52.83[10.0.52.83]
vpn-10.0.52.83{39}: INSTALLED, TUNNEL, reqid 36, ESP SPIs: cb883f28_i c3ffeeb5_o
vpn-10.0.52.83{39}: 10.2.1.0/24 10.2.2.0/24 === 10.1.1.0/24 10.1.2.0/24
root@r-24-VM:~#
```
VPN connection established and all VMs can ping VMs in the other VPC's subnets
Case2:
VPN customer gateway 1 - ike(ikev2) + split connection = true
VPN customer gateway 2 - ike(ikev2) + split connection = true
IPsec tunnel status
```
root@r-23-VM:~# ipsec status vpn-10.0.52.84
Routed Connections:
vpn-10.0.52.84{21}: ROUTED, TUNNEL, reqid 20
vpn-10.0.52.84{21}: 10.1.0.0/16 === 10.2.1.0/24
Security Associations (1 up, 0 connecting):
vpn-10.0.52.84[20]: ESTABLISHED 23 seconds ago, 10.0.52.83[10.0.52.83]...10.0.52.84[10.0.52.84]
vpn-10.0.52.84{24}: INSTALLED, TUNNEL, reqid 20, ESP SPIs: cbf2b114_i c93db1a6_o
vpn-10.0.52.84{24}: 10.1.1.0/24 === 10.2.1.0/24
root@r-24-VM:~# ipsec status vpn-10.0.52.83
Routed Connections:
vpn-10.0.52.83{20}: ROUTED, TUNNEL, reqid 18
vpn-10.0.52.83{20}: 10.2.0.0/16 === 10.1.1.0/24
Security Associations (1 up, 0 connecting):
vpn-10.0.52.83[20]: ESTABLISHED 17 seconds ago, 10.0.52.84[10.0.52.84]...10.0.52.83[10.0.52.83]
vpn-10.0.52.83{24}: INSTALLED, TUNNEL, reqid 22, ESP SPIs: c468fcc6_i c5e974ba_o
vpn-10.0.52.83{24}: 10.2.2.0/24 === 10.1.1.0/24
vpn-10.0.52.83{25}: INSTALLED, TUNNEL, reqid 23, ESP SPIs: c93db1a6_i cbf2b114_o
vpn-10.0.52.83{25}: 10.2.1.0/24 === 10.1.1.0/24
```
VPN connection established between:
vpc2-n1(10.2.1.0/24) and vpc1-n1 (10.1.1.0/24)
vpc2-n2(10.2.2.0/24) and vpc1-n1 (10.1.1.0/24)
No connection to subnet - 10.1.2.0/24
Case3:
VPN customer gateway 1 - ikev2 + split connection = true ;
VPN customer gateway 2: ikev2 w/o split connections
IPsec tunnel status:
```
ipsec status vpn-10.0.52.83
Routed Connections:
vpn-10.0.52.83{15}: ROUTED, TUNNEL, reqid 14
vpn-10.0.52.83{15}: 10.2.0.0/16 === 10.1.1.0/24
Security Associations (1 up, 0 connecting):
vpn-10.0.52.83[15]: ESTABLISHED 4 minutes ago, 10.0.52.84[10.0.52.84]...10.0.52.83[10.0.52.83]
vpn-10.0.52.83{19}: INSTALLED, TUNNEL, reqid 17, ESP SPIs: c414f83b_i c585fa93_o
vpn-10.0.52.83{19}: 10.2.1.0/24 10.2.2.0/24 === 10.1.1.0/24
root@r-24-VM:~# ipsec status vpn-10.0.52.84
Security Associations (1 up, 0 connecting):
ipsec status vpn-10.0.52.84
Routed Connections:
vpn-10.0.52.84{26}: ROUTED, TUNNEL, reqid 24
vpn-10.0.52.84{26}: 10.1.0.0/16 === 10.2.1.0/24 10.2.2.0/24
Security Associations (1 up, 0 connecting):
vpn-10.0.52.84[14]: ESTABLISHED 4 minutes ago, 10.0.52.83[10.0.52.83]...10.0.52.84[10.0.52.84]
vpn-10.0.52.84{28}: INSTALLED, TUNNEL, reqid 24, ESP SPIs: c585fa93_i c414f83b_o
vpn-10.0.52.84{28}: 10.1.1.0/24 === 10.2.1.0/24 10.2.2.0/24
```
Cannot ping to VMs on subnet 10.1.2.0/24
Test4:
VPN customer gateway 1 : ikev2 + split connection = true
VPN customer gateway 2 = ikev1
site to site VPN connection gets disconnected
```
2021-04-26 12:49:34,429 DEBUG [c.c.a.t.Request]
(RouterStatusMonitor-1:ctx-06786015) (logid:61c6a7aa) Seq
1-7511441228500566349: Sending { Cmd , MgmtId: 32986808451658, via:
1(trl-176-k-M7-pearl-dsilva-kvm1), Ver: v1, Flags: 100111,
[{"com.cloud.agent.api.CheckS2SVpnConnectionsCommand":{"vpnIps":["10.0.52.83"],"accessDetails":{"router.name":"r-24-VM","router.ip":"169.254.189.8"},"wait":"30"}}]
}
2021-04-26 12:49:34,653 DEBUG [c.c.a.t.Request]
(AgentManager-Handler-16:null) (logid:) Seq 1-7511441228500566349: Processing:
{ Ans: , MgmtId: 32986808451658, via: 1, Ver: v1, Flags: 110,
[{"com.cloud.agent.api.CheckS2SVpnConnectionsAnswer":{"ipToConnected":{"10.0.52.83":"false"},"ipToDetail":{"10.0.52.83":"IPsec
SA not found;Site-to-site VPN have not
connected"},"details":"10.0.52.83:11:IPsec SA not found;Site-to-site VPN have
not connected&
","result":"true","wait":"0"}}] }
```

IPsec tunnel status:
```
ipsec status vpn-10.0.52.83
Routed Connections:
vpn-10.0.52.83{32}: ROUTED, TUNNEL, reqid 29
vpn-10.0.52.83{32}: 10.2.0.0/16 === 10.1.1.0/24 10.1.2.0/24
Security Associations (0 up, 0 connecting):
no match
root@r-24-VM:~#
ipsec status vpn-10.0.52.84
Routed Connections:
vpn-10.0.52.84{50}: ROUTED, TUNNEL, reqid 44
vpn-10.0.52.84{50}: 10.1.0.0/16 === 10.2.1.0/24
Security Associations (0 up, 0 connecting):
no match
root@r-23-VM:~#
```
Get the following in the log file - /var/log/daemon.log:
```
received NO_PROPOSAL_CHOSEN error notify
```
There seems to be an issue while testing scenarios 3 and 4 - could you
please advise @DaanHoogland @rhtyd
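As an added diagnostic example (not part of the PR or of CloudStack's own code), a small Python parser for the `ipsec status <conn>` captures above that reports which tier pairs have no INSTALLED child SA covering them, which is the condition behind the unreachable 10.1.2.0/24 in cases 2 and 3 and the "IPsec SA not found" answer in case 4; the two sample captures are constructed after cases 2 and 4, and the tier subnet lists are assumed.

```python
import ipaddress
import re
# Constructed samples shaped like the Case 2 (r-23-VM) and Case 4 captures; SPIs/reqids made up.
SAMPLE_UP = """\
Routed Connections:
  vpn-10.0.52.84{21}:  ROUTED, TUNNEL, reqid 20
  vpn-10.0.52.84{21}:   10.1.0.0/16 === 10.2.1.0/24
Security Associations (1 up, 0 connecting):
  vpn-10.0.52.84[20]: ESTABLISHED 23 seconds ago, 10.0.52.83[10.0.52.83]...10.0.52.84[10.0.52.84]
  vpn-10.0.52.84{24}:  INSTALLED, TUNNEL, reqid 20, ESP SPIs: cbf2b114_i c93db1a6_o
  vpn-10.0.52.84{24}:   10.1.1.0/24 === 10.2.1.0/24
"""
SAMPLE_DOWN = """\
Routed Connections:
  vpn-10.0.52.84{50}:  ROUTED, TUNNEL, reqid 44
  vpn-10.0.52.84{50}:   10.1.0.0/16 === 10.2.1.0/24
Security Associations (0 up, 0 connecting):
  no match
"""
IKE_RE = re.compile(r"^\s*\S+\[\d+\]:\s+ESTABLISHED\b")          # IKE SA line
SA_RE = re.compile(r"^\s*\S+\{(\d+)\}:\s+(ROUTED|INSTALLED)\b")   # child SA state line
TS_RE = re.compile(r"^\s*\S+\{(\d+)\}:\s+(\S.*?)\s+===\s+(.*?)\s*$")  # traffic selectors

def parse_status(text):
    """Return (ike_up, routed, installed); the lists hold (local_nets, remote_nets) pairs."""
    ike_up, state, routed, installed = False, {}, [], []
    for line in text.splitlines():
        if IKE_RE.match(line):
            ike_up = True
            continue
        m = SA_RE.match(line)
        if m:
            state[m.group(1)] = m.group(2)   # child id -> ROUTED / INSTALLED
            continue
        m = TS_RE.match(line)
        if m:
            pair = ([ipaddress.ip_network(s) for s in m.group(2).split()],
                    [ipaddress.ip_network(s) for s in m.group(3).split()])
            (installed if state.get(m.group(1)) == "INSTALLED" else routed).append(pair)
    return ike_up, routed, installed

def missing_pairs(text, local_tiers, remote_tiers):
    """Tier pairs (as given) that no INSTALLED child SA's selectors cover; all pairs if IKE is down."""
    ike_up, _, installed = parse_status(text)
    def covered(l, r):
        return ike_up and any(any(l.subnet_of(a) for a in ls) and any(r.subnet_of(b) for b in rs)
                              for ls, rs in installed)
    return [(l, r) for l in local_tiers for r in remote_tiers
            if not covered(ipaddress.ip_network(l), ipaddress.ip_network(r))]
```

Run it against the live output of `ipsec status vpn-<peer>` on the VR with the two VPCs' tier CIDRs to see which tier pairs are routed but have no SA before the VMs are pinged.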