rhtyd commented on a change in pull request #2190: CLOUDSTACK-10010: Fixed the 
negotiation of S2S VPN connections
URL: https://github.com/apache/cloudstack/pull/2190#discussion_r154496797
 
 

 ##########
 File path: systemvm/patches/debian/config/opt/cloud/bin/configure.py
 ##########
 @@ -582,10 +582,21 @@ def configure_ipsec(self, obj):
             logging.info("Configured vpn %s %s", leftpeer, rightpeer)
             CsHelper.execute("ipsec rereadsecrets")
 
-        # This will load the new config and start the connection when needed 
since auto=start in the config
+        # This will load the new config
         CsHelper.execute("ipsec reload")
         os.chmod(vpnsecretsfile, 0400)
 
+        # Check that the ipsec config is ready
+        for i in range(2):
+            result = CsHelper.execute('ipsec status vpn-%s | grep "%s"' % 
(rightpeer, peerlist.split(",", 1)[0]))
+            if len(result) > 0:
+                break
+            time.sleep(1)
+
+        # With 'auto=route', connections are established with an attempt to 
communicate over the S2S VPN
+        # Attempt to ping the other side to initialize the connection of the 
S2S VPN configuration
+        CsHelper.execute("timeout 0.5 ping -c 1 %s" % (peerlist.split("/", 
1)[0]))
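
Review bot: In the readiness check and the ping call, `rightpeer` and `peerlist` are interpolated with `%` directly into command strings that a shell interprets (the first one depends on a pipe to `grep`), so a value containing shell metacharacters would alter the command. Parse both as an IP address or CIDR before use and reject anything else, or run `ipsec status` without the pipe and match the output in Python. Separately, the `for i in range(2)` loop falls through silently when the connection never shows up in the status output; log a warning in that case before the ping is attempted.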
 
 Review comment:
   Here the timeout may be too small and the ping `IP` may be something like 
10.0.0.0 (for a peer cidr of 10.0.0.0/16) instead of say 10.1.1.1. It's better 
to ping the right peer or ping the peerlist cidr replacing `.0` with `.1`?
