Github user swill commented on the issue:
Hey @jayapalu, thanks for the follow up. Here are a couple things to note.
- In order to get Remote Access VPN to work you need to update the L2TP
conf file to include `type=transport`.
- In order to get 3des working for S2S VPN, you will need to install the
`libstrongswan-extra-plugins` package as well.
- Running `ipsec restart` seems to get rid of the discrepancy between the
running config and the config files, but I think one of the main issues is a
missing `ipsec rereadsecrets` when the S2S config changes.
Here is some basic stuff you can do to reproduce the problems. You can use
two VPCs as a test environment and create a S2S VPN connection between them to
- Remove all the S2S VPN connections and gateways.
- Manually remove the `/etc/ipsec.d/ipsec.vpn-vv.xx.yy.zz.conf` and
`/etc/ipsec.d/ipsec.vpn-vv.xx.yy.zz.secrets` files from the VRs.
- Create a S2S VPN configuration with `dpd=true` and `pfs=modp1024` and set
a PSK of something like `1234567890`. This configuration should work. If it
doesn't, do an `ipsec restart` and it will probably start working. Even if it
does not work, we can continue the tests sequence.
- Remove the entire configuration through ACS (connections and gateways).
-- Note the files `/etc/ipsec.d/ipsec.vpn-vv.xx.yy.zz.conf` and
`/etc/ipsec.d/ipsec.vpn-vv.xx.yy.zz.secrets` are not removed from the VRs.
-- Note the `conf` file includes dpd and psk details previously configured.
- Create a new S2S VPN configuration with `dpd=false` and without PFS. For
now, don't change the PSK from what it was before.
-- Note that the `conf` file on the VRs still includes the `dpd`
configuration. Also note that `pfs=no` now, but the `esp` config still
includes the `modp1024` to specify `pfs=yes`.
-- If the connection was working before, this configuration, which is very
much broken, will still work because what ipsec has in memory does not reflect
what is in the config files.
- Remove the entire configuration through ACS again.
- Recreate it again, but this time change the PSK to something different
-- Note that now the connection breaks and you get an authentication error.
-- At this point to get it working again you will have to run `ipsec
restart` because the old PSK is still in the ipsec memory.
-- You may have to manually clean up your config files at this point
because they may be polluted by bad configuration since they are never deleted
and configuration options are never deleted in a config, only added or edited.
That should get you going. If you have questions, let me know. I will
isolate the problem more on monday.
I think the majority of these problems will go away if the config files get
deleted when the configuration is deleted through ACS. I think the logic will
then flow the way it is expected. Right now, things like `ipsec reload` are
never called because they are showing as not changed, even though the config
has actually changed. I think that is the first step and then we go from
there. I also think we will need to run `ipsec rereadsecrets` after updating
the s2s config in order to check if the PSK has changed and load it into the
running config if it did change.
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket