Github user swill commented on the issue:
    Hey @jayapalu, thanks for the follow up.  Here are a couple things to note.
    - In order to get Remote Access VPN to work you need to update the L2TP 
conf file to include `type=transport`.
    - In order to get 3des working for S2S VPN, you will need to install the 
`libstrongswan-extra-plugins` package as well.
    - Running `ipsec restart` seems to get rid of the discrepancy between the 
running config and the config files, but I think one of the main issues is a 
missing `ipsec rereadsecrets` when the S2S config changes.
    Here is some basic stuff you can do to reproduce the problems.  You can use 
two VPCs as a test environment and create a S2S VPN connection between them to 
do tests.
    - Remove all the S2S VPN connections and gateways.
    - Manually remove the `/etc/ipsec.d/ipsec.vpn-vv.xx.yy.zz.conf` and 
`/etc/ipsec.d/ipsec.vpn-vv.xx.yy.zz.secrets` files from the VRs.
    - Create a S2S VPN configuration with `dpd=true` and `pfs=modp1024` and set 
a PSK of something like `1234567890`.  This configuration should work.  If it 
doesn't, do an `ipsec restart` and it will probably start working.  Even if it 
does not work, we can continue the tests sequence.
    - Remove the entire configuration through ACS (connections and gateways).
    -- Note the files `/etc/ipsec.d/ipsec.vpn-vv.xx.yy.zz.conf` and 
`/etc/ipsec.d/ipsec.vpn-vv.xx.yy.zz.secrets` are not removed from the VRs.
    -- Note the `conf` file includes dpd and psk details previously configured.
    - Create a new S2S VPN configuration with `dpd=false` and without PFS.  For 
now, don't change the PSK from what it was before.
    -- Note that the `conf` file on the VRs still includes the `dpd` 
configuration.  Also note that `pfs=no` now, but the `esp` config still 
includes the `modp1024` to specify `pfs=yes`.
    -- If the connection was working before, this configuration, which is very 
much broken, will still work because what ipsec has in memory does not reflect 
what is in the config files.
    - Remove the entire configuration through ACS again.
    - Recreate it again, but this time change the PSK to something different 
like `0987654321`.
    -- Note that now the connection breaks and you get an authentication error.
    -- At this point to get it working again you will have to run `ipsec 
restart` because the old PSK is still in the ipsec memory.
    -- You may have to manually clean up your config files at this point 
because they may be polluted by bad configuration since they are never deleted 
and configuration options are never deleted in a config, only added or edited.
    That should get you going.  If you have questions, let me know.  I will 
isolate the problem more on monday.
    I think the majority of these problems will go away if the config files get 
deleted when the configuration is deleted through ACS.  I think the logic will 
then flow the way it is expected.  Right now, things like `ipsec reload` are 
never called because they are showing as not changed, even though the config 
has actually changed.  I think that is the first step and then we go from 
there.  I also think we will need to run `ipsec rereadsecrets` after updating 
the s2s config in order to check if the PSK has changed and load it into the 
running config if it did change.

If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at or file a JIRA ticket
with INFRA.

Reply via email to