@remi, judging from your configure.py, I am assuming that any network change, like adding a PF rule, will drop the Remote Access VPN connection as well. Is that the case? Or am I missing something?
On Mon, Apr 24, 2017 at 1:49 PM, Will Stevens <williamstev...@gmail.com> wrote: > I am trying to find a way to remove this explicit down and still be able > to keep the VPN connection up. > > https://github.com/apache/cloudstack/blob/master/systemvm/patches/debian/ > config/opt/cloud/bin/configure.py#L638 > > On Mon, Apr 24, 2017 at 1:41 PM, Will Stevens <williamstev...@gmail.com> > wrote: > >> @remi yes, I think you are right that we should change that for the >> site2site config. I will check that after. >> >> The issue referred to in this thread is in reference to the remote access >> VPN dropping when other networking is configured. >> >> In this case it is not a mystery why it is going down since we actually >> call a down on it when it gets reconfigured. I have been trying to get it >> to handle network config changes without taking down the VPN. >> >> I have obviously removed the explicit down and am trying to find a >> working configuration, but when xl2tpd is stopped, it goes down hard and >> when it comes back up it can't find the same tunnel, so the tunnel is >> dropped. >> >> I will review your config to see how you are handling this. >> >> Thanks for the support. >> >> On Apr 24, 2017 1:02 PM, "Remi Bergsma" <rberg...@schubergphilis.com> >> wrote: >> >>> Hi all, >>> >>> While I haven’t investigated this issue, it does sound similar to what I >>> fixed in Cosmic (our fork) last month. >>> >>> This code does a down/up of the VPN connection: >>> https://github.com/apache/cloudstack/blob/master/systemvm/pa >>> tches/debian/config/opt/cloud/bin/configure.py#L547-L548 >>> >>> We found that to be impacting. Since we have auto=start in the config >>> file already, we only have to reload the config and ipsec will take care of >>> the rest on its own. Fast & easy! Most of all, no more unneeded restarts. >>> >>> Simply put: just remove the stop/start lines as it is not needed. >>> The code is also hit when non-VPN changes are made, so that’s probably >>> why people report that another change causes it to disconnect. >>> >>> This is how we fixed it: >>> https://github.com/MissionCriticalCloud/cosmic/pull/339/comm >>> its/5ee5e70894a321f4d633c836e0bacef481b2b9af >>> >>> Hope this gives some inspiration and a possible solution. >>> >>> Regards, Remi >>> >>> >>> >>> On 24/04/2017, 17:50, "williamstev...@gmail.com on behalf of Will >>> Stevens" <williamstev...@gmail.com on behalf of wstev...@cloudops.com> >>> wrote: >>> >>> Working on it now, I will let you know when I have a fix. >>> >>> *Will STEVENS* >>> Lead Developer >>> >>> <https://goo.gl/NYZ8KK> >>> >>> On Mon, Apr 24, 2017 at 11:34 AM, Haijiao <18602198...@163.com> >>> wrote: >>> >>> > Hi Will >>> > >>> > Any progress about this issue ? >>> > >>> > tks >>> > >>> > >>> > Sent from my mobile >>> > >>> > --------- 转发的邮件 --------- >>> > 发件人: Haijiao <18602198...@163.com> >>> > 发送日期: 2017年04月14日 23:21 >>> > 收件人: dev <dev@cloudstack.apache.org> >>> > 抄送人: >>> > 主题: Re:Re: [4.10] VPN disconnected while network changes taken >>> > Sure, Karuturi >>> > >>> > Logged a bug in Jira, thanks! >>> > >>> > CLOUDSTACK-9878 Remote Access VPN that losing connection when new >>> network >>> > configs are introduced >>> > https://issues.apache.org/jira/browse/CLOUDSTACK-9878 >>> > >>> > >>> > >>> > 在2017年04月14 13时14分, "Rajani Karuturi"<raj...@apache.org>写道: >>> > >>> > >>> > Hi Haijiao, >>> > >>> > Thanks for testing. Can you log a bug for this please? It can be >>> > a blocker for 4.10. >>> > >>> > @Will, >>> > >>> > Did you get a chance to take a look at this issue? >>> > >>> > Thanks, >>> > >>> > ~ Rajani >>> > >>> > http://cloudplatform.accelerite.com/ >>> > >>> > On April 12, 2017 at 7:12 AM, Will Stevens >>> > (wstev...@cloudops.com) wrote: >>> > >>> > Thanks, I will have a look. >>> > >>> > *Will STEVENS* >>> > Lead Developer >>> > >>> > <https://goo.gl/NYZ8KK> >>> > >>> > On Tue, Apr 11, 2017 at 8:58 PM, Haijiao <18602198...@163.com> >>> > wrote: >>> > >>> > HI, Will >>> > It's a Remote Access VPN that losing connection while new >>> > network configs >>> > introduced. >>> > Thanks ! >>> > >>> > 在2017年04月12 02时26分, "Will Stevens"<wstev...@cloudops.com>写道: >>> > >>> > Is this a Site-to-Site VPN connection or the Remote Access VPN >>> > that is >>> > losing connection when new network configs are introduced? >>> > >>> > Thanks, >>> > >>> > *Will STEVENS* >>> > Lead Developer >>> > >>> > <https://goo.gl/NYZ8KK> >>> > >>> > On Sat, Apr 8, 2017 at 12:49 AM, Haijiao <18602198...@163.com> >>> > wrote: >>> > >>> > Hi, >>> > >>> > We built and tested the ACS 4.10 from the latest master (Apr.7, >>> > 2017) >>> > >>> > Our environment is, >>> > - ACS: 4.10.0.0-SNAPSHOT >>> > - Management Server: Centos7.2 1151 >>> > - Host: Centos7.2 1151 >>> > - System VM: systemvm64template-master-4.10.0-kvm.qcow2.bz2 >>> > - Network: Isolated Network >>> > - Network Offering: Offering for Isolated networks with Source >>> > Nat >>> > >>> > service >>> > >>> > enabled >>> > >>> > We can successfully setup VPN and it works as expected. However, >>> > once >>> > >>> > we >>> > >>> > take any network changes below, the VPN connnection will be >>> > immediately >>> > disconnected. >>> > >>> > - Update firewall rules (add/change) >>> > - Update port fowarding >>> > - Update LB >>> > - Add one more VPN account >>> > >>> > Is there some configuration we missed ? Or it's due to the new >>> > VPN >>> > component (StrongSWAN) introcuced in 4.10 ? >>> > >>> > >>> > >>> > >>> > >>> > >>> > >>> >>> >>> >>> >>> >
