[ https://issues.apache.org/jira/browse/CLOUDSTACK-8685?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14696875#comment-14696875 ]

ASF subversion and git services commented on CLOUDSTACK-8685:
-------------------------------------------------------------

Commit 05a29f01b4de0e88e2f0fb99886573a25c87fea6 in cloudstack's branch 
refs/heads/master from [~remibergsma]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=05a29f0 ]

Merge pull request #693 from remibergsma/s2svpn-fixes

Fix site-to-site VPN feature

This is work done together with @jayapalu on fixing the site2site VPN. The 
first part was done in PR #690 by @jayapalu. On top of that, some other fixes 
were needed and those are added in this PR. It made sense to make a new PR 
which includes all fixes so we can actually test it.

The original PR #690 is already merged into this one, so can be closed. Since 
the commit ids are kept the same, merging this will close both.

I closely compared the 4.4/4.5 implementation with the new 4.6 one. I did not 
only make it work, but also added some security improvements (some of which 
were also in 4.4/4.5). I noticed the pre-shared key was being logged, so 
removed that as well.

This is how I tested and verified it:
https://github.com/schubergphilis/MCT-shared/tree/master/helper_scripts/cloudstack/vpn_tests
When I have some time available, I'll write a Marvin test for it that we can 
include in the repo.

It now works(tm) with one manual step due to CLOUDSTACK-8685:
We need a default gateway before site-to-site VPN will actually work. It will 
connect, but not forward packets. The reason for this is the iptables setup. 
VM1 has router1 as gateway, but router1 does not know the route to VM2, so it 
will give up. With a default gateway, the packets are about to be forwarded to 
the default gateway, but when they reach eth1, the public nic, iptables kicks 
in, does some magic and forwards them through the ipsec tunnel. So, you need 
a default gw set to upstream.

Workaround for now is setting the route manually:
``route add default gw 1.2.3.4``  or  ``ip route add default via 1.2.3.4``

In other words, we need to fix CLOUDSTACK-8685 soon, too.

Thanks to @snuf @jayapalu!

@jayapalu @snuf could you please review this?

* pr/693:
  do not log sensitive site-to-site VPN PSK
  tighten security of site-to-site VPN
  CLOUDSTACK-8730: fix s2s iptables rules and ipsec config
  CLOUDSTACK-8710: Fixed applying iptables rules for s2s vpn

Signed-off-by: Remi Bergsma <[email protected]>


> [VPC_VR] Default route is not configured on VPC VR
> --------------------------------------------------
>
>                 Key: CLOUDSTACK-8685
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8685
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: Network Controller
>    Affects Versions: 4.6.0
>         Environment: Advanced zone with VPC. Latest build from ACS master.
>            Reporter: Sanjeev N
>            Priority: Critical
>         Attachments: management-server.zip
>
>
> [VPC_VR] Default route is not configured on VPC VR
> Steps to reproduce:
> ================
> 1. Bring up CS in advanced zone
> 2. Create VPC and wait for the VR to come into running state
> 3. Connect to VR and verify route table information
> Result:
> ======
> Default route is not configured on VPC VR.
> root@r-9-VM:/var/cache/cloud# route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth2
> 10.1.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth3
> 10.220.128.0    0.0.0.0         255.255.224.0   U     0      0        0 eth1
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
> root@r-9-VM:/var/cache/cloud#
> Observations:
> ===========
> When the VR boots up, we run cloud-early-config. This cleans up any default 
> route that exists on the VR. Then we execute vpc_ipassoc.sh to configure the 
> public nic and the default route via the public nic. However, in the latest 
> ACS master we are not executing vpc_ipassoc.sh.
> For any configuration on the VR, we are creating a configuration file and 
> applying it with update_config.py.
> Looks like adding the default route is missing in the configuration file.
> Following is the configuration file generated on the VR:
> 2015-07-29 05:20:39,132 DEBUG [c.c.h.x.r.CitrixResourceBase] 
> (DirectAgent-402:ctx-83549002) VR Config file 
> VR-d3b73941-7b3d-489a-bcc6-47c6a777c950.cfg got created in VR, ip 
> 169.254.0.54 with content
> #Apache CloudStack Virtual Router Config File
> <version>
> 1.0
> </version>
> <file>
> /var/cache/cloud/ip_associations.json
> {"ip_address":[{"public_ip":"10.220.135.97","source_nat":false,"add":true,"one_to_one_nat":false,"first_i_p":false,"gateway":"10.220.128.1","netmask":"255.255.224.0","vif_mac_address":"06:dd:e0:00:00:0e","nic_dev_id":1,"new_nic":false},{"public_ip":"10.220.135.99","source_nat":false,"add":true,"one_to_one_nat":true,"first_i_p":false,"gateway":"10.220.128.1","netmask":"255.255.224.0","vif_mac_address":"06:dd:e0:00:00:0e","nic_dev_id":1,"new_nic":false}],"type":"ips"}
> </file>
> <script>
> /opt/cloud/bin/update_config.py ip_associations.json
> </script>
> <file>
> /var/cache/cloud/staticnat_rules.json
> {"rules":[{"revoke":false,"source_ip_address":"10.220.135.99","source_port_range":"0:0","destination_ip_address":"10.1.1.36"}],"type":"staticnatrules"}
> </file>
> <script>
> /opt/cloud/bin/update_config.py staticnat_rules.json
> </script>
> <file>
> /var/cache/cloud/forwarding_rules.json
> {"rules":[{"revoke":false,"protocol":"tcp","source_ip_address":"10.220.135.97","source_port_range":"22:22","destination_ip_address":"10.1.1.194","destination_port_range":"22:22"}],"type":"forwardrules"}
> </file>
> <script>
> /opt/cloud/bin/update_config.py forwarding_rules.json
> </script>
> <file>
> /var/cache/cloud/network_acl.json
> {"device":"eth2","mac_address":"02:00:7c:a8:00:02","private_gateway_acl":false,"nic_ip":"10.1.1.1","nic_netmask":"24","ingress_rules":[{"type":"tcp","first_port":22,"last_port":22,"cidr":"0.0.0.0/0","allowed":true}],"egress_rules":[{"type":"icmp","icmp_type":-1,"icmp_code":-1,"cidr":"0.0.0.0/0","allowed":true}],"type":"networkacl"}
> </file>
> <script>
> /opt/cloud/bin/update_config.py network_acl.json
> </script>
> <file>
> /var/cache/cloud/vm_dhcp_entry.json
> {"host_name":"VM-403a0536-ba54-404f-a664-1b14d039497c","mac_address":"02:00:10:ca:00:01","ipv4_adress":"10.1.1.194","ipv6_duid":"00:03:00:01:02:00:10:ca:00:01","default_gateway":"10.1.1.1","default_entry":true,"type":"dhcpentry"}
> </file>
> <script>
> /opt/cloud/bin/update_config.py vm_dhcp_entry.json
> </script>
> <file>
> /var/cache/cloud/vm_dhcp_entry.json
> {"host_name":"VM-4c5e69ab-65dd-4315-b8fb-702f5599ede0","mac_address":"02:00:0f:22:00:03","ipv4_adress":"10.1.1.36","ipv6_duid":"00:03:00:01:02:00:0f:22:00:03","default_gateway":"10.1.1.1","default_entry":true,"type":"dhcpentry"}
> </file>
> <script>
> /opt/cloud/bin/update_config.py vm_dhcp_entry.json
> </script>
> <file>
> /var/cache/cloud/vm_metadata.json
> {"vm_ip_address":"10.1.1.194","vm_metadata":[["userdata","user-data",null],["metadata","service-offering","Tiny Instance"],["metadata","availability-zone","XenRT-Zone-0"],["metadata","local-ipv4","10.1.1.194"],["metadata","local-hostname","VM-403a0536-ba54-404f-a664-1b14d039497c"],["metadata","public-ipv4","10.220.135.96"],["metadata","public-hostname","10.220.135.96"],["metadata","instance-id","403a0536-ba54-404f-a664-1b14d039497c"],["metadata","vm-id","403a0536-ba54-404f-a664-1b14d039497c"],["metadata","public-keys",null],["metadata","cloud-identifier","CloudStack-{5bcd0291-2ac9-4d68-9887-bda6ae6596c2}"]],"type":"vmdata"}
> </file>
> <script>
> /opt/cloud/bin/update_config.py vm_metadata.json
> </script>
> <file>
> /var/cache/cloud/vm_metadata.json
> {"vm_ip_address":"10.1.1.36","vm_metadata":[["userdata","user-data",null],["metadata","service-offering","Tiny Instance"],["metadata","availability-zone","XenRT-Zone-0"],["metadata","local-ipv4","10.1.1.36"],["metadata","local-hostname","VM-4c5e69ab-65dd-4315-b8fb-702f5599ede0"],["metadata","public-ipv4","10.220.135.96"],["metadata","public-hostname","10.220.135.96"],["metadata","instance-id","4c5e69ab-65dd-4315-b8fb-702f5599ede0"],["metadata","vm-id","4c5e69ab-65dd-4315-b8fb-702f5599ede0"],["metadata","public-keys",null],["metadata","cloud-identifier","CloudStack-{5bcd0291-2ac9-4d68-9887-bda6ae6596c2}"]],"type":"vmdata"}
> </file>
> <script>
> /opt/cloud/bin/update_config.py vm_metadata.json
> </script>
> 2015-07-29 05:20:39,132 DEBUG [c.c.h.x.r.CitrixResourceBase] 
> (DirectAgent-402:ctx-83549002) Executing command in VR: 
> /opt/cloud/bin/router_proxy.sh vr_cfg.sh 169.254.0.54 -c 
> /var/cache/cloud/VR-d3b73941-7b3d-489a-bcc6-47c6a777c950.cfg
> Please look for job-115 in the attached MS log file for the sequence of 
> events that happened when we rebooted the VPC VR.
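As an added check (not code from the CloudStack project or from this Jira thread), the following Python parses a VR config file in the `<version>`/`<file>`/`<script>` layout quoted above, takes the gateway of the public IPs being added from ip_associations.json, and compares it against `route -n` output to flag the missing default route this issue describes. The sample config and routing table are constructed, abbreviated versions of the ones quoted above.

```python
import json
import re
# Constructed, abbreviated VR config file in the layout quoted in the Jira
# description: a <version> block followed by <file>/<script> pairs.
SAMPLE_CFG = """#Apache CloudStack Virtual Router Config File
<version>
1.0
</version>
<file>
/var/cache/cloud/ip_associations.json
{"ip_address":[{"public_ip":"10.220.135.97","add":true,"gateway":"10.220.128.1","nic_dev_id":1}],"type":"ips"}
</file>
<script>
/opt/cloud/bin/update_config.py ip_associations.json
</script>
"""
# Constructed `route -n` output modelled on the report: no 0.0.0.0 destination.
SAMPLE_ROUTE = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth2
10.220.128.0    0.0.0.0         255.255.224.0   U     0      0        0 eth1
"""
BLOCK_RE = re.compile(r"<(file|script)>\n(.*?)\n</\1>", re.S)

def parse_vr_cfg(text):
    # Returns (files, scripts): files maps each <file> path to its parsed JSON payload.
    files, scripts = {}, []
    for kind, body in BLOCK_RE.findall(text):
        if kind == "file":
            path, _, content = body.partition("\n")
            files[path.strip()] = json.loads(content)
        else:
            scripts.append(body.strip())
    return files, scripts

def expected_gateways(files):
    # Gateways of public IPs being added: the VR's default route should point at one.
    ips = files.get("/var/cache/cloud/ip_associations.json", {}).get("ip_address", [])
    return sorted({e["gateway"] for e in ips if e.get("add") and e.get("gateway")})

def default_routes(route_n):
    # Gateways of default routes (Destination column 0.0.0.0) in `route -n` output.
    return [r[1] for r in (l.split() for l in route_n.splitlines()) if len(r) >= 8 and r[0] == "0.0.0.0"]

def missing_default_route(cfg_text, route_n):
    # Gateways the config implies but which the routing table does not use as default.
    files, _ = parse_vr_cfg(cfg_text)
    present = set(default_routes(route_n))
    return [gw for gw in expected_gateways(files) if gw not in present]
```

A non-empty result from missing_default_route is the symptom reported here: the public IP was associated, but no default route via its gateway was installed.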



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)