We've encountered strange behavior of the VPN service in Mitaka (strongswan-based vpnaas). Our setup allows a customer to establish an s2s VPN between our neutron and their ASA. But! When the VPN tunnel is established from the customer site (i.e. ASA is the initiator), everything works fine. Packets from both sides are routed in the tunnel, to sites can.

But when the tunnel must be established from our site, nothing happens... All packets are routed through the default router in that case, and the tunnel never comes up. With a single ping from the customer's site, everything works fine again...

As far as I understand the mechanics of neutron, when the customer sends a packet to the private network, neutron-vpn-agent momentarily enables iptables routing rules. But when initialization comes from the OpenStack private network (i.e. iptables rules are missing, and must be added when the first packet leaves its source), no rules are added and all packets are forwarded through the default router, i.e. through the internet.

We are not sure that this is a bug, maybe openstack vpn works as intended... But afaik, strongswan itself doesn't care which side is initiator, and allows enablement from internal networks.

Any idea what we can look at to enable this type of establishment (i.e. private network as a source)?

Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
