Public bug reported:

In template/openswan/ipsec.conf.template, both leftnexthop and rightnexthop 
connection parameters are assigned like below,
leftnexthop=%defaultroute
rightnexthop=%defaultroute

With these settings, the ipsec addconn command fails for IPv6 addresses,
as shown below:

2015-03-26 15:09:32.006 ERROR neutron.agent.linux.utils [req-ef46a8a3-75b9-4452-83df-051d49dc263d admin 4546bfa7704845bf874241f1fb3a376b]
Command: ['ip', 'netns', 'exec', u'qrouter-7f361721-74a6-4734-b021-388b4b64762e', 'ipsec', 'addconn', '--ctlbase', u'/opt/stack/data/neutron/ipsec/7f361721-74a6-4734-b021-388b4b64762e/var/run/pluto.ctl', '--defaultroutenexthop', u'1001::f816:3eff:feb4:a2db', '--config', u'/opt/stack/data/neutron/ipsec/7f361721-74a6-4734-b021-388b4b64762e/etc/ipsec.conf', u'ef7409c5-395d-44eb-91d5-875059a3b3eb']
Exit code: 37
Stdin: 
Stdout: 023 address family inconsistency in this connection=10 host=10/nexthop=0
037 attempt to load incomplete connection

Looks like with IKEv1, parsing defaultroute for ipv6 addresses has
problems.

When addresses are given for leftnexthop instead of %defaultroute, ipsec
addconn works for IPv6,
i.e. modified the template like below:
leftnexthop={{vpnservice.external_ip}}
#rightnexthop (i.e not using rightnexthop)

So, neutron shouldn't use %defaultroute for leftnexthop and
rightnexthop and should instead assign IPv6 addresses from the vpnservice object.

** Affects: neutron
     Importance: Undecided
     Assignee: venkata anil (anil-venkata)
         Status: New

** Changed in: neutron
     Assignee: (unassigned) => venkata anil (anil-venkata)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1436890

Title:
   [IPv6] [VPNaaS]Error when %defaultroute assigned to leftnexthop and
  rightnexthop for ipv6

Status in OpenStack Neutron (virtual network service):
  New
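
The workaround and the failure signature from the report, as an added example (not code from Neutron or from the reporter). The helper names are hypothetical, the external IPs in the usage are constructed, and reading the numbers in the 023 message as Linux address-family constants (10 = AF_INET6, 0 = AF_UNSPEC) is an assumption.

```python
import ipaddress
import re

# Assumption: the numbers in the 023 message are Linux address-family
# constants (AF_UNSPEC=0, AF_INET=2, AF_INET6=10).
AF_NAMES = {0: "AF_UNSPEC", 2: "AF_INET", 10: "AF_INET6"}

FAMILY_ERR = re.compile(
    r"address family inconsistency in this connection=(\d+) "
    r"host=(\d+)/nexthop=(\d+)")

# Stdout copied from the report, including the mail client's line wrap.
SAMPLE_STDOUT = ("023 address family inconsistency in this connection=10 \n"
                 "host=10/nexthop=0\n"
                 "037 attempt to load incomplete connection\n")


def nexthop_lines(external_ip):
    """Return the nexthop lines of a conn stanza (hypothetical helper).

    IPv4 keeps the template's %defaultroute. IPv6 follows the workaround
    in the report: explicit leftnexthop, rightnexthop left unused.
    """
    addr = ipaddress.ip_address(external_ip)  # ValueError on bad input
    if addr.version == 6:
        return [f"leftnexthop={addr}", "#rightnexthop"]
    return ["leftnexthop=%defaultroute", "rightnexthop=%defaultroute"]


def decode_family_error(stdout):
    """Decode the 023 message; return family names, or None if absent."""
    # Collapse whitespace first so wrapped output still matches.
    match = FAMILY_ERR.search(" ".join(stdout.split()))
    if match is None:
        return None
    fields = ("connection", "host", "nexthop")
    return {name: AF_NAMES.get(int(num), num)
            for name, num in zip(fields, match.groups())}


if __name__ == "__main__":
    # Constructed external IPs (documentation ranges), not from the report.
    for ip in ("2001:db8::10", "192.0.2.10"):
        print(ip, "->", nexthop_lines(ip))
    print(decode_family_error(SAMPLE_STDOUT))
```

On the report's stdout the decoder shows the connection and host as IPv6 while the nexthop has no family, which matches the reporter's observation that %defaultroute is not resolved for IPv6.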
