Public bug reported:

In template/openswan/ipsec.conf.template, both leftnexthop and rightnexthop connection parameters are assigned like below,

    leftnexthop=%defaultroute
    rightnexthop=%defaultroute

With these settings, ipsec addconn command is failing for ipv6 addresses like below

    2015-03-26 15:09:32.006 ERROR neutron.agent.linux.utils [req-ef46a8a3-75b9-4452-83df-051d49dc263d admin 4546bfa7704845bf874241f1fb3a376b]
    Command: ['ip', 'netns', 'exec', u'qrouter-7f361721-74a6-4734-b021-388b4b64762e', 'ipsec', 'addconn', '--ctlbase', u'/opt/stack/data/neutron/ipsec/7f361721-74a6-4734-b021-388b4b64762e/var/run/pluto.ctl', '--defaultroutenexthop', u'1001::f816:3eff:feb4:a2db', '--config', u'/opt/stack/data/neutron/ipsec/7f361721-74a6-4734-b021-388b4b64762e/etc/ipsec.conf', u'ef7409c5-395d-44eb-91d5-875059a3b3eb']
    Exit code: 37
    Stdin:
    Stdout: 023 address family inconsistency in this connection=10 host=10/nexthop=0
    037 attempt to load incomplete connection

Looks like with IKEv1, parsing defaultroute for ipv6 addresses has problems.
When addresses are given for leftnexthop, instead of %defaultroute, ipsec addconn is working for ipv6, i.e. modified the template like below

    leftnexthop={{vpnservice.external_ip}}
    #rightnexthop (i.e. not using rightnexthop)

So, neutron shouldn't use %defaultroute for leftnexthop and rightnexthop and instead assign ip6 addresses from vpnservice object.

** Affects: neutron
     Importance: Undecided
     Assignee: venkata anil (anil-venkata)
     Status: New

** Changed in: neutron
     Assignee: (unassigned) => venkata anil (anil-venkata)
https://bugs.launchpad.net/bugs/1436890

Title:
  [IPv6] [VPNaaS]Error when %defaultroute assigned to leftnexthop and rightnexthop for ipv6

Status in OpenStack Neutron (virtual network service):
  New
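
Added example, not part of the bug report or of neutron's code: a pre-flight check in Python that parses a rendered ipsec.conf and lists the conn sections where an IPv6 left/right address is paired with a %defaultroute next hop, the combination that addconn rejects in the log above. The sample config, its conn names, every address except the one from the log, and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of a rendered ipsec.conf (not taken from a real deployment).
SAMPLE_CONF = """\
config setup
    nat_traversal=yes

conn v6-site
    left=1001::f816:3eff:feb4:a2db
    leftnexthop=%defaultroute
    right=1002::10
    rightnexthop=%defaultroute

conn v4-site
    left=172.24.4.10
    leftnexthop=%defaultroute
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if not raw[0].isspace():              # section header starts at column 0
            parts = line.split(None, 1)
            current = conns.setdefault(parts[1], {}) if parts[0] == "conn" and len(parts) == 2 else None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conns


def is_ipv6(value):
    try:
        return ipaddress.ip_address(value).version == 6
    except ValueError:                        # %any, hostnames, missing value
        return False


def find_ipv6_defaultroute(text):
    """List (conn, parameter) pairs where an IPv6 end uses %defaultroute as next hop."""
    hits = []
    for name, opts in parse_conns(text).items():
        for side in ("left", "right"):
            if is_ipv6(opts.get(side, "")) and opts.get(side + "nexthop") == "%defaultroute":
                hits.append((name, side + "nexthop"))
    return hits
```

Running find_ipv6_defaultroute() on the rendered file before the agent calls addconn reports the affected parameters by conn name; IPv4 connections using %defaultroute are left alone.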