[GitHub] cloudstack issue #872: Strongswan vpn feature

[jayapalu]

Github user jayapalu commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
PR#1741 is closed. So closed this PR.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
I am not able to merge my changes with @jayapalu's branch, so I have 
created a new PR #1741 which includes everything from this PR as well as all 
the changes I had to make to get both Remote Access VPN and Site-to-Site VPN 
working.  I will be moving all my testing and such for this feature to PR #1741.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
@jayapalu I need to get all my changes merged into this PR though. This PR 
has bugs as it is. I will open a new PR with a merge of your changes and my 
changes today. 


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[jayapalu]

Github user jayapalu commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
@swill  We will try to wrap up this PR by next week. I will also try to 
post the test results then we will push the changes after LGTMs.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
Tomorrow I will pick a recommended S2S VPN configuration and verify the 
rest of the different possible options with that single configuration to give a 
better global picture of the state of this PR.

Also, the testing of the Remote Access VPN connections on my branch are 
going well as well.  We have found a pretty serious unrelated bug in the IP 
allocation in the VR on VR reboot.  If a PF rule is set on the VR and it is 
reboot, the `eth1` interface gets the PF IP instead of the Source NAT IP, so 
that breaks the Remote Access VPN connection.  We have been troubleshooting it, 
but  the problem has been relatively tricky to track down.  More details on 
that once we root cause the issue.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
I wrote a small testing setup which allows me to automate the build up and 
tear down different configurations in test environment.

Here are the results so far of my branch (hopefully soon to be merged with 
this PR, or I will open my own PR with it).

I am testing this functionality by creating two VPCs with VMs in them and 
creating a S2S VPN connection between the two VPCs.  Then I SSH into a VM in 
one VPC and I ping the private IP of a VM in the other VPC.  Then I tear it 
down and try a different configuration.  

**Setup**
```
VPC 1  VPC 2   
=  =   
VPN GatewayVPN Gateway 
VPN Customer Gateway   VPN Customer Gateway
VPN Connection<--->VPN Connection
 - Passive = True   - Passive = False
```

**Legend**
`SKIP` => At least one of the VPN Connections did not come up, so no test 
was run.
`OK` => The ping test was successful over the S2S VPN connection.
`FAIL` => The ping test failed over the S2S VPN connection.

The following finished before my VPN connection failed.  From these results 
it is fair to say that the Diffie-Hellman group is required for this S2S VPN 
implementation so far.

**Results**
```

+--+-+-+--+--+
| Status   | IKE | ESP | DPD  | 
Encap|

+==+=+=+==+==+
| SKIP | 3des-md5| 3des-md5| True | 
False|

+--+-+-+--+--+
| SKIP | 3des-md5| 3des-md5;modp1024   | True | 
False|

+--+-+-+--+--+
| SKIP | 3des-md5| 3des-md5;modp1536   | True | 
False|

+--+-+-+--+--+
| OK   | 3des-md5;modp1024   | 3des-md5| True | 
False|

+--+-+-+--+--+
| OK   | 3des-md5;modp1024   | 3des-md5;modp1024   | True | 
False|

+--+-+-+--+--+
| OK   | 3des-md5;modp1024   | 3des-md5;modp1536   | True | 
False|

+--+-+-+--+--+
| OK   | 3des-md5;modp1536   | 3des-md5| True | 
False|

+--+-+-+--+--+
| OK   | 3des-md5;modp1536   | 3des-md5;modp1024   | True | 
False|

+--+-+-+--+--+
| OK   | 3des-md5;modp1536   | 3des-md5;modp1536   | True | 
False|

+--+-+-+--+--+
| SKIP | 3des-md5| 3des-sha1   | True | 
False|

+--+-+-+--+--+
| SKIP | 3des-md5| 3des-sha1;modp1024  | True | 
False|

+--+-+-+--+--+
| SKIP | 3des-md5| 3des-sha1;modp1536  | True | 
False|

+--+-+-+--+--+
| OK   | 3des-md5;modp1024   | 3des-sha1   | True | 
False|

+--+-+-+--+--+
| OK   | 3des-md5;modp1024   | 3des-sha1;modp1024  | True | 
False|

+--+-+-+--+--+
| OK   | 3des-md5;modp1024   | 3des-sha1;modp1536  | True | 
False|

+--+-+-+--+--+
| OK   | 3des-md5;modp1536   | 3des-sha1   | True | 
False|

+--+-+-+--+--+
| OK   | 3des-md5;modp1536   | 3des-sha1;modp1024  | True | 
False|

+--+-+-+--+--+
| OK   | 3des-md5;modp1536   | 3des-sha1;modp1536  | True | 
False|

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
@jayapalu I am not sure why, but I can't seem to do a pull request against 
your branch.  Any ideas why?  Maybe you have some specific permissions on your 
repo to stop this?  If you are not sure, I can just create a new PR with the 
combination of your work and my work.  I have most things working now.  I will 
post a status of what is working and what is not working later tonight after my 
tests finish running...


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[jayapalu]

Github user jayapalu commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
@swill 
The changes added are some improvements. One example is before running 
ipsec up , calling ipsec down 






---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
@jayapalu the issues are harder to notice if the connection is always 
coming up.  The problem is if you do a configuration which the connection does 
not come up.  Because of the logic I pointed out above, the 
`stopVpnConnection()` function is never called in the java, so the VRs are 
never directed to remove the S2S VPN configuration from the VR.

> Each time we configure the s2s vpn we suppose to overwrite config file 
(ipsec.vpn-.conf).
> Even if the file not got deleted next time the config get overwritten.

This is not actually the case.  If the Connection state is `Disconnected`, 
then the config files are not deleted from the VR.  In that case, for example, 
if you had `dpd=true`, then it will add the following items to the config file.

```
dpddelay=30
dpdtimeout=120
dpdaction=restart
```

Now let's assume that we need to set `dpd=false`, so we remove the 
configuration from ACS ([the files won't get deleted because it is in 
`Disconnected` 
state](https://github.com/apache/cloudstack/blob/master/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java#L520)).
  Then when the new configuration is applied to the VR, it will see the 
`dpd=false` and will not attempt to modify those lines.  Which means that since 
the config already had those `dpd` lines in the config, they will not be 
removed and every config will include those `dpd` config options even though 
ACS has specified that those config options should not be present.

I have updated the java code to delete the configs from the VR even if the 
connection is disconnected.  I will continue testing and will send a PR to your 
PR soon.

I see you have made changes to this PR.  Are the changes a result of 
testing and these changes fix some bad behavior?


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[jayapalu]

Github user jayapalu commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
I have created two VPCs and configured the s2s vpn from UI. My tunnels are 
coming up without manually restarting the ipsec in this branch.

s2s_customer_gateway:

++--+--+---+-++---++--+--+-+-+---++-+
| id | uuid | name | gateway_ip| 
guest_cidr_list | ipsec_psk  | ike_policy| esp_policy | ike_lifetime | 
esp_lifetime | dpd | force_encap | domain_id | account_id | removed |

++--+--+---+-++---++--+--+-+-+---++-+
|  7 | 9cff8e2a-2848-46fc-80ef-7dcc47bfd4e4 | cg1  | 10.147.46.102 | 
10.1.0.0/16 | 1234567890 | 3des-md5;modp1024 | 3des-md5   |86400 |  
   3600 |   0 |   0 | 1 |  2 | NULL|
|  8 | 60bd9e15-0a18-4334-ab98-ff56b0f839a5 | cg2  | 10.147.46.103 | 
10.2.0.0/16 | 1234567890 | 3des-md5;modp1024 | 3des-md5   |86400 |  
   3600 |   1 |   0 | 1 |  2 | NULL|

++--+--+---+-++---++--+--+-+-+---++-+
2 rows in set (0.00 sec)

ipsec status
Security Associations (1 up, 0 connecting):
vpn-10.147.46.102[17]: ESTABLISHED 10 minutes ago, 
10.147.46.103[10.147.46.103]...10.147.46.102[10.147.46.102]
vpn-10.147.46.102{21}:  INSTALLED, TUNNEL, ESP SPIs: c562e87d_i c6a45be4_o
vpn-10.147.46.102{21}:   10.2.0.0/16 === 10.1.0.0/16 


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[jayapalu]

Github user jayapalu commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
@swill I did not test the case of delete vpn on error state, so I did not 
come across the vpn config file mess.
Each time we configure the s2s vpn we suppose to overwrite  config fie 
(ipsec.vpn-.conf).
Even if the file not got deleted next time the config get overwritten. 

Please add your commits in this PR so that we will have track.
I am also testing today, I will add few changes.



---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
I have to solve for this now though: 


![image](https://cloud.githubusercontent.com/assets/13644/19495845/0811c4ba-9553-11e6-9691-1cc17941526d.png)



---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
I think I have found why the VPN connections are not correctly being 
deleted from the VR when you run `deleteVpnConnection`.

The [problem is 
here](https://github.com/apache/cloudstack/blob/master/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java#L520):
```
if (conn.getState() == State.Connected) {
stopVpnConnection(id);
}
```

It should be:
```
if (conn.getState() != State.Pending) {
stopVpnConnection(id);
}
```

Right now, if the VPN is not in a `Connected` state, the configuration on 
the VR is never cleaned up.  That means that if you make a mistake in your VPN 
configuration when you do it the first time, the config is never deleted 
because it will either be in `Disconnected` or `Error` state.  Between this and 
the fact that config files never get rebuilt, only added to or updated, deleted 
configuration options (like `dpd` for example) will never be removed from the 
config file.  This means that regardless of what you do (like delete everything 
from ACS and start again), the VPN connection for that IP will ALWAYS be broken 
and it will never be possible to make it work correctly because the config will 
be corrupted.

@jayapalu, do you want me to create a pull request to your PR to make all 
my changes available to you guys, or should I create my own PR?  Because we 
need this fix in 4.7, I have a few branches I am maintaining locally with the 
changes.  Let me know...


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[jayapalu]

Github user jayapalu commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
@swill 
My setup is up with the strongswan template. Configured s2s VPN connection, 
I could observe that once that 'ipsec restart' or reload/rereadsecrets brought 
up the tunnels.

I will test  once again  issues you have mentioned above tomorrow.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
Hey @jayapalu, thanks for the follow up.  Here are a couple things to note.
- In order to get Remote Access VPN to work you need to update the L2TP 
conf file to include `type=transport`.
- In order to get 3des working for S2S VPN, you will need to install the 
`libstrongswan-extra-plugins` package as well.
- Running `ipsec restart` seems to get rid of the discrepancy between the 
running config and the config files, but I think one of the main issues is a 
missing `ipsec rereadsecrets` when the S2S config changes.

Here is some basic stuff you can do to reproduce the problems.  You can use 
two VPCs as a test environment and create a S2S VPN connection between them to 
do tests.
- Remove all the S2S VPN connections and gateways.
- Manually remove the `/etc/ipsec.d/ipsec.vpn-vv.xx.yy.zz.conf` and 
`/etc/ipsec.d/ipsec.vpn-vv.xx.yy.zz.secrets` files from the VRs.
- Create a S2S VPN configuration with `dpd=true` and `pfs=modp1024` and set 
a PSK of something like `1234567890`.  This configuration should work.  If it 
doesn't, do an `ipsec restart` and it will probably start working.  Even if it 
does not work, we can continue the tests sequence.
- Remove the entire configuration through ACS (connections and gateways).
-- Note the files `/etc/ipsec.d/ipsec.vpn-vv.xx.yy.zz.conf` and 
`/etc/ipsec.d/ipsec.vpn-vv.xx.yy.zz.secrets` are not removed from the VRs.
-- Note the `conf` file includes dpd and psk details previously configured.
- Create a new S2S VPN configuration with `dpd=false` and without PFS.  For 
now, don't change the PSK from what it was before.
-- Note that the `conf` file on the VRs still includes the `dpd` 
configuration.  Also note that `pfs=no` now, but the `esp` config still 
includes the `modp1024` to specify `pfs=yes`.
-- If the connection was working before, this configuration, which is very 
much broken, will still work because what ipsec has in memory does not reflect 
what is in the config files.
- Remove the entire configuration through ACS again.
- Recreate it again, but this time change the PSK to something different 
like `0987654321`.
-- Note that now the connection breaks and you get an authentication error.
-- At this point to get it working again you will have to run `ipsec 
restart` because the old PSK is still in the ipsec memory.
-- You may have to manually clean up your config files at this point 
because they may be polluted by bad configuration since they are never deleted 
and configuration options are never deleted in a config, only added or edited.

That should get you going.  If you have questions, let me know.  I will 
isolate the problem more on monday.

I think the majority of these problems will go away if the config files get 
deleted when the configuration is deleted through ACS.  I think the logic will 
then flow the way it is expected.  Right now, things like `ipsec reload` are 
never called because they are showing as not changed, even though the config 
has actually changed.  I think that is the first step and then we go from 
there.  I also think we will need to run `ipsec rereadsecrets` after updating 
the s2s config in order to check if the PSK has changed and load it into the 
running config if it did change.



---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[jayapalu]

Github user jayapalu commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
@swill Let me also try the issue you have mentioned in my setup on Monday.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
The more I dig into this the deeper the rabbit hole goes.  Here are a few 
things I have found which I need to address.
- When a VPN connection, gateway, etc is deleted, the configuration is not 
actually cleaned up.
- When a new configuration is defined, it only has the ability to add to or 
modify the current configuration, it does not have the ability to remove config 
items.  Combined with the above point, this means that if you ever turn on 
`dpd` for example, it is not possible to ever turn it off.
- The configuration files on the VR do not reflect the running config in 
`ipsec`.  You can have identical configurations and it will work sometimes and 
it wont work other times.  I have been able to reset the config to make the 
running config match the defined config by doing a `ipsec restart`, but I have 
to close the gap as to why it is not consistent and where the divergence 
happens.  I believe it is due to the PSK not actually getting updated with a 
`ipsec rereadsecrets`, but because of other issues, I can't even get code 
blocks to execute when they should be on changes.  
- There appears to be a problem with the `if secret.is_changed() or 
file.is_changed()` logic which is causing logic not to run when it should.  I 
am still working out why this is the case.

All to say, I still have a lot to work through before this is ready for 
primetime.  I think I have the Remote Access VPN functionality working as 
expected and relatively stable now, but I am still working through a lot of 
issues with the S2S VPN feature(s).  I have given a code drop of the Remote 
Access VPN functionality to one of our operations teams to continue testing 
that feature as I work through the S2S issues.  Hopefully I will have better 
news next week.

Have a nice weekend everyone...


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
I have found a new issue.  If I create a S2S VPN connection, and then clean 
up everything.  The S2S VPN connection still works even though there is nothing 
configured in ACS anymore.  Looking into why that would be the case as well...


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
@serg38 if you respond from email, can you remove the quoted text so it 
does not add a full page of text to the GitHub issue.  :P  Maybe edit your 
above response to remove the extra text since this page is already crazy long.  
Thanks for looking at this and helping...  👍


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
@serg38 Inline...

`plutostart=no` will do nothing.  I need to remove that, I just have not 
gotten around to cleaning that up.  That config option no longer is even picked 
up: https://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1

`keyexchange=ikev2` I have tried this, but that has much bigger 
implications because ACS uses PSK and we don't have the corresponding UI or API 
to configure the details for `IKEv2`.  If we want to support `IKEv2`, we need 
to do a more complete overhaul of how ACS configures IPSec on the VR.

Note that I have been able to get the config working with Windows as per my 
post above...


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[serg38]

Github user serg38 commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
@swill Can you try changing in ipsec.conf

plutostart=no
keyexchange=ikev2

and adding

ike=aes256-sha1-modp1024!
esp=aes256-sha1!

From: Will Stevens 
Reply-To: apache/cloudstack 
Date: Friday, October 7, 2016 at 12:27 PM
To: apache/cloudstack 
Cc: Sergey Levitskiy , Mention 

Subject: Re: [apache/cloudstack] Strongswan vpn feature (#872)


At @serg38's request, here are the current 
configs...

# cat /etc/strongswan.conf

# strongswan.conf - strongSwan configuration file

#

# Refer to the strongswan.conf(5) manpage for details

#

# Configuration changes should be made in the included files



charon {

load_modular = yes

plugins {

include strongswan.d/charon/*.conf

}

}



include strongswan.d/*.conf

# cat /etc/strongswan.d/charon/*.conf

addrblock {



# Whether to load the plugin. Can also be an integer to increase the

# priority of this plugin.

load = yes



}



aes {



# Whether to load the plugin. Can also be an integer to increase the

# priority of this plugin.

load = yes



}



af-alg {



# Whether to load the plugin. Can also be an integer to increase the

# priority of this plugin.

load = yes



}



# Section to specify arbitrary attributes that are assigned to a peer via

# configuration payload (CP).

attr {



#  is an attribute name or an integer, values can be an IP 
address,

# subnet or arbitrary value.

#  =



# Whether to load the plugin. Can also be an integer to increase the

# priority of this plugin.

load = yes



}



ccm {



# Whether to load the plugin. Can also be an integer to increase the

# priority of this plugin.

load = yes



}



certexpire {



# Whether to load the plugin. Can also be an integer to increase the

# priority of this plugin.

load = yes



csv {



# Cron style string specifying CSV export times.

# cron =



# String to use in empty intermediate CA fields.

# empty_string =



# Use a fixed intermediate CA field count.

# fixed_fields = yes



# Force export of all trustchains we have a private key for.

# force = yes



# strftime(3) format string to export expiration dates as.

# format = %d:%m:%Y



# strftime(3) format string for the CSV file name to export local

# certificates to.

# local =



# strftime(3) format string for the CSV file name to export remote

# certificates to.

# remote =



# CSV field separator.

# separator = ,



}



}



cmac {



# Whether to load the plugin. Can also be an integer to increase the

# priority of this plugin.

load = yes



}



constraints {



# Whether to load the plugin. Can also be an integer to increase the

# priority of this plugin.

load = yes



}



ctr {



# Whether to load the plugin. Can also be an integer to increase the

# priority of this plugin.

load = yes



}



curl {



# Whether to load the plugin. Can also be an integer to increase the

# priority of this plugin.

load = yes



}



dhcp {



# Always use the configured server address.

# force_server_address = no



# Derive user-defined MAC address from hash of IKE identity.

# identity_lease = no



# Interface name the plugin uses for address allocation.

# interface =



# Whether to load the plugin. Can also be an 

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
Thanks to @kiwiflyer for finding this link: 
https://support.microsoft.com/en-us/kb/926179

We have been able to create a connection by setting the registry for 
`AssumeUDPEncapsulationContextOnSendRule` to `2` (for the record `1` does not 
work).  This is a good start.  With some documentation, it looks like we have a 
working solution for Mac and Windows.

Will be doing some more testing to confirm everything is working as 
expected, but as a first pass, we seem to be moving in the right direction...


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
At @serg38's request, here are the current configs...

```
# cat /etc/strongswan.conf 
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
}

include strongswan.d/*.conf
```

```
# cat /etc/strongswan.d/charon/*.conf
addrblock {

# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes

}

aes {

# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes

}

af-alg {

# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes

}

# Section to specify arbitrary attributes that are assigned to a peer via
# configuration payload (CP).
attr {

#  is an attribute name or an integer, values can be an IP 
address,
# subnet or arbitrary value.
#  =

# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes

}

ccm {

# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes

}

certexpire {

# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes

csv {

# Cron style string specifying CSV export times.
# cron =

# String to use in empty intermediate CA fields.
# empty_string =

# Use a fixed intermediate CA field count.
# fixed_fields = yes

# Force export of all trustchains we have a private key for.
# force = yes

# strftime(3) format string to export expiration dates as.
# format = %d:%m:%Y

# strftime(3) format string for the CSV file name to export local
# certificates to.
# local =

# strftime(3) format string for the CSV file name to export remote
# certificates to.
# remote =

# CSV field separator.
# separator = ,

}

}

cmac {

# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes

}

constraints {

# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes

}

ctr {

# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes

}

curl {

# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes

}

dhcp {

# Always use the configured server address.
# force_server_address = no

# Derive user-defined MAC address from hash of IKE identity.
# identity_lease = no

# Interface name the plugin uses for address allocation.
# interface =

# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes

# DHCP server unicast or broadcast IP address.
# server = 255.255.255.255

}

dnskey {

# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes

}

eap-aka {

# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes

# request_identity = yes

}

eap-gtc {

# XAuth backend to be used for credential verification.
# backend = pam

# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes

}

eap-identity {

# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes

}

eap-md5 {

# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes

}

eap-mschapv2 {

# Whether to load the plugin. Can also be an integer to increase the
# 

Re: [GitHub] cloudstack issue #872: Strongswan vpn feature

[Sergey Levitskiy]

@swill I believe windows natively support "L2TP” . And I see they negotiated 
both encryption and integrity . looks like the difference is this:

On OSX
   xl2tpd[2263]: control_finish: Peer requested tunnel 32 twice, ignoring 
second one.

On windows it seems it trying to establish ‘child’ session.

   charon: 16[IKE] IKE_SA L2TP-PSK[39] state change: CONNECTING => ESTABLISHED
charon: 16[ENC] generating ID_PROT response 0 [ ID HASH ]
charon: 16[NET] sending packet: from 74.121.ff.gg[4500] to 
74.121.xx.yy[64916] (76 bytes)
charon: 08[NET] sending packet: from 74.121.ff.gg[4500] to 
74.121.xx.yy[64916]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to 
74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 04[NET] received packet: from 74.121.xx.yy[64916] to 
74.121.ff.gg[4500] (444 bytes)
charon: 04[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA 
NAT-OA ]
charon: 04[IKE] changing received traffic selectors 
172.16.11.171/32[udp/l2f]=== 74.121.ff.gg/32[udp/l2f] due to NAT
charon: 04[CFG] looking for a child config for 74.121.ff.gg/32[udp/l2f] 
=== 74.121.xx.yy/32[udp/l2f] 
charon: 04[CFG] proposing traffic selectors for us:


Can you post strongSwan configs : ipsec.conf, striongswan.cof, ipsec.secrets ?


On 10/7/16, 10:46 AM, "swill"  wrote:

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
If anyone has experience with Remote Access VPN on Windows and has any 
insight into why the following is failing, please let me know. 

**FAILING WINDOWS LOG:**
```
charon: 11[NET] received packet: from 74.121.xx.yy[1011] to 
74.121.ff.gg[500]
charon: 11[NET] waiting for data on sockets
charon: 02[NET] received packet: from 74.121.xx.yy[1011] to 
74.121.ff.gg[500] (408 bytes)
charon: 02[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
charon: 02[CFG] looking for an ike config for 
74.121.ff.gg...74.121.xx.yy
charon: 02[CFG]   candidate: 74.121.ff.gg...%any, prio 1052
charon: 02[CFG] found matching ike config: 74.121.ff.gg...%any with 
prio 1052
charon: 02[ENC] received unknown vendor ID: 
01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
charon: 02[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
charon: 02[IKE] received NAT-T (RFC 3947) vendor ID
charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
charon: 02[IKE] received FRAGMENTATION vendor ID
charon: 02[ENC] received unknown vendor ID: 
fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
charon: 02[ENC] received unknown vendor ID: 
26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
charon: 02[ENC] received unknown vendor ID: 
e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
charon: 02[IKE] 74.121.xx.yy is initiating a Main Mode IKE_SA
charon: 02[IKE] IKE_SA (unnamed)[39] state change: CREATED => CONNECTING
charon: 02[CFG] selecting proposal:
charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
charon: 02[CFG] selecting proposal:
charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
charon: 02[CFG] selecting proposal:
charon: 02[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
charon: 02[CFG] selecting proposal:
charon: 02[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
charon: 02[CFG] selecting proposal:
charon: 02[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
charon: 02[CFG] selecting proposal:
charon: 02[CFG]   proposal matches
charon: 02[CFG] received proposals: 
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, 
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, 
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, 
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, 
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
charon: 02[CFG] configured proposals: 
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, 
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, 

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
@murali-reddy, @jburwell mentioned to ping you regarding the above.  Not 
sure if you have any ideas or suggestions, but I am open to any thoughts.  
Thanks...  :)


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
If anyone has experience with Remote Access VPN on Windows and has any 
insight into why the following is failing, please let me know. 

**FAILING WINDOWS LOG:**
```
charon: 11[NET] received packet: from 74.121.xx.yy[1011] to 
74.121.ff.gg[500]
charon: 11[NET] waiting for data on sockets
charon: 02[NET] received packet: from 74.121.xx.yy[1011] to 
74.121.ff.gg[500] (408 bytes)
charon: 02[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
charon: 02[CFG] looking for an ike config for 74.121.ff.gg...74.121.xx.yy
charon: 02[CFG]   candidate: 74.121.ff.gg...%any, prio 1052
charon: 02[CFG] found matching ike config: 74.121.ff.gg...%any with prio 
1052
charon: 02[ENC] received unknown vendor ID: 
01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
charon: 02[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
charon: 02[IKE] received NAT-T (RFC 3947) vendor ID
charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
charon: 02[IKE] received FRAGMENTATION vendor ID
charon: 02[ENC] received unknown vendor ID: 
fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
charon: 02[ENC] received unknown vendor ID: 
26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
charon: 02[ENC] received unknown vendor ID: 
e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
charon: 02[IKE] 74.121.xx.yy is initiating a Main Mode IKE_SA
charon: 02[IKE] IKE_SA (unnamed)[39] state change: CREATED => CONNECTING
charon: 02[CFG] selecting proposal:
charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
charon: 02[CFG] selecting proposal:
charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
charon: 02[CFG] selecting proposal:
charon: 02[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
charon: 02[CFG] selecting proposal:
charon: 02[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
charon: 02[CFG] selecting proposal:
charon: 02[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
charon: 02[CFG] selecting proposal:
charon: 02[CFG]   proposal matches
charon: 02[CFG] received proposals: 
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, 
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, 
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, 
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, 
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
charon: 02[CFG] configured proposals: 
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, 
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, 
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160,
 
IKE:AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/
 
PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
charon: 02[CFG] selected proposal: 
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
charon: 02[IKE] sending XAuth vendor ID
charon: 02[IKE] sending DPD vendor ID
charon: 02[IKE] sending NAT-T (RFC 3947) vendor ID
charon: 02[ENC] generating ID_PROT response 0 [ SA V V V ]
charon: 02[NET] sending packet: from 74.121.ff.gg[500] to 
74.121.xx.yy[1011] (136 bytes)
charon: 08[NET] sending packet: from 74.121.ff.gg[500] to 74.121.xx.yy[1011]
charon: 11[NET] received packet: from 74.121.xx.yy[1011] to 
74.121.ff.gg[500]
charon: 11[NET] waiting for data on sockets

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
@rhtyd ya I am trying to get it working with all. It is a lot of trial and 
error, more research, then more trial and error. 

Right now I have it working on Mac. On Windows, phase 1 is working, but is 
failing on phase 2. Hopefully I can figure it out today.

Once I have remote access VPN working, I will automate the testing of the 
500+ different site to site vpn configurations. Once I have a red / green 
matrix of site to site configurations, we will have a better idea where we are 
at. 


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[rhtyd]

Github user rhtyd commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
@swill thanks for sharing your progress, last time I hit the issue -- when 
I fixed it to make it work with osx, it won't work with windows and vice-versa 
so we need to test that vpn works on all three -- windows, osx and on 
Linux(Ubuntu/Fedora etc).


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
For interested parties.  One of the problems with the Mac VPN client with 
the previous OpenSwan integration was that you could not `cat` large files or 
`scp` files over the remote access vpn.  I have confirmed this is solved with 
the StrongSwan implementation, so that is going to make the VPN usable again on 
a Mac.  👍 


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
Thanks @serg38.  I found this as well: 
http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/4.8/networking/using_remote_access.html

I personally don't have access to Windows right now, but I have two people 
testing for me on Windows 8 and 10.  Right now it is not working on either, but 
I think I am getting closer to understanding why.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[serg38]

Github user serg38 commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
@swill The default way is using integrated VPN client in Windows. For 
windows 8.1 the guide is here

https://blogs.technet.microsoft.com/networking/2014/01/13/configuring-native-vpn-client-through-pc-settings/
For Windows 7 a pretty good step by step instruction here:

http://www.databasemart.com/HowTo/Cisco_VPN_Remote_Access_Setup_Windows_7.aspx
And here it is for Windows 10 but I never tried it there
http://www.simplehelp.net/2015/08/02/how-to-set-up-a-vpn-in-windows-10/




---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
BTW @jayapalu, don't worry about any of these changes.  Once I have 
everything working I will send a PR to your PR to make the changes and then a 
bunch of us can do another round of testing once you have accepted my PR.  Does 
that make sense and work for you?


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
How are people using Windows Remote Access VPN?  I have this working on Mac 
 now, but it does not seem to work on Windows.  I have been trying to find a 
solution, but it seems like the different Windows versions have very different 
ways in which they handle VPN.  Is there a common VPN client on Windows that 
people use, or do people use the built in VPN client?  I am not a Windows user, 
so I am not sure about these details...  Thx...


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
**Update:**  I found this article: 
https://lists.strongswan.org/pipermail/users/2014-October/006871.html

**In the file `/etc/ipsec.d/l2tp.conf` I added the option `type=transport` 
to the `conn L2TP-PSK` section and now I have `Remote Access VPN` working!  
Woohoo!!!**

I have also change a few other things, but they may not be required, but 
seem to be correct according to the strongswan docs I have been reading.

Removed `charonstart=yes` and `plutostart=yes` from `config setup` in 
`/etc/ipsec.conf` as per: 
https://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1

Removed `pfs=no` from `conn L2TP-PSK` in `/etc/ipsec.d/l2tp.conf` as per: 
https://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
I will be writing a script to test all possible Site-to-Site VPN connection 
options to see which configurations are working and which configurations are 
failing.  Then we will see where we are at...


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
I have not been able to make the `Remote Access VPN` work with Mac.  I have 
tried both `L2TP over IPSec` and `Cisco IPSec` (bare ipsec I believe), neither 
work.

I am getting the same problems that Rohit had above.  I have tested in 3 
different network environments.  From the office, from home and over 3G by 
creating a wireless hotspot and I get the same results in all situations.

I have run the following command on the VR to enable more detailed logging 
`ipsec stroke loglevel cfg 2`.

Here is a dump of the logs when attempting to connect.  It looks like the 
connection is established, but there seems to be an issue doing the final 
negotiation.  I have been trying different configurations to see if I can find 
one that works, but I have not been able to find a config that works yet.  I 
have also flushed my iptables to be sure it is not an issue with the firewall.

Here are the logs:
```
Oct  6 15:56:03 r-1968-VM charon: 02[NET] received packet: from 
24.114.xx.yy[13429] to 74.121.ww.zz[500] (788 bytes)
Oct  6 15:56:03 r-1968-VM charon: 02[ENC] parsed ID_PROT request 0 [ SA V V 
V V V V V V V V V V ]
Oct  6 15:56:03 r-1968-VM charon: 02[CFG] looking for an ike config for 
74.121.ww.zz...24.114.xx.yy
Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   candidate: 74.121.ww.zz...%any, 
prio 1052
Oct  6 15:56:03 r-1968-VM charon: 02[CFG] found matching ike config: 
74.121.ww.zz...%any with prio 1052
Oct  6 15:56:03 r-1968-VM charon: 02[IKE] received NAT-T (RFC 3947) vendor 
ID
Oct  6 15:56:03 r-1968-VM charon: 02[IKE] received 
draft-ietf-ipsec-nat-t-ike vendor ID
Oct  6 15:56:03 r-1968-VM charon: 02[IKE] received 
draft-ietf-ipsec-nat-t-ike-08 vendor ID
Oct  6 15:56:03 r-1968-VM charon: 02[IKE] received 
draft-ietf-ipsec-nat-t-ike-07 vendor ID
Oct  6 15:56:03 r-1968-VM charon: 02[IKE] received 
draft-ietf-ipsec-nat-t-ike-06 vendor ID
Oct  6 15:56:03 r-1968-VM charon: 02[IKE] received 
draft-ietf-ipsec-nat-t-ike-05 vendor ID
Oct  6 15:56:03 r-1968-VM charon: 02[IKE] received 
draft-ietf-ipsec-nat-t-ike-04 vendor ID
Oct  6 15:56:03 r-1968-VM charon: 02[IKE] received 
draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct  6 15:56:03 r-1968-VM charon: 02[IKE] received 
draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct  6 15:56:03 r-1968-VM charon: 02[IKE] received 
draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct  6 15:56:03 r-1968-VM charon: 02[IKE] received FRAGMENTATION vendor ID
Oct  6 15:56:03 r-1968-VM charon: 02[IKE] received DPD vendor ID
Oct  6 15:56:03 r-1968-VM charon: 02[IKE] 24.114.xx.yy is initiating a Main 
Mode IKE_SA
Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable 
ENCRYPTION_ALGORITHM found
Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable 
ENCRYPTION_ALGORITHM found
Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable 
ENCRYPTION_ALGORITHM found
Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable 
ENCRYPTION_ALGORITHM found
Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable 
ENCRYPTION_ALGORITHM found
Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable 
ENCRYPTION_ALGORITHM found
Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable 
ENCRYPTION_ALGORITHM found
Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable 
ENCRYPTION_ALGORITHM found
Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable 
ENCRYPTION_ALGORITHM found
Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable 
ENCRYPTION_ALGORITHM found
Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable 
DIFFIE_HELLMAN_GROUP found
Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable 
PSEUDO_RANDOM_FUNCTION found
Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable 
ENCRYPTION_ALGORITHM found
Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable 
ENCRYPTION_ALGORITHM found
Oct  6 15:56:03 r-1968-VM charon: 02[CFG] 

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
Sorry, found it.  :)


![image](https://cloud.githubusercontent.com/assets/13644/19118904/f7471f20-8aeb-11e6-88dc-de4d436b8d1c.png)



---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
@jayapalu why would I get this when trying to enable `Remote Access VPN`?  
What is the significance of these IPs `10.1.2.1-10.1.2.8`?


![image](https://cloud.githubusercontent.com/assets/13644/19118810/9e731304-8aeb-11e6-905f-b3b5f4fdb886.png)



---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
@jayapalu I will continue testing the different combinations to see what is 
working and what is not.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
@jayapalu ^


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
`3DES` is not installed in this template by default.  I had to run `apt-get 
install libstrongswan-extra-plugins` in order to get support for `3DES` and for 
the configuration you specified to work.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
Right, I forgot to mention that.  Thanks @pdion891.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[pdion891]

Github user pdion891 commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
in case of HTTPs  issue registering the template 
http://objects-east.cloud.ca/v1/5ef827605f884961b94881e928e7a250/swill/systemvm64template-master-4.6.0-xen.vhd.bz2
can be use.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
Here is the template (for xen anyway): 
https://objects-east.cloud.ca/v1/5ef827605f884961b94881e928e7a250/swill/systemvm64template-master-4.6.0-xen.vhd.bz2

So far I have not been able to get the VRs to actually come up with this 
template yet.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[jayapalu]

Github user jayapalu commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
@swill
can you please share the systemvm template URL. I can also run the test 
cases with it.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[jayapalu]

Github user jayapalu commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
@swill 
If your connection is not coming up without IKE DH in customer gateway 
configuration then try configuring IKE DH in customer gateway value from  
UI/API.
In strongswan 5.2 ipsec, customer gateway configuration (at least in one 
customer gateway)need to configured IKE DH value (modp1024), without this the 
connection  is not coming up. 

Config file VR example:
 cat /etc/ipsec.d/ipsec.vpn-10.147.46.103.conf 
#conn for vpn-10.147.46.103
conn vpn-10.147.46.103
 left=10.147.46.104
 leftsubnet=10.2.0.0/16
 leftnexthop=10.147.46.1
 right=10.147.46.103
 rightsubnet=10.1.0.0/16
 type=tunnel
 authby=secret
 keyexchange=ike
 ike=3des-md5-modp1024
 ikelifetime=24h
 esp=3des-md5
 lifetime=1h
 pfs=no
 keyingtries=2
 auto=start
 forceencaps=no



---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
I got it to build, will be testing it soon...


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
@rhtyd have you gotten this system VM to build?  I am having trouble 
getting it to finish building.

My build is failing here...
```
+ log DEBUG 'on_exit: clean_vbox'
+ local level=DEBUG
+ shift
+ [[ 1 != \1 ]]
+ local code=
++ date '+%F %T'
+ local 'line=[2016-09-19 17:55:41] DEBUG: on_exit: clean_vbox'
+ '[' -t 2 ']'
+ echo '[2016-09-19 17:55:41] DEBUG: on_exit: clean_vbox'
[2016-09-19 17:55:41] DEBUG: on_exit: clean_vbox
+ eval clean_vbox
++ clean_vbox
++ log INFO 'deleting all virtualbox vms and disks for jenkins'
++ local level=INFO
++ shift
++ [[ 1 != \1 ]]
++ local code=
+++ date '+%F %T'
++ local 'line=[2016-09-19 17:55:41] INFO: deleting all virtualbox vms and 
disks for jenkins'
++ '[' -t 2 ']'
++ echo '[2016-09-19 17:55:41] INFO: deleting all virtualbox vms and disks 
for jenkins'
[2016-09-19 17:55:41] INFO: deleting all virtualbox vms and disks for 
jenkins
++ bundle exec ./vbox_vm_clean.rb --delete --kill
++ bundle exec ./vbox_disk_clean.rb
+ (( i--  ))
+ (( i>=0  ))
... it just hangs here for hours ...
```

To make sure it is not my jenkins box which has a problem, I try building 
my port of the changes (https://github.com/swill/cloudstack/tree/strongswan) 
made in this PR (prior to the latest update, back when it still had merge 
conflicts), and that builds fine.

Jenkins is basically running:
```
whoami
export PATH=/home/jenkins/.rvm/bin:$PATH
export rvm_path=/home/jenkins/.rvm
export HOME=/home/jenkins/
#wget 
http://download.virtualbox.org/virtualbox/4.2.6/VBoxGuestAdditions_4.2.6.iso
cd tools/appliance
if [ -d iso ]; then
rm -fvr iso
fi
if [ -d dist ]; then
rm -fvr dist
fi
if [ -d box ]; then
rm -fvr box
fi
if [ -d /home/jenkins/iso ]; then
cp -rv /home/jenkins/iso .
fi

if [ ! -d iso ]; then
mkdir iso
ln -s $WORKSPACE/*.iso iso/
fi


export clean_vbox=1
export BUILD_NUMBER=
export version=4.6.0
export branch=master
chmod +x build.sh
./build.sh systemvm64template
```

Any ideas???


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
I will start doing some testing on this today.  Thanks...


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[rhtyd]

Github user rhtyd commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
Thanks @jayapalu I'm rebuilding some infra, I'll get back to you soon.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[jayapalu]

Github user jayapalu commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
@rhtyd @pdion891 @swill 
I have squashed the commits. Added the template changes to install 
strongswan 5.2.
Can one you trigger the systemvm template job on this branch. 


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[jayapalu]

Github user jayapalu commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
@pdion891 

Below is the Remote access vpn config, update left with the VR public ip.
#ipsec remote access vpn configuration
conn L2TP-PSK
authby=psk
pfs=no
rekey=no
keyingtries=3
keyexchange=ikev1
forceencaps=yes
leftfirewall=yes
leftnexthop=%defaultroute
#
# --
# The VPN server.
#
# Allow incoming connections on the external network interface.
# If you want to use a different interface or if there is no
# defaultroute, you can use:   left=your.ip.addr.ess
#
left=172.26.0.151
#
leftprotoport=17/1701
# If you insist on supporting non-updated Windows clients,
# you can use:leftprotoport=17/%any
#
# --
# The remote user(s).
#
# Allow incoming connections only from this IP address.
right=%any
# If you want to allow multiple connections from any IP address,
# you can use:right=%any
#
rightprotoport=17/%any
#
# --
# Change 'ignore' to 'add' to enable this configuration.
#
rightsubnetwithin=0.0.0.0/0
auto=add


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
Thanks for getting back to us @jayapalu.  I will hold off focusing on this 
until you have made your update.  If you can get @pdion891 the config, that 
will help us get to the point where we can start validating this and getting 
the config tested.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[pdion891]

Github user pdion891 commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
@jayapalu  do you have a configuration example of strongswan for the remote 
management VPN? I would validate that the generated configuration will work 
with Windows and OSx clients.

Thanks,


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[jayapalu]

Github user jayapalu commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
@swill @kiwiflyer 
Sorry for the late response. 
I am started looking into this. I am looking into getting template with 
strongswan 5.2. Once it is done I will update the code changes.
I will update this PR with new code changes by next week.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[kiwiflyer]

Github user kiwiflyer commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
Yeah, I think this one is dead unless it gets reworked into a new PR. We 
might be able to help a bit on this one as well.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
Given the lack of response, I am guessing I should just clone the work from 
this PR into my own branch and open a new PR once I have everything working...


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
@jayapalu are you active enough that if I make pull requests against your 
branch you can make the changes available in this PR.  Or should I just start 
from your work and develop and test in my own branch and when ready for 
community testing, I just create a new PR?


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[swill]

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
Is anyone working on this right now?  

Having reviewed this thread, I believe the following pieces are still 
outstanding:
- fix merge conflicts.
- potentially: upgrade the VR to use Debian 8 (since we will be removing 
OpenSwan which blocked that upgrade previously).
- update implementation to use 5.x to better support NATed connections.
- build a new systemvmtemplate from this branch on master.
- test site-to-site vpn functionality.
-- create ACS side first, then remote side, then connect.
-- create remote side, then ACS side, then connect.
-- break connection from each side to verify renegotiation of connection is 
established.
- test client-to-site vpn functionality.
-- test from: Mac, Window and Ubuntu.
-- test from behind NATed connection.

What am I missing?  I am looking at potentially picking this up to try to 
get it fixed and ready to merge, so any feedback from the people who have 
reviewed this so far would be appreciated.

@jburwell, @jayapalu, @rhtyd, @pdion891, @remibergsma 


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[pdion891]

Github user pdion891 commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
JIRA reference: https://issues.apache.org/jira/browse/CLOUDSTACK-8682



---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[bvbharatk]

Github user bvbharatk commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
### ACS CI BVT Run
 **Sumarry:**
 Build Number 209
 Hypervisor xenserver
 NetworkType Advanced
 Passed=71
 Failed=2
 Skipped=3

_Link to logs Folder (search by build_no):_ 
https://www.dropbox.com/sh/yj3wnzbceo9uef2/AAB6u-Iap-xztdm6jHX9SjPja?dl=0


**Failed tests:**
* test_vpc_vpn.py

 * test_01_redundant_vpc_site2site_vpn Failed

 * test_01_vpc_site2site_vpn Failed


**Skipped tests:**
test_vm_nic_adapter_vmxnet3
test_static_role_account_acls
test_deploy_vgpu_enabled_vm

**Passed test suits:**
test_deploy_vm_with_userdata.py
test_affinity_groups_projects.py
test_portable_publicip.py
test_over_provisioning.py
test_global_settings.py
test_scale_vm.py
test_service_offerings.py
test_routers_iptables_default_policy.py
test_routers.py
test_reset_vm_on_reboot.py
test_snapshots.py
test_deploy_vms_with_varied_deploymentplanners.py
test_login.py
test_list_ids_parameter.py
test_public_ip_range.py
test_multipleips_per_nic.py
test_regions.py
test_affinity_groups.py
test_network_acl.py
test_pvlan.py
test_volumes.py
test_nic.py
test_deploy_vm_root_resize.py
test_resource_detail.py
test_secondary_storage.py
test_vm_life_cycle.py
test_disk_offerings.py


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[bvbharatk]

Github user bvbharatk commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
### ACS CI BVT Run
 **Sumarry:**
 Build Number 201
 Hypervisor xenserver
 NetworkType Advanced
 Passed=71
 Failed=2
 Skipped=3

_Link to logs Folder (search by build_no):_ 
https://www.dropbox.com/sh/yj3wnzbceo9uef2/AAB6u-Iap-xztdm6jHX9SjPja?dl=0


**Failed tests:**
* test_vpc_vpn.py

 * test_01_redundant_vpc_site2site_vpn Failing since 2 runs

 * test_01_vpc_site2site_vpn Failing since 2 runs


**Skipped tests:**
test_vm_nic_adapter_vmxnet3
test_static_role_account_acls
test_deploy_vgpu_enabled_vm

**Passed test suits:**
test_deploy_vm_with_userdata.py
test_affinity_groups_projects.py
test_portable_publicip.py
test_over_provisioning.py
test_global_settings.py
test_scale_vm.py
test_service_offerings.py
test_routers_iptables_default_policy.py
test_routers.py
test_reset_vm_on_reboot.py
test_snapshots.py
test_deploy_vms_with_varied_deploymentplanners.py
test_login.py
test_list_ids_parameter.py
test_public_ip_range.py
test_multipleips_per_nic.py
test_regions.py
test_affinity_groups.py
test_network_acl.py
test_pvlan.py
test_volumes.py
test_nic.py
test_deploy_vm_root_resize.py
test_resource_detail.py
test_secondary_storage.py
test_vm_life_cycle.py
test_disk_offerings.py


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[bvbharatk]

Github user bvbharatk commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
### ACS CI BVT Run
 **Sumarry:**
 Build Number 194
 Hypervisor xenserver
 NetworkType Advanced
 Passed=69
 Failed=4
 Skipped=3

_Link to logs Folder (search by build_no):_ 
https://www.dropbox.com/sh/yj3wnzbceo9uef2/AAB6u-Iap-xztdm6jHX9SjPja?dl=0


**Failed tests:**
* test_vpc_vpn.py

 * ContextSuite context=TestRVPCSite2SiteVpn>:setup Failing since 20 runs

 * ContextSuite context=TestVpcRemoteAccessVpn>:setup Failing since 20 runs

 * ContextSuite context=TestVpcSite2SiteVpn>:setup Failing since 20 runs

* test_volumes.py

 * test_06_download_detached_volume Failed


**Skipped tests:**
test_vm_nic_adapter_vmxnet3
test_static_role_account_acls
test_deploy_vgpu_enabled_vm

**Passed test suits:**
test_deploy_vm_with_userdata.py
test_affinity_groups_projects.py
test_portable_publicip.py
test_over_provisioning.py
test_global_settings.py
test_scale_vm.py
test_service_offerings.py
test_routers_iptables_default_policy.py
test_routers.py
test_reset_vm_on_reboot.py
test_snapshots.py
test_deploy_vms_with_varied_deploymentplanners.py
test_login.py
test_list_ids_parameter.py
test_public_ip_range.py
test_multipleips_per_nic.py
test_regions.py
test_affinity_groups.py
test_network_acl.py
test_pvlan.py
test_nic.py
test_deploy_vm_root_resize.py
test_resource_detail.py
test_secondary_storage.py
test_vm_life_cycle.py
test_disk_offerings.py


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[bvbharatk]

Github user bvbharatk commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
### ACS CI BVT Run
 **Sumarry:**
 Build Number 174
 Hypervisor xenserver
 NetworkType Advanced
 Passed=71
 Failed=2
 Skipped=3

_Link to logs Folder (search by build_no):_ 
https://www.dropbox.com/sh/yj3wnzbceo9uef2/AAB6u-Iap-xztdm6jHX9SjPja?dl=0


**Failed tests:**
* test_vpc_vpn.py

 * test_01_redundant_vpc_site2site_vpn Failed

 * test_01_vpc_site2site_vpn Failed


**Skipped tests:**
test_vm_nic_adapter_vmxnet3
test_static_role_account_acls
test_deploy_vgpu_enabled_vm

**Passed test suits:**
test_deploy_vm_with_userdata.py
test_affinity_groups_projects.py
test_portable_publicip.py
test_over_provisioning.py
test_global_settings.py
test_scale_vm.py
test_service_offerings.py
test_routers_iptables_default_policy.py
test_routers.py
test_reset_vm_on_reboot.py
test_snapshots.py
test_deploy_vms_with_varied_deploymentplanners.py
test_login.py
test_list_ids_parameter.py
test_public_ip_range.py
test_multipleips_per_nic.py
test_regions.py
test_affinity_groups.py
test_network_acl.py
test_pvlan.py
test_volumes.py
test_nic.py
test_deploy_vm_root_resize.py
test_resource_detail.py
test_secondary_storage.py
test_vm_life_cycle.py
test_disk_offerings.py


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[bvbharatk]

Github user bvbharatk commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
### ACS CI BVT Run
 **Sumarry:**
 Build Number 159
 Hypervisor xenserver
 NetworkType Advanced
 Passed=71
 Failed=2
 Skipped=3

_Link to logs Folder (search by build_no):_ 
https://www.dropbox.com/sh/yj3wnzbceo9uef2/AAB6u-Iap-xztdm6jHX9SjPja?dl=0


**Failed tests:**
* test_vpc_vpn.py

 * test_01_redundant_vpc_site2site_vpn Failed

 * test_01_vpc_site2site_vpn Failed


**Skipped tests:**
test_vm_nic_adapter_vmxnet3
test_static_role_account_acls
test_deploy_vgpu_enabled_vm

**Passed test suits:**
test_deploy_vm_with_userdata.py
test_affinity_groups_projects.py
test_portable_publicip.py
test_over_provisioning.py
test_global_settings.py
test_scale_vm.py
test_service_offerings.py
test_routers_iptables_default_policy.py
test_routers.py
test_reset_vm_on_reboot.py
test_snapshots.py
test_deploy_vms_with_varied_deploymentplanners.py
test_login.py
test_list_ids_parameter.py
test_public_ip_range.py
test_multipleips_per_nic.py
test_regions.py
test_affinity_groups.py
test_network_acl.py
test_pvlan.py
test_volumes.py
test_nic.py
test_deploy_vm_root_resize.py
test_resource_detail.py
test_secondary_storage.py
test_vm_life_cycle.py
test_disk_offerings.py


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[bvbharatk]

Github user bvbharatk commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
### ACS CI BVT Run
 **Sumarry:**
 Build Number 151
 Hypervisor xenserver
 NetworkType Advanced
 Passed=71
 Failed=2
 Skipped=3

_Link to logs Folder (search by build_no):_ 
https://www.dropbox.com/sh/yj3wnzbceo9uef2/AAB6u-Iap-xztdm6jHX9SjPja?dl=0


**Failed tests:**
* test_vpc_vpn.py

 * test_01_redundant_vpc_site2site_vpn Failed

 * test_01_vpc_site2site_vpn Failed


**Skipped tests:**
test_vm_nic_adapter_vmxnet3
test_static_role_account_acls
test_deploy_vgpu_enabled_vm

**Passed test suits:**
test_deploy_vm_with_userdata.py
test_affinity_groups_projects.py
test_portable_publicip.py
test_over_provisioning.py
test_global_settings.py
test_scale_vm.py
test_service_offerings.py
test_routers_iptables_default_policy.py
test_routers.py
test_reset_vm_on_reboot.py
test_snapshots.py
test_deploy_vms_with_varied_deploymentplanners.py
test_login.py
test_list_ids_parameter.py
test_public_ip_range.py
test_multipleips_per_nic.py
test_regions.py
test_affinity_groups.py
test_network_acl.py
test_pvlan.py
test_volumes.py
test_nic.py
test_deploy_vm_root_resize.py
test_resource_detail.py
test_secondary_storage.py
test_vm_life_cycle.py
test_disk_offerings.py


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[bvbharatk]

Github user bvbharatk commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
### ACS CI BVT Run
 **Sumarry:**
 Build Number 143
 Hypervisor xenserver
 NetworkType Advanced
 Passed=71
 Failed=2
 Skipped=3

_Link to logs Folder (search by build_no):_ 
https://www.dropbox.com/sh/yj3wnzbceo9uef2/AAB6u-Iap-xztdm6jHX9SjPja?dl=0


**Failed tests:**
* test_vpc_vpn.py

 * test_01_redundant_vpc_site2site_vpn Failed

 * test_01_vpc_site2site_vpn Failed


**Skipped tests:**
test_vm_nic_adapter_vmxnet3
test_static_role_account_acls
test_deploy_vgpu_enabled_vm

**Passed test suits:**
test_deploy_vm_with_userdata.py
test_affinity_groups_projects.py
test_portable_publicip.py
test_over_provisioning.py
test_global_settings.py
test_scale_vm.py
test_service_offerings.py
test_routers_iptables_default_policy.py
test_routers.py
test_reset_vm_on_reboot.py
test_snapshots.py
test_deploy_vms_with_varied_deploymentplanners.py
test_login.py
test_list_ids_parameter.py
test_public_ip_range.py
test_multipleips_per_nic.py
test_regions.py
test_affinity_groups.py
test_network_acl.py
test_pvlan.py
test_volumes.py
test_nic.py
test_deploy_vm_root_resize.py
test_resource_detail.py
test_secondary_storage.py
test_vm_life_cycle.py
test_disk_offerings.py


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[jayapalu]

Github user jayapalu commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
### ACS CI BVT Run
 **Sumarry:**
 Build Number 135
 Hypervisor xenserver
 NetworkType Advanced
 Passed=71
 Failed=2
 Skipped=3

_Link to logs Folder (search by build_no):_ 
https://www.dropbox.com/sh/yj3wnzbceo9uef2/AAB6u-Iap-xztdm6jHX9SjPja?dl=0


**Failed tests:**
* test_vpc_vpn.py

 * test_01_redundant_vpc_site2site_vpn Failed

 * test_01_vpc_site2site_vpn Failed


**Skipped tests:**
test_vm_nic_adapter_vmxnet3
test_static_role_account_acls
test_deploy_vgpu_enabled_vm

**Passed test suits:**
test_deploy_vm_with_userdata.py
test_affinity_groups_projects.py
test_portable_publicip.py
test_over_provisioning.py
test_global_settings.py
test_scale_vm.py
test_service_offerings.py
test_routers_iptables_default_policy.py
test_routers.py
test_reset_vm_on_reboot.py
test_snapshots.py
test_deploy_vms_with_varied_deploymentplanners.py
test_login.py
test_list_ids_parameter.py
test_public_ip_range.py
test_multipleips_per_nic.py
test_regions.py
test_affinity_groups.py
test_network_acl.py
test_pvlan.py
test_volumes.py
test_nic.py
test_deploy_vm_root_resize.py
test_resource_detail.py
test_secondary_storage.py
test_vm_life_cycle.py
test_disk_offerings.py


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[bvbharatk]

Github user bvbharatk commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
### ACS CI BVT Run
 **Sumarry:**
 Build Number 127
 Hypervisor xenserver
 NetworkType Advanced
 Passed=71
 Failed=2
 Skipped=3

_Link to logs Folder (search by build_no):_ 
https://www.dropbox.com/sh/yj3wnzbceo9uef2/AAB6u-Iap-xztdm6jHX9SjPja?dl=0


**Failed tests:**
* test_vpc_vpn.py

 * test_01_redundant_vpc_site2site_vpn Failed

 * test_01_vpc_site2site_vpn Failed


**Skipped tests:**
test_vm_nic_adapter_vmxnet3
test_static_role_account_acls
test_deploy_vgpu_enabled_vm

**Passed test suits:**
test_deploy_vm_with_userdata.py
test_affinity_groups_projects.py
test_portable_publicip.py
test_over_provisioning.py
test_global_settings.py
test_scale_vm.py
test_service_offerings.py
test_routers_iptables_default_policy.py
test_routers.py
test_reset_vm_on_reboot.py
test_snapshots.py
test_deploy_vms_with_varied_deploymentplanners.py
test_login.py
test_list_ids_parameter.py
test_public_ip_range.py
test_multipleips_per_nic.py
test_regions.py
test_affinity_groups.py
test_network_acl.py
test_pvlan.py
test_volumes.py
test_nic.py
test_deploy_vm_root_resize.py
test_resource_detail.py
test_secondary_storage.py
test_vm_life_cycle.py
test_disk_offerings.py


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[bvbharatk]

Github user bvbharatk commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
### ACS CI BVT Run
 **Sumarry:**
 Build Number 119
 Hypervisor xenserver
 NetworkType Advanced
 Passed=69
 Failed=4
 Skipped=3

_Link to logs Folder (search by build_no):_ 
https://www.dropbox.com/sh/yj3wnzbceo9uef2/AAB6u-Iap-xztdm6jHX9SjPja?dl=0


**Failed tests:**
* test_vpc_vpn.py

 * test_01_redundant_vpc_site2site_vpn Failed

 * test_01_vpc_remote_access_vpn Failed

 * test_01_vpc_site2site_vpn Failed

* test_vm_life_cycle.py

 * test_10_attachAndDetach_iso Failed


**Skipped tests:**
test_vm_nic_adapter_vmxnet3
test_static_role_account_acls
test_deploy_vgpu_enabled_vm

**Passed test suits:**
test_deploy_vm_with_userdata.py
test_affinity_groups_projects.py
test_portable_publicip.py
test_over_provisioning.py
test_global_settings.py
test_scale_vm.py
test_service_offerings.py
test_routers_iptables_default_policy.py
test_routers.py
test_reset_vm_on_reboot.py
test_snapshots.py
test_deploy_vms_with_varied_deploymentplanners.py
test_login.py
test_list_ids_parameter.py
test_public_ip_range.py
test_multipleips_per_nic.py
test_regions.py
test_affinity_groups.py
test_network_acl.py
test_pvlan.py
test_volumes.py
test_nic.py
test_deploy_vm_root_resize.py
test_resource_detail.py
test_secondary_storage.py
test_disk_offerings.py


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[bvbharatk]

Github user bvbharatk commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
### ACS CI BVT Run
 **Sumarry:**
 Build Number 113
 Hypervisor xenserver
 NetworkType Advanced
 Passed=70
 Failed=3
 Skipped=3

_Link to logs Folder (search by build_no):_ 
https://www.dropbox.com/sh/yj3wnzbceo9uef2/AAB6u-Iap-xztdm6jHX9SjPja?dl=0


**Failed tests:**
* test_vpc_vpn.py

 * test_01_redundant_vpc_site2site_vpn Failed

 * test_01_vpc_site2site_vpn Failed

* test_vm_life_cycle.py

 * test_10_attachAndDetach_iso Failing since 2 runs


**Skipped tests:**
test_vm_nic_adapter_vmxnet3
test_static_role_account_acls
test_deploy_vgpu_enabled_vm

**Passed test suits:**
test_deploy_vm_with_userdata.py
test_affinity_groups_projects.py
test_portable_publicip.py
test_over_provisioning.py
test_global_settings.py
test_scale_vm.py
test_service_offerings.py
test_routers_iptables_default_policy.py
test_routers.py
test_reset_vm_on_reboot.py
test_snapshots.py
test_deploy_vms_with_varied_deploymentplanners.py
test_login.py
test_list_ids_parameter.py
test_public_ip_range.py
test_multipleips_per_nic.py
test_regions.py
test_affinity_groups.py
test_network_acl.py
test_pvlan.py
test_volumes.py
test_nic.py
test_deploy_vm_root_resize.py
test_resource_detail.py
test_secondary_storage.py
test_disk_offerings.py


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack issue #872: Strongswan vpn feature

[bvbharatk]

Github user bvbharatk commented on the issue:

https://github.com/apache/cloudstack/pull/872
  
### ACS CI BVT Run
 **Sumarry:**
 Build Number 107
 Hypervisor xenserver
 NetworkType Advanced
 Passed=67
 Failed=6
 Skipped=3

_Link to logs Folder (search by build_no):_ 
https://www.dropbox.com/sh/yj3wnzbceo9uef2/AAB6u-Iap-xztdm6jHX9SjPja?dl=0


**Failed tests:**
* test_vpc_vpn.py

 * ContextSuite context=TestRVPCSite2SiteVpn>:setup Failing since 8 runs

 * ContextSuite context=TestVpcRemoteAccessVpn>:setup Failing since 8 runs

 * ContextSuite context=TestVpcSite2SiteVpn>:setup Failing since 8 runs

* test_reset_vm_on_reboot.py

 * ContextSuite context=TestResetVmOnReboot>:setup Failing since 2 runs

* test_volumes.py

 * test_06_download_detached_volume Failed

* test_vm_life_cycle.py

 * test_10_attachAndDetach_iso Failing since 2 runs


**Skipped tests:**
test_vm_nic_adapter_vmxnet3
test_static_role_account_acls
test_deploy_vgpu_enabled_vm

**Passed test suits:**
test_deploy_vm_with_userdata.py
test_affinity_groups_projects.py
test_portable_publicip.py
test_over_provisioning.py
test_global_settings.py
test_scale_vm.py
test_service_offerings.py
test_routers_iptables_default_policy.py
test_routers.py
test_snapshots.py
test_deploy_vms_with_varied_deploymentplanners.py
test_login.py
test_list_ids_parameter.py
test_public_ip_range.py
test_multipleips_per_nic.py
test_regions.py
test_affinity_groups.py
test_network_acl.py
test_pvlan.py
test_nic.py
test_deploy_vm_root_resize.py
test_resource_detail.py
test_secondary_storage.py
test_disk_offerings.py


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---