Public bug reported:

Hi, I tried to follow this guide to use VPNaaS:
https://wiki.openstack.org/wiki/Neutron/VPNaaS/HowToInstall

I have two OpenStack regions, each with its own private net/subnet, public net/subnet and router configured. Then I created one server in each region with a floating IP. After that, I could correctly access both VMs using their private IP addresses as well as their floating IPs.

Then I tried to create a VPN connection between these two VMs:

Step 1: Create the VPN service in RegionOne:
------------------
$ neutron vpn-ikepolicy-create ikepolicy1
$ neutron vpn-ipsecpolicy-create ipsecpolicy1
$ neutron vpn-service-create --name myvpn --description "My vpn service" router1 private-subnet
$ neutron ipsec-site-connection-create --name vpnconnection1 --vpnservice-id myvpn --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address 172.24.4.133 --peer-id 172.24.4.133 --peer-cidr 10.2.0.0/24 --psk secret

Step 2: Create the VPN service in RegionTwo:
------------------
$ neutron vpn-ikepolicy-create ikepolicy1
$ neutron vpn-ipsecpolicy-create ipsecpolicy1
$ neutron vpn-service-create --name myvpn --description "My vpn service" router1 private-subnet
$ neutron ipsec-site-connection-create --name vpnconnection1 --vpnservice-id myvpn --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address 172.24.4.26 --peer-id 172.24.4.26 --peer-cidr 10.1.0.0/24 --psk secret

After these two steps, I can successfully connect these two VMs through their private IP addresses, e.g. VM1: 10.1.0.5, VM2: 10.2.0.5.

When I checked the ipsec status, it was also correct:
-------------------
$ sudo service ipsec status
IPsec stopped
but... An orphaned Pluto is active?

And I can find the process info in the following directory, e.g.:
/opt/stack/data/neutron/ipsec/c39744d5-639a-4f59-b787-ca3797d22400/var/run/
Here, *c39744d5-639a-4f59-b787-ca3797d22400* is my router's id.

However, when I tried to create another VM in the same private net and allocate a floating IP address to it, I always got the following error from the VPN agent:
-------------------
2014-11-21 02:32:25.713 ERROR neutron.agent.linux.utils [-] Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1', 'ipsec', 'pluto', '--ctlbase', '/opt/stack/data/neutron/ipsec/2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1/var/run/pluto', '--ipsecdir', '/opt/stack/data/neutron/ipsec/2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/opt/stack/data/neutron/ipsec/2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1/etc/ipsec.secrets', '--virtual_private', '%v4:10.1.0.0/24,%v4:10.2.0.0/24']
Exit code: 10
Stdout: ''
Stderr: 'adjusting ipsec.d to /opt/stack/data/neutron/ipsec/2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1/etc\npluto: lock file "/opt/stack/data/neutron/ipsec/2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1/var/run/pluto.pid" already exists\n'
2014-11-21 02:32:25.714 ERROR neutron.services.vpn.device_drivers.ipsec [-] Failed to enable vpn process on router 2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec Traceback (most recent call last):
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron/neutron/services/vpn/device_drivers/ipsec.py", line 243, in enable
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec     self.restart()
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron/neutron/services/vpn/device_drivers/ipsec.py", line 343, in restart
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec     self.start()
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron/neutron/services/vpn/device_drivers/ipsec.py", line 386, in start
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec     '--virtual_private', virtual_private
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron/neutron/services/vpn/device_drivers/ipsec.py", line 315, in _execute
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec     check_exit_code=check_exit_code)
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron/neutron/agent/linux/ip_lib.py", line 550, in execute
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec     check_exit_code=check_exit_code, extra_ok_codes=extra_ok_codes)
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron/neutron/agent/linux/utils.py", line 84, in execute
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec     raise RuntimeError(m)
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec RuntimeError:
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1', 'ipsec', 'pluto', '--ctlbase', '/opt/stack/data/neutron/ipsec/2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1/var/run/pluto', '--ipsecdir', '/opt/stack/data/neutron/ipsec/2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/opt/stack/data/neutron/ipsec/2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1/etc/ipsec.secrets', '--virtual_private', '%v4:10.1.0.0/24,%v4:10.2.0.0/24']
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec Exit code: 10
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec Stdout: ''
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec Stderr: 'adjusting ipsec.d to /opt/stack/data/neutron/ipsec/2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1/etc\npluto: lock file "/opt/stack/data/neutron/ipsec/2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1/var/run/pluto.pid" already exists\n'
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec

Then the vpn service died, and when I checked the ipsec service status I got the following info:
$ sudo service ipsec status
IPsec stopped

In this case, I have to delete the ipsec-site-connection I created before, then restart the vpn-agent and recreate the ipsec-site-connection. After that, the connection between the two VMs recovers.

This error does not happen if I don't assign a floating IP to the new VM when I create it.

What I'm using is a devstack environment built on 2014-11-20.

Thanks.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1394890

Title:
  Can't add new VM to a router which has been used for vpn service

Status in OpenStack Neutron (virtual network service):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1394890/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
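The failure in this report has one symptom (pluto refuses to start because /var/run/pluto.pid under the router's ipsec directory already exists) but two different underlying states: the PID in the file may still belong to a running pluto (the "orphaned Pluto" that `service ipsec status` hinted at), or the file may be a leftover whose PID is dead or has been reused by some unrelated process. Deleting the file is only safe in the second case. The following triage helper is an added example, not neutron code and not part of the bug report; it pulls the lock-file path and router id out of agent log text, then checks whether the PID in the lock file is a live pluto. It assumes the host's /proc is readable from where it runs, and that PIDs are host-wide (`ip netns exec` changes only the network namespace, not the PID namespace). The `SAMPLE_LOG` lines are an abridged excerpt of the log in the report, and `demo()` builds a constructed fake /proc tree so the classification can be exercised offline.

```python
"""Triage a neutron VPN agent 'pluto: lock file ... already exists' failure.

Added example; assumptions: readable /proc, host-wide PIDs, lock path layout
.../ipsec/<router-uuid>/var/run/pluto.pid as seen in the agent log.
"""
import os
import re
import shutil
import sys
import tempfile

# Matches the quoted stderr the agent logs when pluto refuses to start.
LOCK_RE = re.compile(r'pluto: lock file "([^"]+)" already exists')
# Per-router layout used by the agent: .../ipsec/<router-uuid>/var/run/pluto.pid
ROUTER_RE = re.compile(r'/ipsec/([0-9a-f-]{36})/var/run/pluto\.pid$')

# Abridged excerpt of the two log lines (ERROR and its TRACE echo) from the
# report; the same lock path therefore appears twice.
SAMPLE_LOG = r"""
2014-11-21 02:32:25.713 ERROR neutron.agent.linux.utils [-] Stderr: 'adjusting ipsec.d to /opt/stack/data/neutron/ipsec/2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1/etc\npluto: lock file "/opt/stack/data/neutron/ipsec/2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1/var/run/pluto.pid" already exists\n'
2014-11-21 02:32:25.714 TRACE neutron.services.vpn.device_drivers.ipsec Stderr: 'adjusting ipsec.d to /opt/stack/data/neutron/ipsec/2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1/etc\npluto: lock file "/opt/stack/data/neutron/ipsec/2cbf1df5-b8d3-46ea-bc09-009a6d1be5a1/var/run/pluto.pid" already exists\n'
"""


def lock_paths_from_log(log_text):
    """Return the distinct lock-file paths mentioned in agent log text."""
    seen = []
    for path in LOCK_RE.findall(log_text):
        if path not in seen:
            seen.append(path)
    return seen


def router_id(lock_path):
    """Extract the router UUID from a per-router pluto.pid path, or None."""
    m = ROUTER_RE.search(lock_path)
    return m.group(1) if m else None


def classify_lock(lock_path, proc_root="/proc"):
    """Return (state, pid) for a pluto lock file.

    'absent'     no lock file; a fresh start should not hit this error
    'unreadable' file exists but holds no numeric PID
    'stale'      PID is dead, or reused by a non-pluto process: safe to remove
    'orphan'     a pluto with that PID is still running: do not just delete
                 the file, decide whether to stop that pluto first
    """
    try:
        with open(lock_path) as f:
            raw = f.read().strip()
    except FileNotFoundError:
        return "absent", None
    if not raw.isdigit():
        return "unreadable", None
    pid = int(raw)
    try:
        with open(os.path.join(proc_root, str(pid), "cmdline"), "rb") as f:
            argv = f.read().split(b"\0")
    except FileNotFoundError:
        return "stale", pid          # no such process any more
    exe = os.path.basename(argv[0]).decode(errors="replace") if argv and argv[0] else ""
    # PID reuse check: the PID may now belong to an unrelated process.
    return ("orphan" if exe == "pluto" else "stale"), pid


def demo():
    """Constructed fixture: fake lock files and a fake /proc; returns {case: state}."""
    root = tempfile.mkdtemp(prefix="pluto-triage-")
    proc = os.path.join(root, "proc")
    # Fake /proc: 4242 is a live pluto, 5151 is an unrelated daemon that reused a PID.
    for pid, argv0 in ((4242, b"/usr/libexec/ipsec/pluto"), (5151, b"/usr/sbin/sshd")):
        os.makedirs(os.path.join(proc, str(pid)))
        with open(os.path.join(proc, str(pid), "cmdline"), "wb") as f:
            f.write(argv0 + b"\0--some-flag\0")
    cases = {"orphan": "4242", "reused_pid": "5151", "dead_pid": "9999", "garbage": "not-a-pid"}
    result = {}
    for name, content in cases.items():
        rundir = os.path.join(root, name, "var", "run")
        os.makedirs(rundir)
        lock = os.path.join(rundir, "pluto.pid")
        with open(lock, "w") as f:
            f.write(content + "\n")
        result[name] = classify_lock(lock, proc_root=proc)[0]
    result["absent"] = classify_lock(os.path.join(root, "none", "pluto.pid"), proc_root=proc)[0]
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    # Usage: python triage.py /path/to/vpn-agent.log   (reads the real /proc)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for path in lock_paths_from_log(text):
        state, pid = classify_lock(path)
        print("router %s: %s (pid %s) -> %s" % (router_id(path), path, pid, state))
```

Run against the real agent log on the network node, an `orphan` result matches what the reporter saw (`service ipsec status` reporting "An orphaned Pluto is active?") and means a pluto for that router is still alive in the qrouter namespace; a `stale` result means the manual cleanup of the router's ipsec directory that the reporter resorted to is all that stands between the agent and a successful restart. Reading the lock file itself may need the same privileges as the agent, since the directory belongs to the neutron user.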