Public bug reported:

Code repo: neutron-vpnaas master
OS: Centos7
ipsec device driver: libreswan-3.15-5.el7_1.x86_64

In /etc/neutron/vpn_agent.ini, vpn_device_driver is
neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver.

Before running neutron-vpn-agent, I had checked the ipsec status; it seemed normal:
# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 3.10.0-123.el7.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options                 [OK]
Opportunistic Encryption                                [DISABLED]

After creating the ikepolicy, ipsecpolicy and vpn service, creating an ipsec-site-connection failed;
the ipsec whack --ctlbase status code in vpn-agent.log returns 1, which means not running.

Then I traced the code; I think the problem is in function enable(): the call to self.ensure_configs() [1] may have some problems.
ensure_configs [2] in libreswan_ipsec.py will override it; I have not confirmed that the root cause is ipsec checknss (which creates the nssdb).
If the call to self.ensure_configs() fails, we can't start the ipsec pluto daemon.


Here is the running ipsec process:
# ps aux |grep ipsec
root     22223  0.0  0.0   9648  1368 pts/17   S+   12:59   0:00 /bin/sh /sbin/ipsec checknss /opt/stack/data/neutron/ipsec/f75151f6-ef01-4a68-9747-eb52f4e629f5/etc
root     22224  0.0  0.0  37400  3300 pts/17   S+   12:59   0:00 certutil -N -d sql:/etc/ipsec.d --empty-password
root     25893  0.0  0.0   9040   668 pts/0    S+   13:40   0:00 grep --color=auto ipsec
root     26396  0.0  0.1 335268  4588 ?        Ssl  08:58   0:00 /usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
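The listing shows `ipsec checknss` (pid 22223) and its `certutil -N` child still in the foreground at 13:40, 41 minutes after starting, while the only pluto present reads /etc/ipsec.conf. As an added example that is not part of the bug report or of neutron-vpnaas, the Python helper below parses such a `ps aux` listing and flags a checknss run that has outlived a threshold; the sample rows are the report's own, re-joined, and matching certutil to checknss by shared tty is a heuristic because `ps aux` carries no PPID column.

```python
import re

# Constructed sample: the `ps aux | grep ipsec` rows from the bug report,
# re-joined to one line per process (the email had wrapped them).
PS_SAMPLE = """\
root     22223  0.0  0.0   9648  1368 pts/17   S+   12:59   0:00 /bin/sh /sbin/ipsec checknss /opt/stack/data/neutron/ipsec/f75151f6-ef01-4a68-9747-eb52f4e629f5/etc
root     22224  0.0  0.0  37400  3300 pts/17   S+   12:59   0:00 certutil -N -d sql:/etc/ipsec.d --empty-password
root     25893  0.0  0.0   9040   668 pts/0    S+   13:40   0:00 grep --color=auto ipsec
root     26396  0.0  0.1 335268  4588 ?        Ssl  08:58   0:00 /usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
"""

def parse_ps(text):
    """Split `ps aux` rows into dicts; the COMMAND column keeps its spaces."""
    rows = []
    for line in text.splitlines():
        f = line.split(None, 10)   # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
        if len(f) == 11 and f[1].isdigit():
            rows.append({"pid": int(f[1]), "tty": f[6], "stat": f[7],
                         "start": f[8], "cmd": f[10]})
    return rows

def _minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def diagnose_checknss(ps_text, now_hhmm, max_minutes=5):
    """Report whether an `ipsec checknss` run looks stuck.
    Assumes START is HH:MM of the current day (true for the bug's listing)."""
    rows = parse_ps(ps_text)
    report = {"checknss_pid": None, "stuck": False, "pluto_configs": []}
    for p in rows:
        if "grep" in p["cmd"]:
            continue                       # the grep that produced the listing
        if "pluto" in p["cmd"]:            # which pluto instances exist at all
            m = re.search(r"--config\s+(\S+)", p["cmd"])
            report["pluto_configs"].append(m.group(1) if m else "?")
        if "ipsec checknss" in p["cmd"]:
            age = _minutes(now_hhmm) - _minutes(p["start"])
            report.update(checknss_pid=p["pid"], age_min=age,
                          config_dir=p["cmd"].split()[-1],
                          stuck=age > max_minutes)
            # Heuristic child match: certutil on the same tty as checknss.
            for c in rows:
                if c["cmd"].startswith("certutil") and c["tty"] == p["tty"]:
                    d = re.search(r"-d\s+(?:sql:|dbm:)?(\S+)", c["cmd"])
                    report.update(certutil_pid=c["pid"],
                                  nss_dir=d.group(1) if d else None)
    return report
```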

[1] https://github.com/openstack/neutron-vpnaas/blob/master/neutron_vpnaas/services/vpn/device_drivers/ipsec.py#L304
[2] https://github.com/openstack/neutron-vpnaas/blob/master/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py#L59

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: vpnaas

https://bugs.launchpad.net/bugs/1605066

Title:
  [Neutron][VPNaaS] Failed to create ipsec site connection

Status in neutron:
  New

