root@r-5015-VM:~# grep -ir "10.128.0.0/18" /etc/ ### this is VPC CIDR

/etc/iptables/router_rules.v4:-A INPUT -s 10.128.64.0/18 -d 10.128.0.0/18 -j MARK --set-xmark 0x524/0xffffffff
/etc/iptables/router_rules.v4:-A FORWARD -s 10.128.64.0/18 -d 10.128.0.0/18 -j MARK --set-xmark 0x524/0xffffffff
/etc/iptables/router_rules.v4:-A FORWARD -s 10.128.0.0/18 -d 10.128.64.0/18 -j MARK --set-xmark 0x525/0xffffffff
/etc/iptables/router_rules.v4:-A OUTPUT -s 10.128.0.0/18 -d 10.128.64.0/18 -j MARK --set-xmark 0x525/0xffffffff
/etc/iptables/router_rules.v4:-A FORWARD -s 10.128.0.0/18 ! -d 10.128.0.0/18 -j ACCEPT
/etc/ipsec.d/ipsec.vpn-185.39.XXX.YYY.conf: leftsubnet=10.128.0.0/18
/etc/cloudstack/cmdline.json:        "vpccidr": "10.128.0.0/18"
/etc/cloudstack/site2sitevpn.json:        "local_guest_cidr": "10.128.0.0/18",

So just restart the VPC; better safe than sorry :)

Cheers

On 7 March 2018 at 14:21, <daniel.herrm...@zv.fraunhofer.de> wrote:

> Hi,
>
> As far as I know, when creating a site 2 site VPN, you can only specify
> the remote networks. The local network is always set to the whole VPC CIDR.
> Or am I wrong?
>
> Regards
> Daniel
>
> On 07.03.18, 12:39, "Rafael Weingärtner" <rafaelweingart...@gmail.com> wrote:
>
>     I agree with you. I was not aware of that link on the ACS website. I already
>     created a task for myself to fix that.
>
>     I thought the VPC CIDR was used only as a logical value internally in ACS.
>     However, as you pointed out, you can create a VPN to the whole VPC. Then,
>     yes, a restart would be required.
>
>
>     On Wed, Mar 7, 2018 at 8:33 AM, <daniel.herrm...@zv.fraunhofer.de> wrote:
>
>     > Hi,
>     >
>     > Maybe we could link to the Apache search system at the page listing the
>     > Cloudstack Mailing-Lists: https://cloudstack.apache.org/mailing-lists.html
>     >
>     > If you click on the list there, you get to
>     > http://mail-archives.apache.org/mod_mbox/cloudstack-users/. Then there is
>     > markmail linked and the
>     > https://lists.apache.org/list.html?users@cloudstack.apache.org link you
>     > shared (which btw looks best to me, thanks).
>     >
>     > The tiers are going to stay as they are currently. I guess the CIDR is
>     > used in the Strongswan VPN configuration as local network, so I guess a
>     > restart might be required.
>     >
>     > Other thoughts?
>     >
>     > Thanks
>     > Daniel
>     >
>     > On 07.03.18, 12:25, "Rafael Weingärtner" <rafaelweingart...@gmail.com>
>     > wrote:
>     >
>     >     MarkMail is not an Apache system. If you want an Apache system to
>     >     search mailing lists you can use:
>     >     https://lists.apache.org/list.html?d...@cloudstack.apache.org.
>     >
>     >     Do you intend on changing the Tiers CIDR as well? If it is only the VPC,
>     >     you might not even need to restart with a cleanup. Of course, it is
>     >     always a good practice to test before applying in production.
>     >
>     >     On Wed, Mar 7, 2018 at 8:07 AM, <daniel.herrmann@zv.fraunhofer.de>
>     >     wrote:
>     >
>     >     > Hi all,
>     >     >
>     >     > First of all: when trying to search the lists on MarkMail
>     >     > (https://cloudstack.apache.org/mailing-lists.html) I get a warning that
>     >     > the entered information will be transmitted insecurely (no HTTPS). If I
>     >     > accept that, MarkMail redirects back to HTTPS but does not present a
>     >     > valid certificate (unknown issuer, Firefox 58.0.2).
>     >     >
>     >     > Now, to the question:
>     >     >
>     >     > We have a VPC with a pretty large CIDR (172.19.0.0/16), which however
>     >     > only has tiers in the upper half (172.19.128.0/17). We now would like to
>     >     > reduce the VPC CIDR. Is it safe to edit this in the database and then do
>     >     > a VPC restart with cleanup? Anything else to consider?
>     >     >
>     >     > We use a VPN s2s tunnel, so I guess we need to change the remote subnet
>     >     > on the other VPN endpoints, but other than that?
>     >     >
>     >     > Is it possible like that, any problems to expect?
>     >     >
>     >     > Thanks and regards
>     >     >
>     >     > Daniel
>     >
>     >
>
>
>     --
>     Rafael Weingärtner
>
>


-- 

Andrija Panić
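
Added example, not code from this thread or from CloudStack itself: a small POSIX shell check to run on the virtual router after the VPC restart, confirming that the old CIDR is gone from every location the grep above turned up and that the new CIDR is present in the router rules, the IPsec config and cmdline.json. The directory names under /etc come from the grep output; the function names, the constructed sample files used to exercise the check, the IPsec file name and the 172.19.x CIDRs are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from CloudStack. Verifies on a VPC
# virtual router that a VPC CIDR change has been written out everywhere the
# grep in the thread found the old value. Function names and the constructed
# sample files are assumptions; the /etc paths are the ones the grep showed.

# Directories on the router that the grep in the thread matched (relative to ROOT).
CIDR_DIRS="etc/iptables etc/ipsec.d etc/cloudstack"

# stale_cidr_refs OLD_CIDR ROOT
# Prints every file under ROOT's router config dirs that still mentions OLD_CIDR.
stale_cidr_refs() {
    old="$1"; root="$2"; dirs=""
    for d in $CIDR_DIRS; do
        if [ -d "$root/$d" ]; then dirs="$dirs $root/$d"; fi
    done
    [ -n "$dirs" ] || return 0
    # -F: literal match, so the dots in the CIDR are not regex wildcards
    grep -rlF -- "$old" $dirs 2>/dev/null || true
}

# verify_cidr_change OLD_CIDR NEW_CIDR ROOT
# Returns 0 only if OLD_CIDR appears nowhere and NEW_CIDR appears in the
# router rules, the IPsec config dir and cmdline.json; otherwise reports
# what is wrong and returns 1.
verify_cidr_change() {
    old="$1"; new="$2"; root="$3"; rc=0
    stale=$(stale_cidr_refs "$old" "$root")
    if [ -n "$stale" ]; then
        echo "old CIDR $old still referenced in:"
        echo "$stale"
        rc=1
    fi
    for f in etc/iptables/router_rules.v4 etc/ipsec.d etc/cloudstack/cmdline.json; do
        if ! grep -rqF -- "$new" "$root/$f" 2>/dev/null; then
            echo "new CIDR $new missing from $f"
            rc=1
        fi
    done
    return $rc
}

# make_sample_router ROOT VPC_CIDR PEER_CIDR
# Constructed test fixture (assumption): writes files shaped like the grep
# output in the thread under ROOT so the checks above can be run offline.
make_sample_router() {
    root="$1"; cidr="$2"; peer="$3"
    mkdir -p "$root/etc/iptables" "$root/etc/ipsec.d" "$root/etc/cloudstack"
    cat > "$root/etc/iptables/router_rules.v4" <<EOF
-A FORWARD -s $peer -d $cidr -j MARK --set-xmark 0x524/0xffffffff
-A FORWARD -s $cidr -d $peer -j MARK --set-xmark 0x525/0xffffffff
-A FORWARD -s $cidr ! -d $cidr -j ACCEPT
EOF
    # hypothetical IPsec peer file name; the real one embeds the peer address
    echo "    leftsubnet=$cidr" > "$root/etc/ipsec.d/ipsec.vpn-peer.conf"
    echo "        \"vpccidr\": \"$cidr\"" > "$root/etc/cloudstack/cmdline.json"
    echo "        \"local_guest_cidr\": \"$cidr\"" > "$root/etc/cloudstack/site2sitevpn.json"
}

# On the router itself ROOT is / and no fixture is needed, e.g.:
#   verify_cidr_change 172.19.0.0/16 172.19.128.0/17 /
```

Two things worth noting when running this for real: grep is called with -F so the dots in the CIDR are matched literally (with a plain grep -i, as in the thread, "10.128.0.0/18" would also match strings like "10x128x0x0/18"), and a non-zero exit from verify_cidr_change after the restart means the router still carries the old value somewhere and the site-to-site tunnel should not be trusted until that is resolved.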
