Public bug reported:

Creating an IPSec site connection with an IPSec policy that specifies the
AH-ESP protocol leads to the following error:


2015-08-26 13:29:10.976 ERROR neutron.agent.linux.utils [req-7b4a7ccc-286e-4267-9d50-d84afa5b5663 demo 99b8d178a6784d749920414ac08bce66]
Command: ['ip', 'netns', 'exec', u'qrouter-552bb850-4b33-4bf9-8d6a-c7f47f6e2d27', 'ipsec', 'addconn', '--ctlbase', u'/opt/stack/data/neutron/ipsec/552bb850-4b33-4bf9-8d6a-c7f47f6e2d27/var/run/pluto.ctl', '--defaultroutenexthop', u'172.24.4.3', '--config', u'/opt/stack/data/neutron/ipsec/552bb850-4b33-4bf9-8d6a-c7f47f6e2d27/etc/ipsec.conf', u'a9587a5c-ff6e-4257-89c1-475300fc8622']
Exit code: 34
Stdin:
Stdout: 034 Must do at AH or ESP, not neither.

Stderr: WARNING: /opt/stack/data/neutron/ipsec/552bb850-4b33-4bf9-8d6a-c7f47f6e2d27/etc/ipsec.co

2015-08-26 13:29:10.976 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [req-7b4a7ccc-286e-4267-9d50-d84afa5b5663 demo 99b8d178a6784d749920414ac08bce66] Failed to enable vpn process on router 552bb850-4b33-4bf9-8d6a-c7f47f6e2d27
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Traceback (most recent call last):
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 251, in enable
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec     self.start()
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 433, in start
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec     ipsec_site_conn['id']
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 332, in _execute
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes)
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron/neutron/agent/linux/ip_lib.py", line 719, in execute
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes, **kwargs)
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron/neutron/agent/linux/utils.py", line 153, in execute
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec     raise RuntimeError(m)
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError:
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['ip', 'netns', 'exec', u'qrouter-552bb850-4b33-4bf9-8d6a-c7f47f6e2d27', 'ipsec', 'addconn', '--ctlbase', u'/opt/stack/data/neutron/ipsec/552bb850-4b33-4bf9-8d6a-c7f47f6e2d27/var/run/pluto.ctl', '--defaultroutenexthop', u'172.24.4.3', '--config', u'/opt/stack/data/neutron/ipsec/552bb850-4b33-4bf9-8d6a-c7f47f6e2d27/etc/ipsec.conf', u'a9587a5c-ff6e-4257-89c1-475300fc8622']
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 34
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin:
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout: 034 Must do at AH or ESP, not neither.
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stderr: WARNING: /opt/stack/data/neutron/ipsec/552bb850-4b33-4bf9-8d6a-c7f47f6e2d27/etc/ipsec.co
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec
2015-08-26 13:29:10.976 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec


It seems Openswan doesn't support AH-ESP combined.

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: vpnaas

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1488764

Title:
  Create IPSec site connection with IPSec policy that specifies AH-ESP
  protocol error

Status in neutron:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1488764/+subscriptions
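
For triage, the failed `ipsec addconn` call can be pulled out of the agent log and tied back to the router and IPsec site connection it belongs to. The following is an added example, not code from neutron or neutron-vpnaas; the function names are hypothetical and the sample is the ERROR record from the report with its wrapped lines rejoined.

```python
import ast
import re

# Constructed sample: the ERROR record quoted in the report, one field per line.
SAMPLE = (
    "2015-08-26 13:29:10.976 ERROR neutron.agent.linux.utils [req-7b4a7ccc-286e-4267-9d50-d84afa5b5663 demo 99b8d178a6784d749920414ac08bce66]\n"
    "Command: ['ip', 'netns', 'exec', u'qrouter-552bb850-4b33-4bf9-8d6a-c7f47f6e2d27', 'ipsec', 'addconn', '--ctlbase', u'/opt/stack/data/neutron/ipsec/552bb850-4b33-4bf9-8d6a-c7f47f6e2d27/var/run/pluto.ctl', '--defaultroutenexthop', u'172.24.4.3', '--config', u'/opt/stack/data/neutron/ipsec/552bb850-4b33-4bf9-8d6a-c7f47f6e2d27/etc/ipsec.conf', u'a9587a5c-ff6e-4257-89c1-475300fc8622']\n"
    "Exit code: 34\n"
    "Stdin: \n"
    "Stdout: 034 Must do at AH or ESP, not neither. \n"
)

# Optional "timestamp LEVEL logger " prefix, as on the TRACE copies of the fields.
_PREFIX = r"(?:\d{4}-\d\d-\d\d [\d:.]+ [A-Z]+ \S+ )?"
_FIELD = re.compile(r"^[ \t]*" + _PREFIX + r"(Command|Exit code|Stdout): ?(.*)$", re.M)


def parse_addconn_failure(record):
    """Return the facts needed to triage a failed 'ipsec addconn', or None."""
    fields = {name: value.strip() for name, value in _FIELD.findall(record)}
    if not {"Command", "Exit code", "Stdout"} <= fields.keys():
        return None
    try:
        # The logged command is a Python list literal; u'' is valid in Python 3.
        argv = ast.literal_eval(fields["Command"])
    except (ValueError, SyntaxError):
        return None  # e.g. the list was broken by mail line wrapping
    if "addconn" not in argv or "exec" not in argv:
        return None
    namespace = argv[argv.index("exec") + 1]  # ip netns exec <namespace> ...
    status = re.match(r"(\d{3}) (.*)", fields["Stdout"])
    return {
        "router_id": namespace[len("qrouter-"):] if namespace.startswith("qrouter-") else None,
        "connection_id": argv[-1],  # last argument: the connection passed to addconn
        "config": argv[argv.index("--config") + 1] if "--config" in argv else None,
        "exit_code": int(fields["Exit code"]),
        "status_code": int(status.group(1)) if status else None,
        "message": status.group(2) if status else fields["Stdout"],
    }


def needs_policy_review(failure):
    """True when addconn rejected the connection for its AH/ESP selection."""
    return bool(failure) and "AH or ESP" in failure["message"]
```

A hit from `needs_policy_review` points at the IPsec policy's transform protocol for the returned `connection_id`, not at the router or the tunnel endpoints.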
