Public bug reported:

I have manually set up a fresh OpenStack Pike HA environment based on Ubuntu 16.04.3 in conjunction with DVR. VPN creation works fine in case of centralized routers, but when a VPN gets created in the context of distributed routers, all VPN services and connections turn their state to ACTIVE, but a connection between different clients connected via VPN is not possible. The error log does not contain any errors.

My environment comprises 2 controller nodes (also functioning as network nodes) and 3 compute nodes. Each controller node runs a neutron-vpn-agent, whereas each compute node runs a neutron-l3-agent which is unaware of any VPN settings.

Controller/Network node:

############# vpn_agent.ini #############
[ipsec]
enable_detailed_logging = true
ipsec_status_check_interval = 60

[vpnagent]
vpn_device_driver = neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver

############ neutron.conf ############
[DEFAULT]
allow_overlapping_ips = true
auth_strategy = keystone
base_mac = 02:05:69:00:00:00
bind_host = 10.30.200.101
bind_port = 9696
core_plugin = ml2
debug = true
dhcp_agents_per_network = 2
dns_domain = openstack.mycompany.com.
dvr_base_mac = 0A:05:69:00:00:00
endpoint_type = internalURL
host = os-network01
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
l3_ha = true
l3_ha_net_cidr = 169.254.192.0/18
log_dir = /var/log/neutron
max_l3_agents_per_router = 2
min_l3_agents_per_router = 2
notify_nova_on_port_data_changes = true
notify_nova_on_port_status_changes = true
router_distributed = true
service_plugins = router,firewall,qos,lbaasv2,vpnaas
state_path = /var/lib/neutron
transport_url = rabbit://neutron:neutronpass@os-rabbit01:5672,neutron:neutronpass@os-rabbit02:5672/openstack

[agent]
root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf

[database]
connection = mysql+pymysql://neutron:neutronDBpass@os-controller/neutron
max_retries = -1

[keystone_authtoken]
auth_type = password
auth_uri = https://os-cloud.mycompany.com:5000
auth_url = http://os-identity:35357
memcached_servers = os-memcache:11211
password = neutronpass
project_domain_name = default
project_name = service
user_domain_name = default
username = neutron

[nova]
auth_type = password
auth_url = http://os-identity:35357
endpoint_type = internal
password = novapass
project_domain_name = default
project_name = service
region_name = RegionOne
user_domain_name = default
username = nova

[oslo_concurrency]
lock_path = /var/lock/neutron

[oslo_messaging_notifications]
driver = messagingv2

[oslo_messaging_rabbit]
amqp_durable_queues = true
rabbit_ha_queues = true
rabbit_retry_backoff = 2
rabbit_retry_interval = 1

[oslo_middleware]
enable_proxy_headers_parsing = true

[service_providers]
service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
service_provider = LOADBALANCERV2:Haproxy:neutron_lbaas.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
service_provider = VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default

$ ext-list | grep vpn
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
| vpnaas              | VPN service                  |
| vpn-endpoint-groups | VPN Endpoint Groups          |
| vpn-flavors         | VPN Service Flavor Extension |

The AppArmor profiles "usr.lib.ipsec.charon" and "usr.lib.ipsec.stroke" have been disabled:
ln -sf /etc/apparmor.d/usr.lib.ipsec.charon /etc/apparmor.d/disable/
ln -sf /etc/apparmor.d/usr.lib.ipsec.stroke /etc/apparmor.d/disable/

Any ideas?

** Affects: neutron
   Importance: Undecided
       Status: New

** Tags: vpnaas

** Summary changed:
- VPNaaS: VPN creating not working in case of distributed routers (Pike)
+ VPNaaS: VPN creation not working in case of distributed virtual routers (Pike)

https://bugs.launchpad.net/bugs/1717266
Title: VPNaaS: VPN creation not working in case of distributed virtual routers (Pike)
Status in neutron: New
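Added example, not part of the bug report or of neutron itself: the pasted neutron.conf carries RabbitMQ, database and keystone credentials in clear, so before a config like this goes to a public tracker it should be masked. The snippet below does that for a constructed sample built from the report's own lines, keeps repeated keys such as the several service_provider entries, and pulls out the DVR/VPNaaS flags the reported symptom hinges on; the list of secret-bearing keys is an assumption limited to the keys seen on this page.

```python
import re
# Constructed sample: the report's neutron.conf lines the symptom depends on, plus the credential-bearing ones.
SAMPLE_NEUTRON_CONF = """\
[DEFAULT]
l3_ha = true
router_distributed = true
service_plugins = router,firewall,qos,lbaasv2,vpnaas
transport_url = rabbit://neutron:neutronpass@os-rabbit01:5672,neutron:neutronpass@os-rabbit02:5672/openstack
[database]
connection = mysql+pymysql://neutron:neutronDBpass@os-controller/neutron
[keystone_authtoken]
password = neutronpass
[service_providers]
service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
service_provider = VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
"""
SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
KV_RE = re.compile(r"^([A-Za-z_][\w.]*)\s*=\s*(.*)$")
SECRET_KEYS = {"password", "connection", "transport_url"}  # assumed minimal set, taken from the report
USERINFO_RE = re.compile(r"(://|,)([^:/@\s,]+):[^@\s,]+@")  # user:pass@ in a URL, also after a ',' host separator

def redact_value(key, value):
    """Mask a secret but keep URL scheme/host/port so the topology stays debuggable."""
    if key not in SECRET_KEYS:
        return value
    return USERINFO_RE.sub(r"\1\2:***@", value) if "://" in value else "***"

def sanitize(text):
    """Return (masked INI text, {(section, key): [values]}); repeated keys stay in order."""
    out, settings, section = [], {}, "DEFAULT"
    for line in text.splitlines():
        m, kv = SECTION_RE.match(line.strip()), KV_RE.match(line.strip())
        if m:
            section = m.group(1)
        elif kv:
            key, value = kv.group(1), kv.group(2).strip()
            settings.setdefault((section, key), []).append(value)
            line = "%s = %s" % (key, redact_value(key, value))
        out.append(line)
    return "\n".join(out), settings

def vpn_dvr_summary(settings):
    """The flags that decide which agents must run on which nodes in the reported setup."""
    first = lambda sec, key, d: settings.get((sec, key), [d])[0]
    return {
        "router_distributed": first("DEFAULT", "router_distributed", "false").lower() == "true",
        "l3_ha": first("DEFAULT", "l3_ha", "false").lower() == "true",
        "vpnaas_plugin": "vpnaas" in [p.strip() for p in first("DEFAULT", "service_plugins", "").split(",")],
        "vpn_provider": any(p.startswith("VPN:") for p in settings.get(("service_providers", "service_provider"), [])),
    }
```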

