Public bug reported:

While using IKE policy with version v2, the IPsec siteconnection status is always down, but the network traffic is OK.

From the ipsec status we can see that the ipsec connection is established:

  # ip netns exec snat-a4d93552-c534-4a2c-96f7-c9b0ea918ba7 ipsec whack --ctlbase /var/lib/neutron/ipsec/a4d93552-c534-4a2c-96f7-c9b0ea918ba7/var/run/pluto --status
  000 Total IPsec connections: loaded 3, active 1
  000
  000 State Information: DDoS cookies not required, Accepting new IKE connections
  000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
  000 IPsec SAs: total(1), authenticated(1), anonymous(0)
  000
  000 #2: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 2364s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
  000 #2: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
  000 #1: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 2574s; newest ISAKMP; isakmp#0; idle; import:admin initiate
  000 #1: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1" ref=0 refhim=0 Traffic:
  000
  000 Bare Shunt list:
  000

I think we should match "PARENT SA" in IKE v2. [1]

[1] https://libreswan.org/wiki/How_to_read_status_output

** Affects: neutron
     Importance: Undecided
     Assignee: Dongcan Ye (hellochosen)
     Status: New

** Tags: vpnaas

** Changed in: neutron
     Assignee: (unassigned) => Dongcan Ye (hellochosen)

https://bugs.launchpad.net/bugs/1781354

Title:
  VPNaaS: IPsec siteconnection status DOWN while using IKE v2

Status in neutron:
  New
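
The status mismatch in the report, reproduced as an added example (not neutron-vpnaas code and not written by the reporter): a parser for the `ipsec whack --status` state lines that derives ACTIVE/DOWN per connection. It assumes the DOWN result comes from a check that looks only for the IKEv1 text "IPsec SA established"; `connection_status`, the marker tuples and the `require_ipsec_sa` option are hypothetical names introduced here.

```python
import re

# State line: 000 #<n>: "<conn-id>/0x1":<port> STATE_X (<description>); <rest>
STATE_LINE = re.compile(
    r'^\d{3} #\d+: "(?P<conn>[0-9a-f-]+)[^"]*":\d+ '
    r'STATE_\w+ \((?P<desc>[^)]*)\);(?P<rest>.*)$')

IKEV1_ONLY = ("IPsec SA established",)                # assumed existing check
WITH_IKEV2 = IKEV1_ONLY + ("PARENT SA established",)  # the reporter's proposal

# Two state lines copied from the status output in the report.
IKEV2_SAMPLE = """\
000 #2: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 2364s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #1: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 2574s; newest ISAKMP; isakmp#0; idle; import:admin initiate
"""
# Constructed case: only the IKE SA line (#1) exists, no IPsec SA yet.
IKE_SA_ONLY = IKEV2_SAMPLE.splitlines()[1]


def connection_status(status_output, markers, require_ipsec_sa=False):
    """Return {connection id: 'ACTIVE' | 'DOWN'} from whack --status text."""
    result = {}
    for line in status_output.splitlines():
        m = STATE_LINE.match(line.strip())
        if not m:
            continue  # counters, traffic lines, shunt list
        result.setdefault(m.group("conn"), "DOWN")
        up = any(marker in m.group("desc") for marker in markers)
        # Hypothetical stricter rule (not from the report): only a state
        # flagged "newest IPSEC" proves that an IPsec SA is installed.
        if require_ipsec_sa:
            up = up and "newest IPSEC" in m.group("rest")
        if up:
            result[m.group("conn")] = "ACTIVE"
    return result


if __name__ == "__main__":
    print(connection_status(IKEV2_SAMPLE, IKEV1_ONLY))
    print(connection_status(IKEV2_SAMPLE, WITH_IKEV2))
    print(connection_status(IKE_SA_ONLY, WITH_IKEV2, require_ipsec_sa=True))
```

Matching "PARENT SA established" alone also reports ACTIVE when only the IKE SA line is present, which is why the stricter option additionally looks for "newest IPSEC".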

