Reviewed:  https://review.openstack.org/582113
Committed: https://git.openstack.org/cgit/openstack/neutron-vpnaas/commit/?id=321392b9a7d288167b0155284c0b7d30af44e5b3
Submitter: Zuul
Branch:    master

commit 321392b9a7d288167b0155284c0b7d30af44e5b3
Author: Dongcan Ye <[email protected]>
Date:   Thu Jul 12 09:00:13 2018 +0000

    Match IPSEC SA established state

    While using IKE policy with version v2, the IPsec siteconnection
    status is always down.

    From the libreswan wiki [1], the "phase2" in IKEv2 mistakenly calls
    itself a PARENT SA, the same as "phase1". This is a known bug for
    some versions of libreswan.
    For the newer versions of libreswan (3.20+), the "IPsec SA established"
    will be output successfully if the phase2 state is established.

    Here we match the "established" and "newest IPSEC" for an
    established IPSEC SA.

    [1] https://libreswan.org/wiki/How_to_read_status_output

    Change-Id: Iffff7d00f48e69fbc53bb45df17d6a5be6760a6d
    Closes-Bug: #1781354

** Changed in: neutron
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1781354

Title:
  VPNaaS: IPsec siteconnection status DOWN while using IKE v2

Status in neutron:
  Fix Released

Bug description:
  While using IKE policy with version v2, the IPsec siteconnection
  status is always down, but the network traffic is OK.

  From the ipsec status we can see that the ipsec connection is
  established:

  # ip netns exec snat-a4d93552-c534-4a2c-96f7-c9b0ea918ba7 ipsec whack --ctlbase /var/lib/neutron/ipsec/a4d93552-c534-4a2c-96f7-c9b0ea918ba7/var/run/pluto --status
  000 Total IPsec connections: loaded 3, active 1
  000
  000 State Information: DDoS cookies not required, Accepting new IKE connections
  000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
  000 IPsec SAs: total(1), authenticated(1), anonymous(0)
  000
  000 #2: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 2364s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
  000 #2: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
  000 #1: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 2574s; newest ISAKMP; isakmp#0; idle; import:admin initiate
  000 #1: "b42f6ee6-acf3-4d2d-beb9-f115d68fef55/0x1" ref=0 refhim=0 Traffic:
  000
  000 Bare Shunt list:
  000

  I think we should match "PARENT SA" in IKE v2. [1]

  [1] https://libreswan.org/wiki/How_to_read_status_output
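
An added example, not code from neutron-vpnaas or from this report: a small status parser that applies the two match rules discussed above to the reported state lines, showing why "established" alone is not enough and the "newest IPSEC" marker is needed to tell the IPsec SA from the IKE SA. The regex, the function names and the IKEv1 sample line are assumptions made for illustration.

```python
import re

# Assumed line shape: 000 #<n>: "<conn-uuid>/0x1":500 STATE_X (<description>); <flags>
STATE_LINE = re.compile(
    r'^\d+ #\d+: "(?P<conn>[0-9a-f-]{36})[^"]*"\S*\s+'
    r'STATE_\w+ \((?P<desc>[^)]*)\);(?P<flags>.*)$')

def old_rule(desc, flags):
    # Literal phrase only; the reported IKEv2 output never contains it.
    return "IPsec SA established" in desc

def new_rule(desc, flags):
    # Commit message rule: "established" together with the "newest IPSEC" marker.
    return "established" in desc and "newest IPSEC" in flags

def connection_status(status_output, rule):
    """Map each connection id to ACTIVE or DOWN using the given match rule."""
    result = {}
    for line in status_output.splitlines():
        m = STATE_LINE.match(line.strip())
        if not m:
            continue  # counters, traffic lines and bare "000" separators
        result.setdefault(m["conn"], "DOWN")
        if rule(m["desc"], m["flags"]):
            result[m["conn"]] = "ACTIVE"  # one established IPsec SA is enough
    return result

CONN = "b42f6ee6-acf3-4d2d-beb9-f115d68fef55"
# State lines #1 and #2 as they appear in the report (IKEv2).
IKE_SA = (f'000 #1: "{CONN}/0x1":500 STATE_PARENT_I3 (PARENT SA established); '
          'EVENT_SA_REPLACE in 2574s; newest ISAKMP; isakmp#0; idle; import:admin initiate')
IPSEC_SA = (f'000 #2: "{CONN}/0x1":500 STATE_PARENT_I3 (PARENT SA established); '
            'EVENT_SA_REPLACE in 2364s; newest IPSEC; eroute owner; isakmp#1; idle; '
            'import:admin initiate')
REPORTED = IPSEC_SA + "\n" + IKE_SA
# Constructed line in IKEv1 wording, where the literal phrase does appear.
IKEV1 = (f'000 #2: "{CONN}/0x1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); '
         'EVENT_SA_REPLACE in 2364s; newest IPSEC; eroute owner; isakmp#1; idle')

if __name__ == "__main__":
    for name, text in [("reported", REPORTED), ("ike-only", IKE_SA), ("ikev1", IKEV1)]:
        print(name, connection_status(text, old_rule), connection_status(text, new_rule))
```

The "ike-only" case is the one to watch when monitoring tunnels: with only the IKE SA up, a rule that matched "PARENT SA established" on its own would report a connection as active before any IPsec SA exists.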

