cloudstack-commits mailing list archives

Subject [6/6] git commit: updated refs/heads/master to 05a29f0
Date Fri, 14 Aug 2015 11:06:47 GMT
Merge pull request #693 from remibergsma/s2svpn-fixes

Fix site-to-site VPN feature

This is work done together with @jayapalu on fixing the site2site
VPN. The first part was done in PR #690 by @jayapalu. On top of that, some other fixes were
needed and those are added in this PR. It made sense to make a new PR which includes all fixes
so we can actually test it.

The original PR #690 is already merged into this one, so can be closed. Since the commit ids
are kept the same, merging this will close both.

I closely compared the 4.4/4.5 implementation with the new 4.6 one. I did not only make it
work, but also added some security improvements (some of which were also in 4.4/4.5). I noticed
the pre shared key was being logged, so removed that as well.

This is how I tested and verified it:
When I have some time available, I'll write a Marvin test for it that we can include in the

It now works(tm) with one manual step due to CLOUDSTACK-8685:
We need a default gateway before site-to-site VPN will actually work. It will connect, but
not forward packets. The reason for this is the iptables setup. VM1 has router1 as
gateway, but router1 does not know the route to VM2, so it will give up. With a default gateway,
the packets are about to be forwarded to the default gateway, but when they reach eth1, the
public nic, iptables kicks in, does some magic and forwards them through the ipsec tunnel. So
you need a default gw set to upstream.

Workaround for now is setting the route manually:
``route add default gw``  or  ``ip route add default via``

In other words, we need to fix CLOUDSTACK-8685 soon, too.

Thanks to @snuf @jayapalu!

@jayapalu @snuf could you please review this?

* pr/693:
  do not log sensitive site-to-site VPN PSK
  tighten security of site-to-site VPN
  CLOUDSTACK-8730: fix s2s iptables rules and ipsec config
  CLOUDSTACK-8710: Fixed applying iptables rules for s2s vpn

Signed-off-by: Remi Bergsma <>


Branch: refs/heads/master
Commit: 05a29f01b4de0e88e2f0fb99886573a25c87fea6
Parents: 0fcc729 7ddec66
Author: Remi Bergsma <>
Authored: Fri Aug 14 13:05:53 2015 +0200
Committer: Remi Bergsma <>
Committed: Fri Aug 14 13:05:53 2015 +0200

 .../debian/config/opt/cloud/bin/      | 18 +++++++++---------
 .../debian/config/opt/cloud/bin/cs/      |  5 ++++-
 2 files changed, 13 insertions(+), 10 deletions(-)
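The default-route check behind the workaround in the message, as an added example that is not part of this commit or of CloudStack's own scripts. It takes the text of `ip route show` as input so it runs offline against constructed routing tables; the addresses (192.0.2.1 upstream, 10.1.1.0/24 guest on eth0, 192.0.2.0/24 public on eth1) and the interface layout are assumptions for the example, not values from the page.

```shell
#!/bin/sh
# Added example (not the CloudStack commit's code): detect whether a router's
# routing table already has the default route that the site-to-site VPN
# workaround in the message depends on, and emit the `ip route add default via`
# command from the message when it is missing. Routing tables and addresses
# below are constructed for this example.

# has_default_route TABLE
#   TABLE is text in the format of `ip route show`. Succeeds if some line is a
#   default route, either via a gateway or directly out of a device.
has_default_route() {
    printf '%s\n' "$1" | grep -Eq '^default[[:space:]]+(via|dev)[[:space:]]'
}

# default_gateway TABLE
#   Prints the gateway address of the first "default via" line, nothing if none.
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# default_route_fix TABLE GATEWAY
#   Prints the workaround command (`ip route add default via GATEWAY`) when
#   TABLE has no default route, prints nothing when one is already present.
#   It never executes the command itself, so it is safe to run anywhere.
default_route_fix() {
    if has_default_route "$1"; then
        return 0
    fi
    printf 'ip route add default via %s\n' "$2"
}

# Constructed sample tables (assumed layout: eth0 guest side, eth1 public side).
TABLE_NO_DEFAULT='10.1.1.0/24 dev eth0 proto kernel scope link src 10.1.1.1
192.0.2.0/24 dev eth1 proto kernel scope link src 192.0.2.10'

TABLE_WITH_DEFAULT='default via 192.0.2.1 dev eth1
10.1.1.0/24 dev eth0 proto kernel scope link src 10.1.1.1
192.0.2.0/24 dev eth1 proto kernel scope link src 192.0.2.10'

# On a real router you would feed it the live table and apply the result:
#   default_route_fix "$(ip route show)" 192.0.2.1 | sh
# Here only the dry-run output for the constructed tables is shown.
default_route_fix "$TABLE_NO_DEFAULT" 192.0.2.1
default_route_fix "$TABLE_WITH_DEFAULT" 192.0.2.1
```

The check is deliberately split from the action: `default_route_fix` only prints the command, so it can be run in a health check (a Marvin test, or a cron job on the router) without changing routing state, and piped into `sh` only when you actually want the workaround applied.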
