cloudstack-commits mailing list archives

From raj...@apache.org
Subject [2/2] git commit: updated refs/heads/master to 13bfdd7
Date Tue, 14 Feb 2017 12:29:45 GMT
Merge pull request #1741 from swill/strongswanvpn

Updated StrongSwan VPN Implementation

This PR is a merge of @jayapalu changes in #872 and the
changes I had to make to get the functionality working.

I have done pretty extensive testing of this code so far and we are looking to be in pretty
good shape.  One thing to note is that a `Diffie-Hellman` group **is required** in order for
this feature to work correctly.  It is not highlighted in the tests below, but I have shown
that the `PFS` is not required for this feature to work.  In #872 I have shown a more exhaustive
set of tests of this code, but I have limited this set of tests to a recommended `IKE` and
`ESP` configuration in order to reduce the noise and test the other areas of functionality.

**Test Results**
I am testing this functionality by creating two VPCs with VMs in each and creating a S2S VPN
connection between the two VPCs. Then I SSH into a VM in one VPC and I ping the private IP
of a VM in the other VPC. Then I tear it down and try a different configuration.

_Setup_

```
VPC 1                          VPC 2
=====                          =====
VPN Gateway                    VPN Gateway
VPN Customer Gateway           VPN Customer Gateway
VPN Connection        <--->    VPN Connection
 - Passive = True               - Passive = False
```

_Legend_
`SKIP` => At least one of the VPN Connections did not come up, so no test was run.
`OK` => The ping test was successful over the S2S VPN connection.
`FAIL` => The ping test failed over the S2S VPN connection.

`Passive` => Specifies if either the `<vpc_1> : <vpc_2>` sides of the VPN Connection
is set to passive.
`Conn State` => Specifies the connection status of the `<vpc_1> : <vpc_2>`
VPN Connection in the UI.
`Requires Reset` => If the ping test does not result in an `OK`, then a VPN Connection
Reset is performed on either `<vpc_1> : <vpc_2>` sides of the VPN Connection based
on which side is not showing `Connected`.  The result in the `Status` column is the final
result after the reset is performed.

_Results_

```
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| Status | IKE & ESP            | DPD   | Encap | IKE Life | ESP Life | Passive       | Conn State                  | Requires Reset |
+========+======================+=======+=======+==========+==========+===============+=============================+================+
| OK     | aes128-sha1;modp1536 | True  | False | 86400    | 3600     | True : False  | Disconnected : Connected    | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | True  | True  | 86400    | 3600     | True : False  | Disconnected : Connected    | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | True  | False |          | 3600     | True : False  | Disconnected : Connected    | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | True  | False | 86400    |          | True : False  | Disconnected : Connected    | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | True  | False |          |          | True : False  | Disconnected : Connected    | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | True  | False | 86400    | 3600     | False : False | Connected : Connected       | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | True  | False | 86400    | 3600     | True : True   | Disconnected : Disconnected | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | True  | False | 86400    | 3600     | False : True  | Connected : Disconnected    | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | False | False | 86400    | 3600     | False : False | Connected : Connected       | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | False | False | 86400    | 3600     | True : False  | Disconnected : Connected    | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | False | False | 86400    | 3600     | True : True   | Disconnected : Disconnected | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | False | False | 86400    | 3600     | False : True  | Connected : Disconnected    | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| SKIP   | aes128-sha1          | True  | False | 86400    | 3600     | True : False  | Disconnected : Error        | True : False   |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| SKIP   | aes128-sha1          | False | False | 86400    | 3600     | True : False  | Disconnected : Error        | True : False   |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| FAIL   | aes128-sha1          | True  | False | 86400    | 3600     | True : True   | Disconnected : Disconnected | True : True    |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| SKIP   | aes128-sha1          | True  | False | 86400    | 3600     | False : False | Connected : Error           | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
```

* pr/1741:
  complete implementation of the StrongSwan VPN feature

Signed-off-by: Rajani Karuturi <rajani.karuturi@accelerite.com>


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/13bfdd71
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/13bfdd71
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/13bfdd71

Branch: refs/heads/master
Commit: 13bfdd71e6fffff52d2f613a802b3d16c9b40af7
Parents: 2aeca0d f045d65
Author: Rajani Karuturi <rajani.karuturi@accelerite.com>
Authored: Tue Feb 14 17:59:17 2017 +0530
Committer: Rajani Karuturi <rajani.karuturi@accelerite.com>
Committed: Tue Feb 14 17:59:17 2017 +0530

----------------------------------------------------------------------
 .../network/vpn/Site2SiteVpnManagerImpl.java    |  18 +--
 .../patches/debian/config/etc/logrotate.conf    |   5 +-
 .../debian/config/opt/cloud/bin/checks2svpn.sh  |  13 +-
 .../debian/config/opt/cloud/bin/configure.py    |  61 +++++-----
 .../debian/config/opt/cloud/bin/cs_ip.py        |  16 +--
 systemvm/patches/debian/vpn/etc/ipsec.conf      |   8 +-
 .../patches/debian/vpn/etc/ipsec.d/l2tp.conf    |   9 +-
 systemvm/patches/debian/vpn/etc/ipsec.secrets   |   2 +-
 test/integration/component/maint/test_vpc.py    |   2 +-
 test/integration/component/test_vpc.py          |   2 +-
 .../configure_systemvm_services.sh              |   6 +
 .../install_systemvm_packages.sh                |   4 +-
 ui/scripts/network.js                           | 121 ++++++++++++++-----
 .../main/java/com/cloud/utils/net/NetUtils.java |  16 ++-
 .../java/com/cloud/utils/net/NetUtilsTest.java  |  31 +++--
 15 files changed, 200 insertions(+), 114 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/13bfdd71/systemvm/patches/debian/config/opt/cloud/bin/configure.py
----------------------------------------------------------------------

