cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From remibergsma <>
Subject [GitHub] cloudstack pull request: Fix site-to-site VPN feature
Date Fri, 14 Aug 2015 08:17:50 GMT
GitHub user remibergsma opened a pull request:

    Fix site-to-site VPN feature

    This is work done together with @Jayapal on fixing the site2site VPN. The first part was
done in PR #690 by @Jayapal. On top of that, some other fixes were needed and those are added
in this PR. It made sense to make a new PR which includes all fixes so we can actually test
    The original PR #690 is already merged into this one, so can be closed. Since the commit
ids are kept the same, merging this will close both.
    I closely compared the 4.4/4.5 implementation with the new 4.6 one. I did not only make
it work, but also added some security improvements (some of which were also in 4.4/4.5). I
noticed the pre shared key was being logged, so removed that as well.
    This is how I tested and verified it:
    When I have some time available, I'll write a Marvin test for it that we can include in
the repo.
    It now works(tm) with one manual step due to CLOUDSTACK-8685: 
    We need a default gateway before site-to-site VPN will actually work. It will connect,
but not forward packets. The reason for this, is due to the iptables setup. VM1 has router1
as gateway, but router1 does not know the route to VM2 so it will give up. With a default
gateway, the packets are about to be forwarded to the default gateway but when they reach
eth1 the public nic, iptables kicks in, does some magic and forwards it through the ipsec
tunnel. So, you need a default gw set to upstream.
    Workaround for now is setting the route manually:
    ``route add default gw``  or  ``ip route add default via``
    In other words, we need to fix CLOUDSTACK-8685 soon, too.
    @Jayapal @snuf could you please review this?

You can merge this pull request into a Git repository by running:

    $ git pull s2svpn-fixes

Alternatively you can review and apply these changes as the patch at:

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #693
commit da9e757b8e48c54a4ecbd3bdb027b573ac5a3314
Author: Jayapal <>
Date:   2015-08-13T08:37:12Z

    CLOUDSTACK-8710: Fixed applying iptables rules for s2s vpn

commit 382458317ead1ded0149b0fa43d41cd527d22e50
Author: Remi Bergsma <>
Date:   2015-08-13T19:35:44Z

    CLOUDSTACK-8730: fix s2s iptables rules and ipsec config
    For site2site VPN to work, we need a default gateway to be set.
    See CLOUDSTACK-8685

commit 9b97719c5c7839215fa4ff4392995af28055f803
Author: Remi Bergsma <>
Date:   2015-08-14T07:05:59Z

    tighten security of site-to-site VPN
    It was like this in 4.4 and 4.5

commit 4f8ab51f7f2a1d8b78e754981d92c3904408fb30
Author: Remi Bergsma <>
Date:   2015-08-14T07:07:25Z

    do not log sensitive site-to-site VPN PSK
    Logging before:
    2015-08-12 16:30:07,126 Searching for  and replacing with
PSK "preSharedKey"
    Logging after:
    2015-08-12 16:30:07,126 Searching for  and replacing with
PSK "****"

commit 7ddec661ca6d17fbf9ecbc0ee60e34d68f97a94d
Author: Remi Bergsma <>
Date:   2015-08-14T07:10:28Z

    Merge pull request #690 from jayapalu/vpn
    CLOUDSTACK-8710: Fixed applying iptables rules for s2s vpn
    @remibergsma @wilderrodrigues
    Moved applying iptables rules apply after vpn configuration so that vpn specific rules
also get applied
    * pr/690:
      CLOUDSTACK-8710: Fixed applying iptables rules for s2s vpn
    This closes #690
    Signed-off-by: Remi Bergsma <>


If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at or file a JIRA ticket
with INFRA.

View raw message