cloudstack-dev mailing list archives

From swill <>
Subject [GitHub] cloudstack issue #872: Strongswan vpn feature
Date Fri, 14 Oct 2016 22:19:32 GMT
Github user swill commented on the issue:
    The more I dig into this the deeper the rabbit hole goes.  Here are a few things I have found which I need to address.
    - When a VPN connection, gateway, etc. is deleted, the configuration is not actually cleaned
    - When a new configuration is defined, it only has the ability to add to or modify the current configuration, it does not have the ability to remove config items.  Combined with the above point, this means that if you ever turn on `dpd` for example, it is not possible to ever turn it off.
    - The configuration files on the VR do not reflect the running config in `ipsec`.  You can have identical configurations and it will work sometimes and it won't work other times.  I have been able to reset the config to make the running config match the defined config by doing an `ipsec restart`, but I have to close the gap as to why it is not consistent and where the divergence happens.  I believe it is due to the PSK not actually getting updated with an `ipsec rereadsecrets`, but because of other issues, I can't even get code blocks to execute when they should be on changes.
    - There appears to be a problem with the `if secret.is_changed() or file.is_changed()` logic which is causing logic not to run when it should.  I am still working out why this is the case.
    All to say, I still have a lot to work through before this is ready for primetime.  I think I have the Remote Access VPN functionality working as expected and relatively stable now, but I am still working through a lot of issues with the S2S VPN feature(s).  I have given a code drop of the Remote Access VPN functionality to one of our operations teams to continue testing that feature as I work through the S2S issues.  Hopefully I will have better news next week.
    Have a nice weekend everyone...
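
The comment above describes additive config updates that can never remove an option such as `dpd`, stale files after a delete, and change checks that do not fire. As an added example (not code from the comment or from CloudStack), this sketch contrasts an additive merge with rendering each connection from the desired state and deriving the needed `ipsec` commands from what changed on disk. The function names, the per-connection `<name>.conf` / `<name>.secrets` layout, a directory holding only these files, and the use of `ipsec reload` for conf changes are assumptions.

```python
import os
import tempfile

def additive_update(current, new):
    """Additive behaviour as described above: keys are added or overwritten, never removed."""
    merged = dict(current)
    merged.update(new)
    return merged

def render_conn(name, opts):
    """Render the whole conn section from the desired state only."""
    return f"conn {name}\n" + "".join(f"    {k}={v}\n" for k, v in sorted(opts.items()))

def write_if_changed(path, content):
    """Write content; return True only if the file on disk changed."""
    try:
        with open(path) as fh:
            if fh.read() == content:
                return False
    except FileNotFoundError:
        pass
    with open(path, "w") as fh:
        fh.write(content)
    return True

def reconcile(conf_dir, desired):
    """Make conf_dir match `desired` and return the ipsec commands that are needed."""
    conf_changed = secret_changed = False
    wanted = set()
    for name, conn in desired.items():
        opts = conn["opts"]
        wanted |= {f"{name}.conf", f"{name}.secrets"}
        psk_line = f'{opts["left"]} {opts["right"]} : PSK "{conn["psk"]}"\n'
        # "|=" always evaluates the right-hand side, so both files are checked.
        conf_changed |= write_if_changed(os.path.join(conf_dir, f"{name}.conf"), render_conn(name, opts))
        secret_changed |= write_if_changed(os.path.join(conf_dir, f"{name}.secrets"), psk_line)
    for stale in sorted(set(os.listdir(conf_dir)) - wanted):  # deleted connections
        os.remove(os.path.join(conf_dir, stale))
        if stale.endswith(".secrets"):
            secret_changed = True
        else:
            conf_changed = True
    return (["ipsec rereadsecrets"] if secret_changed else []) + (["ipsec reload"] if conf_changed else [])

if __name__ == "__main__":
    d = tempfile.mkdtemp()  # stand-in for the VR's config directory (assumption)
    base = {"left": "203.0.113.1", "right": "198.51.100.1", "authby": "secret"}  # constructed
    dpd = dict(base, dpdaction="restart", dpddelay="30s")
    print(additive_update(dpd, base))  # dpd keys survive the "turn it off" update
    print(reconcile(d, {"s2s": {"opts": dpd, "psk": "constructed-psk"}}))
    print(reconcile(d, {"s2s": {"opts": base, "psk": "constructed-psk"}}))
    print(reconcile(d, {}))
```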
