cloudstack-dev mailing list archives

From swill <...@git.apache.org>
Subject [GitHub] cloudstack pull request #1741: Updated StrongSwanVPN Implementation
Date Thu, 27 Oct 2016 13:15:34 GMT
GitHub user swill opened a pull request:

    https://github.com/apache/cloudstack/pull/1741

    Updated StrongSwanVPN Implementation

    This PR is a merge of @jayapalu's changes in #872 and the changes I had to make to get
    the functionality working.
    
    I have done pretty extensive testing of this code so far and we are looking to be in
    pretty good shape.  One thing to note is that a `Diffie-Hellman` group **is required**
    in order for this feature to work correctly.  It is not highlighted in the tests below,
    but I have shown that the `PFS` is not required for this feature to work.  In #872 I have
    shown a more exhaustive set of tests of this code, but I have limited this set of tests
    to a recommended `IKE` and `ESP` configuration in order to reduce the noise and test the
    other areas of functionality.
    
    **Test Results**
    I am testing this functionality by creating two VPCs with VMs in each and creating an
    S2S VPN connection between the two VPCs. Then I SSH into a VM in one VPC and I ping the
    private IP of a VM in the other VPC. Then I tear it down and try a different configuration.
    
    _Setup_
    ```
    VPC 1                          VPC 2               
    =====                          =====               
    VPN Gateway                    VPN Gateway         
    VPN Customer Gateway           VPN Customer Gateway
    VPN Connection        <--->    VPN Connection
     - Passive = True               - Passive = False
    ```
    
    _Legend_
    `SKIP` => At least one of the VPN Connections did not come up, so no test was run.
    `OK` => The ping test was successful over the S2S VPN connection.
    `FAIL` => The ping test failed over the S2S VPN connection.
    
    `Passive` => Specifies whether either of the `<vpc_1> : <vpc_2>` sides of the VPN
    Connection is set to passive.
    `Conn State` => Specifies the connection status of the `<vpc_1> : <vpc_2>` VPN
    Connection in the UI.
    `Requires Reset` => If the ping test does not result in an `OK`, then a VPN Connection
    Reset is performed on either of the `<vpc_1> : <vpc_2>` sides of the VPN Connection,
    based on which side is not showing `Connected`.  The result in the `Status` column is
    the final result after the reset is performed.
    
    _Results_
    ```
    +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
    | Status | IKE & ESP            | DPD   | Encap | IKE Life | ESP Life | Passive       | Conn State                  | Requires Reset |
    +========+======================+=======+=======+==========+==========+===============+=============================+================+
    | OK     | aes128-sha1;modp1536 | True  | False | 86400    | 3600     | True : False  | Disconnected : Connected    | False : False  |
    +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
    | OK     | aes128-sha1;modp1536 | False | False | 86400    | 3600     | True : False  | Disconnected : Connected    | False : False  |
    +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
    | OK     | aes128-sha1;modp1536 | True  | True  | 86400    | 3600     | True : False  | Disconnected : Connected    | False : False  |
    +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
    | OK     | aes128-sha1;modp1536 | True  | False |          | 3600     | True : False  | Disconnected : Connected    | False : False  |
    +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
    | OK     | aes128-sha1;modp1536 | True  | False | 86400    |          | True : False  | Disconnected : Connected    | False : False  |
    +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
    | OK     | aes128-sha1;modp1536 | True  | False |          |          | True : False  | Disconnected : Connected    | False : False  |
    +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
    | OK     | aes128-sha1;modp1536 | True  | False | 86400    | 3600     | False : False | Connected : Connected       | False : False  |
    +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
    | OK     | aes128-sha1;modp1536 | True  | False | 86400    | 3600     | True : True   | Disconnected : Disconnected | False : False  |
    +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
    | SKIP   | aes128-sha1          | True  | False | 86400    | 3600     | True : False  | Disconnected : Error        | True : False   |
    +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
    | SKIP   | aes128-sha1          | False | False | 86400    | 3600     | True : False  | Disconnected : Error        | True : False   |
    +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
    | FAIL   | aes128-sha1          | True  | False | 86400    | 3600     | True : True   | Disconnected : Disconnected | True : True    |
    +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
    | SKIP   | aes128-sha1          | True  | False | 86400    | 3600     | False : False | Connected : Error           | False : False  |
    +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
    ```

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/swill/cloudstack strongswanvpn

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/1741.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1741
    
----
commit 68d9cb152e534f95af5e8198a2a2d5fe6ecc5a9d
Author: Will Stevens <williamstevens@gmail.com>
Date:   2016-10-27T12:54:58Z

    merging jayapalu and swill's strongswan vpn changes into a single commit

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
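
The message above reports that a policy without a Diffie-Hellman group (`aes128-sha1`) never produced a working tunnel, while PFS was not required. The following is an added example, not code from the pull request: a pre-flight check that parses policy strings in the `cipher-hash;dhgroup` form used in the results table and flags an IKE policy with no DH group. The function names and the sample gateway names are hypothetical.

```python
import re

# "<cipher>-<hash>[;<dhgroup>]", the policy form shown in the results table.
POLICY_RE = re.compile(r"^([a-z0-9]+)-([a-z0-9]+)(?:;([a-z0-9]+))?$")


def parse_policy(policy):
    """Split a policy string into cipher, hash and optional DH group."""
    m = POLICY_RE.match(policy.strip().lower())
    if m is None:
        raise ValueError("unrecognised policy string: %r" % policy)
    cipher, digest, dh = m.groups()
    return {"cipher": cipher, "hash": digest, "dh": dh}


def to_strongswan(policy):
    """Render the policy in strongSwan ipsec.conf proposal syntax (ike= / esp=)."""
    p = parse_policy(policy)
    return "-".join(v for v in (p["cipher"], p["hash"], p["dh"]) if v)


def check_gateway(name, ike_policy, esp_policy):
    """Return (severity, message) findings for one customer gateway."""
    findings = []
    for label, policy in (("IKE", ike_policy), ("ESP", esp_policy)):
        try:
            parsed = parse_policy(policy)
        except ValueError as exc:
            findings.append(("error", "%s %s: %s" % (name, label, exc)))
            continue
        if parsed["dh"] is None and label == "IKE":
            # Matches the SKIP/FAIL rows: no DH group, no working tunnel.
            findings.append(("error", "%s IKE policy %r has no DH group" % (name, policy)))
        elif parsed["dh"] is None:
            # The message states PFS is not required, so this is informational.
            findings.append(("info", "%s ESP policy %r has no PFS group" % (name, policy)))
    return findings


if __name__ == "__main__":
    # Constructed sample gateways using the two policy values from the table.
    samples = [("vpc1-gw", "aes128-sha1;modp1536", "aes128-sha1"),
               ("vpc2-gw", "aes128-sha1", "aes128-sha1")]
    for gw, ike, esp in samples:
        print(gw, "ike=" + to_strongswan(ike), check_gateway(gw, ike, esp))
```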
