cloudstack-issues mailing list archives

From "Daan Hoogland (JIRA)" <>
Subject [jira] [Commented] (CLOUDSTACK-6747) Allowing non rfc1918 networks on the other end of VPC Site 2 Site VPN
Date Wed, 25 Jun 2014 12:40:24 GMT


Daan Hoogland commented on CLOUDSTACK-6747:

fix seems simple: create a more forgiving check and use that instead of the validGuestCidrList

will fix for master but as we ran into this as well we might put effort into backporting

increased level to major as this is counterintuitive and restrictive on the functionality of ACS

> Allowing non rfc1918 networks on the other end of VPC Site 2 Site VPN
> ---------------------------------------------------------------------
>                 Key: CLOUDSTACK-6747
>                 URL:
>             Project: CloudStack
>          Issue Type: Improvement
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Management Server, Network Controller, Virtual Router
>    Affects Versions: 4.2.0, 4.3.0
>            Reporter: Erik Weber
>            Assignee: Daan Hoogland
>             Fix For: Future
> When you configure a Site 2 Site VPN Customer gateway the other end from CloudStack's point of view is not allowed to be outside rfc1918 address scope.
> There are use cases where the client / remote networks use official/public addresses and you want to encrypt / secure the traffic with VPN.
> Log excerpt:
> 2014-05-21 12:30:42,326 WARN  [c.c.u.n.NetUtils] (API-Job-Executor-7:job-3072 ctx-bf3922b1) cidr is not RFC 1918 compliant
> 2014-05-21 12:30:42,335 ERROR [c.c.a.ApiAsyncJobDispatcher] (API-Job-Executor-7:job-3072) Unexpected exception while executing org.apache.cloudstack.api.command.user.vpn.CreateVpnCustomerGatewayCmd
> The customer gateway guest cidr list is invalid guest cidr!
> at
> Expected behavior is that guest cidr should be allowed as long as it's a valid cidr, including if it's outside of RFC1918

This message was sent by Atlassian JIRA
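
The difference between the RFC 1918-only check that produced the log lines above and a more forgiving "any well-formed CIDR" check, as an added example that is not part of the original message and is not CloudStack's code. The class and method names are hypothetical, only IPv4 is handled, and the sample list is constructed.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration; names are hypothetical and this is not CloudStack's NetUtils.
public class GuestCidrCheck {
    private static final Pattern CIDR =
        Pattern.compile("^(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})$");
    // RFC 1918 blocks as {network, prefix}: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
    private static final long[][] RFC1918 = {
        {0x0A000000L, 8}, {0xAC100000L, 12}, {0xC0A80000L, 16}};

    // Returns {address, prefixLength}, or null if s is not a well-formed IPv4 CIDR.
    static long[] parse(String s) {
        Matcher m = CIDR.matcher(s.trim());
        if (!m.matches()) return null;
        long addr = 0;
        for (int i = 1; i <= 4; i++) {
            int octet = Integer.parseInt(m.group(i));
            if (octet > 255) return null;
            addr = (addr << 8) | octet;
        }
        int prefix = Integer.parseInt(m.group(5));
        if (prefix > 32) return null;
        return new long[] {addr, prefix};
    }

    static long mask(long prefix) {
        return prefix == 0 ? 0 : (0xFFFFFFFFL << (32 - prefix)) & 0xFFFFFFFFL;
    }

    // Strict check: the CIDR must lie entirely inside one RFC 1918 block.
    static boolean isRfc1918(long[] c) {
        for (long[] block : RFC1918)
            if (c[1] >= block[1] && (c[0] & mask(block[1])) == block[0]) return true;
        return false;
    }

    // With requirePrivate == false, every entry only has to be a well-formed CIDR.
    static boolean validList(String list, boolean requirePrivate) {
        for (String entry : list.split(",")) {
            long[] c = parse(entry);
            if (c == null || (requirePrivate && !isRfc1918(c))) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        String list = "10.1.0.0/16,198.51.100.0/24"; // constructed sample; second entry is public (TEST-NET-2)
        System.out.println("strict:    " + validList(list, true));
        System.out.println("forgiving: " + validList(list, false));
        System.out.println("malformed: " + validList("10.1.0.0/33", false));
    }
}
```

The forgiving mode still rejects malformed entries such as an out-of-range octet or prefix length; it only drops the requirement that the remote network be private.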
