Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id E34D7200C36 for ; Fri, 24 Feb 2017 00:41:51 +0100 (CET) Received: by cust-asf.ponee.io (Postfix) id E056A160B67; Thu, 23 Feb 2017 23:41:51 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 317C0160B64 for ; Fri, 24 Feb 2017 00:41:51 +0100 (CET) Received: (qmail 63537 invoked by uid 500); 23 Feb 2017 23:41:50 -0000 Mailing-List: contact issues-help@cloudstack.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cloudstack.apache.org Delivered-To: mailing list issues@cloudstack.apache.org Received: (qmail 63528 invoked by uid 500); 23 Feb 2017 23:41:50 -0000 Delivered-To: apmail-incubator-cloudstack-issues@incubator.apache.org Received: (qmail 63525 invoked by uid 99); 23 Feb 2017 23:41:50 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd1-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 23 Feb 2017 23:41:50 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id C030BC092D for ; Thu, 23 Feb 2017 23:41:49 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 0.999 X-Spam-Level: X-Spam-Status: No, score=0.999 tagged_above=-999 required=6.31 tests=[KAM_LAZY_DOMAIN_SECURITY=1, RP_MATCHES_RCVD=-0.001] autolearn=disabled Received: from mx1-lw-eu.apache.org ([10.40.0.8]) by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024) with ESMTP id 2j5UHhaeJMNr for ; Thu, 23 Feb 2017 23:41:48 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTP id 3672D5FBB0 for ; Thu, 23 Feb 2017 23:41:48 +0000 (UTC) Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 48577E043B for ; Thu, 23 Feb 2017 23:41:44 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 05FC921D62 for ; Thu, 23 Feb 2017 23:41:44 +0000 (UTC) Date: Thu, 23 Feb 2017 23:41:44 +0000 (UTC) From: "Sean Lair (JIRA)" To: cloudstack-issues@incubator.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Created] (CLOUDSTACK-9801) IPSec VPN does not work after vRouter reboot or recreate MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 archived-at: Thu, 23 Feb 2017 23:41:52 -0000 Sean Lair created CLOUDSTACK-9801: ------------------------------------- Summary: IPSec VPN does not work after vRouter reboot or recreate Key: CLOUDSTACK-9801 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9801 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Virtual Router Affects Versions: 4.9.0.1, 4.9.0, 4.9.2.0 Environment: Tested in XenServer as hypervisor. With RemoteAccess VPN enabled. Both Remote Access VPN and Site to Site VPN functionality won't work. Reporter: Sean Lair Priority: Critical After a vRouter is recreated (which happens when a reboot via CloudStack UI for example) and Remote Access VPN enabled, VPN won't work anymore. Here is the abbreviated output of "ipsec auto -status" while we were having the issue: root@r-10-VM:~# ipsec auto --status 000 using kernel interface: netkey 000 interface lo/lo 127.0.0.1 000 interface lo/lo 127.0.0.1 000 interface eth0/eth0 169.254.1.45 000 interface eth0/eth0 169.254.1.45 000 %myid = (none) Notice that only eth0 is shown, not the public interface eth1. Because of that ipsec is broken. However, if we manually stopped and started ipsec, then issued a "ipsec auto -status", the abbreviated output would be: root@r-10-VM:~# ipsec auto --status 000 using kernel interface: netkey 000 interface lo/lo 127.0.0.1 000 interface lo/lo 127.0.0.1 000 interface eth0/eth0 169.254.1.45 000 interface eth0/eth0 169.254.1.45 000 interface eth1/eth1 xxx.xxx.xxx.172 000 interface eth1/eth1 xxx.xxx.xxx.172 000 interface eth2/eth2 192.168.1.1 000 interface eth2/eth2 192.168.1.1 000 %myid = (none) eth1 interface IP is masked, but now ipsec sees all the interfaces and VPN works. Looks like this bug was introduced by Pull Request #1423 https://github.com/apache/cloudstack/pull/1423 It added code to start ipsec (cloudstack/systemvm/patches/debian/config/opt/cloud/bin/configure.py) if vpnconfig['create']: logging.debug("Enabling remote access vpn on "+ public_ip) CsHelper.start_if_stopped("ipsec") self.configure_l2tpIpsec(public_ip, self.dbag[public_ip]) The issue is that if a reboot is issued from the CloudStack UI (as opposed to manually by logging into the vRouter), the NICS (except eth0) are not added to the VM until the cloud service is running. Since ipsec was started before the nics were added to the VM and before the public IP address is added to the nic, ipsec is not listening on the public IP address and all VPNs are broken. This is not a problem with the Site2Site VPN section of configure.py, because that section does not start ipsec if the public IP is not on the system yet... -- This message was sent by Atlassian JIRA (v6.3.15#6346)