cloudstack-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-10010) Some S2S VPN configurations fail to establish a connection
Date Sat, 02 Dec 2017 13:53:00 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-10010?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16275565#comment-16275565 ]

ASF GitHub Bot commented on CLOUDSTACK-10010:
---------------------------------------------

rhtyd commented on issue #2190: CLOUDSTACK-10010: Fixed the negotiation of S2S VPN connections
URL: https://github.com/apache/cloudstack/pull/2190#issuecomment-348693472
 
 
   @swill /cc @syed I fixed the issue and got the marvin test to pass, see my notes on this PR. My fix is on this PR: https://github.com/apache/cloudstack/pull/2211.
   
   I've done three major things:
   - Increased retry count by 3, and ping the rightpeer:
   ```
   +        for i in xrange(3):
   +            result = CsHelper.execute('ipsec status vpn-%s | grep "%s"' % (rightpeer,
peerlist.split(",", 1)[0]))
   +            if len(result) > 0:
   +                break
   +            time.sleep(1)
   +
   +        # With 'auto=route', connections are established with an attempt to communicate
over the S2S VPN
   +        # Attempt to ping the other side to initialize the connection of the S2S VPN configuration
   +        CsHelper.execute("timeout 2 ping -c 2 %s" % (rightpeer))
   ```
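
Review bot: `rightpeer` and the first `peerlist` entry are formatted straight into the command strings passed to `CsHelper.execute` (`'ipsec status vpn-%s | grep "%s"'` and `"timeout 2 ping -c 2 %s"`), and the pipe implies a shell parses them; confirm both are validated as an IP address and a CIDR before they reach this code, or validate them here. Separately, when all three `ipsec status` attempts return nothing the loop falls through without a log line, and the ping's result is discarded, so a tunnel that never comes up leaves no trace; logging both outcomes would make that visible.
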
   - In the tests, I've used `wait_until` to poll up to 60 seconds on the passive VPN connection (docs say it may take up to 30s for the VPN connection to transition into `Connected` state)
   - Fixed strongswan 5.5 compatible configs

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> Some S2S VPN configurations fail to establish a connection
> ----------------------------------------------------------
>
>                 Key: CLOUDSTACK-10010
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10010
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Virtual Router
>    Affects Versions: 4.10.0.0
>            Reporter: Will Stevens
>
> I am not sure if a regression was introduced with this PR #2062, but we have found issues with this configuration now that we have it in production.
> The core of this change is to change the S2S VPN config from {{auto=start}} to {{auto=route}}. Read more about this setting here: https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
> We found there to be issues when using {{auto=start}} for both sides of the connection as there was a problem negotiating the connection. Instead the {{auto=route}} config will only establish a connection once there is an attempt to send traffic over the connection. In order to attempt to open the connection as soon as the VPN connection is configured, a ping to the other side of the connection has been added to establish the connection.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
