Date: Sat, 2 Dec 2017 15:27:00 +0000 (UTC)
From: "ASF GitHub Bot (JIRA)"
To: cloudstack-issues@incubator.apache.org
Subject: [jira] [Commented] (CLOUDSTACK-10010) Some S2S VPN configurations fail to establish a connection

[ https://issues.apache.org/jira/browse/CLOUDSTACK-10010?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16275609#comment-16275609 ]

ASF GitHub Bot commented on CLOUDSTACK-10010:
---------------------------------------------

rhtyd commented on a change in pull request #2190: CLOUDSTACK-10010: Fixed the negotiation of S2S VPN connections
URL: https://github.com/apache/cloudstack/pull/2190#discussion_r154496797

##########
File path: systemvm/patches/debian/config/opt/cloud/bin/configure.py
##########
@@ -582,10 +582,21 @@ def configure_ipsec(self, obj): logging.info("Configured vpn %s %s", leftpeer, rightpeer) CsHelper.execute("ipsec rereadsecrets") - # This will load the new config and start the connection when needed since auto=start in the config + # This will load the new config CsHelper.execute("ipsec reload") os.chmod(vpnsecretsfile, 0400) + # Check that the ipsec config is ready + for i in range(2): + result = CsHelper.execute('ipsec status vpn-%s | grep "%s"' % (rightpeer, peerlist.split(",", 1)[0])) + if len(result) > 0: + break + time.sleep(1) + + # With 'auto=route', connections are established with an attempt to communicate over the S2S VPN + # Attempt to ping the other side to initialize the connection of the S2S VPN configuration + CsHelper.execute("timeout 0.5 ping -c 1 %s" % (peerlist.split("/", 1)[0])) Review comment: Here the timeout maybe too small and the ping `IP` may be something like 10.0.0.0 (for a peer cidr of 10.0.0.0/16) instead of say 10.1.1.1. It's better to ping right peer or ping the peerlist cidr replacing `.0` with `.1`? ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: users@infra.apache.org > Some S2S VPN configurations fail to establish a connection > ---------------------------------------------------------- > > Key: CLOUDSTACK-10010 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10010 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the default.) > Components: Virtual Router > Affects Versions: 4.10.0.0 > Reporter: Will Stevens > > I am not sure if a regression was introduced with this PR #2062, but we have found issues with this configuration now that we have it in production. 
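Review bot: the readiness loop around `ipsec status vpn-%s` gives up after two 1-second tries without logging anything, so a connection that never shows up in the status output falls straight through to the ping and the failure leaves no trace in the router log; add a `logging.warning(...)` when the loop is exhausted and log the ping outcome too, since with `auto=route` that single ping is the only thing that triggers negotiation. Also confirm that `time` is imported at the top of configure.py (the hunk does not show it), and because `rightpeer` and `peerlist` are interpolated into a shell pipeline, this code should only ever see values the management server has already validated as IP/CIDR strings.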
> The core of this change is to change the S2S VPN config from {{auto=start}} to {{auto=route}}. Read more about this setting here: https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
> We found there to be issues when using {{auto=start}} for both sides of the connection, as there was a problem negotiating the connection. Instead, the {{auto=route}} config will only establish a connection once there is an attempt to send traffic over the connection. In order to attempt to open the connection as soon as the VPN connection is configured, a ping to the other side of the connection has been added to establish the connection.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
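The trigger ping and readiness check discussed in the review, as an added Python example that is not CloudStack's configure.py (`status_fn` and `build_trigger_command` are hypothetical stand-ins for `CsHelper.execute`): it derives a pingable host from the peer CIDR list rather than the network address, waits for the connection to appear in `ipsec status`, and logs when it does not.

```python
import ipaddress
import logging
import time


def trigger_address(peerlist):
    """Pick a host to ping from a comma-separated list of peer CIDRs.

    Pinging the network address (10.0.0.0 for 10.0.0.0/16) reaches nothing,
    so use the first usable host of the first CIDR instead; a /31 or /32
    (and the IPv6 equivalents) has no separate network address to skip.
    """
    first = peerlist.split(",", 1)[0].strip()
    net = ipaddress.ip_network(first, strict=False)  # mask off host bits
    if net.num_addresses <= 2:
        return str(net.network_address)
    return str(next(net.hosts()))  # e.g. 10.0.0.1 for 10.0.0.0/16


def wait_for_connection(status_fn, conn, needle, attempts=2, delay=1.0,
                        sleep=time.sleep):
    """Poll status_fn(conn) until its output mentions needle.

    status_fn is an injected callable that returns the text of
    'ipsec status <conn>' (hypothetical; stands in for CsHelper.execute)
    so the loop is testable without a router. Returns True once the
    connection is listed, False (with a logged warning) otherwise.
    """
    for attempt in range(1, attempts + 1):
        if needle in status_fn(conn):
            logging.info("connection %s loaded after %d attempt(s)", conn, attempt)
            return True
        sleep(delay)
    logging.warning("connection %s not listed after %d attempts", conn, attempts)
    return False


def build_trigger_command(peerlist, timeout_s=2):
    """Build the ping that triggers an auto=route tunnel, as an argv list.

    An argv list keeps config-derived strings out of a shell; timeout_s is
    a constructed value, longer than the 0.5 s used in the PR.
    """
    return ["timeout", str(timeout_s), "ping", "-c", "1", trigger_address(peerlist)]


if __name__ == "__main__":
    # Constructed sample: a peer list with two CIDRs and a fake status reader.
    print(build_trigger_command("10.0.0.0/16,192.168.1.0/24"))
    print(wait_for_connection(lambda c: "vpn-1.2.3.4: 10.0.0.0/16 ===",
                              "vpn-1.2.3.4", "10.0.0.0/16", sleep=lambda s: None))
```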