Github user swill commented on the issue:

    https://github.com/apache/cloudstack/pull/872
  
    The more I dig into this the deeper the rabbit hole goes.  Here are a few things I have found which I need to address.
    - When a VPN connection, gateway, etc. is deleted, the configuration is not actually cleaned up.
    - When a new configuration is defined, it only has the ability to add to or modify the current configuration; it does not have the ability to remove config items.  Combined with the above point, this means that if you ever turn on `dpd` for example, it is not possible to ever turn it off.
    - The configuration files on the VR do not reflect the running config in `ipsec`.  You can have identical configurations and it will work sometimes and it won't work other times.  I have been able to reset the config to make the running config match the defined config by doing an `ipsec restart`, but I have to close the gap as to why it is not consistent and where the divergence happens.  I believe it is due to the PSK not actually getting updated with an `ipsec rereadsecrets`, but because of other issues, I can't even get code blocks to execute when they should be on changes.
    - There appears to be a problem with the `if secret.is_changed() or file.is_changed()` logic which is causing logic not to run when it should.  I am still working out why this is the case.

    All to say, I still have a lot to work through before this is ready for primetime.  I think I have the Remote Access VPN functionality working as expected and relatively stable now, but I am still working through a lot of issues with the S2S VPN feature(s).  I have given a code drop of the Remote Access VPN functionality to one of our operations teams to continue testing that feature as I work through the S2S issues.  Hopefully I will have better news next week.
    
    Have a nice weekend everyone...

