Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872

The more I dig into this the deeper the rabbit hole goes. Here are a few things I have found which I need to address.

- When a VPN connection, gateway, etc. is deleted, the configuration is not actually cleaned up.
- When a new configuration is defined, it only has the ability to add to or modify the current configuration; it does not have the ability to remove config items. Combined with the above point, this means that if you ever turn on `dpd`, for example, it is not possible to ever turn it off.
- The configuration files on the VR do not reflect the running config in `ipsec`. You can have identical configurations and it will work sometimes and it won't work other times. I have been able to reset the config to make the running config match the defined config by doing an `ipsec restart`, but I have to close the gap as to why it is not consistent and where the divergence happens. I believe it is due to the PSK not actually getting updated with an `ipsec rereadsecrets`, but because of other issues, I can't even get code blocks to execute when they should be on changes.
- There appears to be a problem with the `if secret.is_changed() or file.is_changed()` logic which is causing logic not to run when it should. I am still working out why this is the case.

All to say, I still have a lot to work through before this is ready for primetime. I think I have the Remote Access VPN functionality working as expected and relatively stable now, but I am still working through a lot of issues with the S2S VPN feature(s).

I have given a code drop of the Remote Access VPN functionality to one of our operations teams to continue testing that feature as I work through the S2S issues.

Hopefully I will have better news next week. Have a nice weekend everyone...