Github user swill commented on the issue:

    https://github.com/apache/cloudstack/pull/872
  
    @jayapalu the issues are harder to notice if the connection is always coming up.  The problem is if you do a configuration in which the connection does not come up.  Because of the logic I pointed out above, the `stopVpnConnection()` function is never called in the Java, so the VRs are never directed to remove the S2S VPN configuration from the VR.
    
    > Each time we configure the s2s vpn we are supposed to overwrite the config file (ipsec.vpn-.conf).
    > Even if the file did not get deleted, next time the config gets overwritten.
    
    This is not actually the case.  If the Connection state is `Disconnected`, then the config files are not deleted from the VR.  In that case, for example, if you had `dpd=true`, then it will add the following items to the config file.
    
    ```
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    ```
    
    Now let's assume that we need to set `dpd=false`, so we remove the configuration from ACS ([the files won't get deleted because it is in `Disconnected` state](https://github.com/apache/cloudstack/blob/master/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java#L520)).  Then when the new configuration is applied to the VR, it will see the `dpd=false` and will not attempt to modify those lines.  Which means that since the config already had those `dpd` lines in the config, they will not be removed and every config will include those `dpd` config options even though ACS has specified that those config options should not be present.
    
    I have updated the java code to delete the configs from the VR even if the connection is disconnected.  I will continue testing and will send a PR to your PR soon.
    
    I see you have made changes to this PR.  Are the changes a result of testing and do these changes fix some bad behavior?
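
The stale-option behaviour described in the comment above, as an added Python example that is not part of the comment or of CloudStack's code: it models an update that only adds `dpd` options, compares it with rebuilding the file from the desired state, and checks the result for drift. The function names, the additive update logic and the `BASE` connection lines are assumptions made for illustration; only the three `dpd` values come from the comment.

```python
# Added illustration; not CloudStack code. The update logic is an assumed model
# of the behaviour described in the comment, and BASE is constructed sample data.
DPD = {"dpddelay": "30", "dpdtimeout": "120", "dpdaction": "restart"}  # values from the comment
BASE = ["conn vpn-example", "  left=192.0.2.1", "  right=198.51.100.1"]  # constructed


def parse_options(lines):
    """Return {key: value} for key=value lines, skipping comments and section headers."""
    opts = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def apply_additive(existing, dpd):
    """Assumed in-place update: adds DPD options when dpd is true, touches nothing when false."""
    lines = list(existing)
    if dpd:
        present = parse_options(lines)
        lines += [f"  {k}={v}" for k, v in DPD.items() if k not in present]
    return lines


def render_from_desired(dpd):
    """Rebuild the whole file from the desired state, so old options cannot survive."""
    return BASE + ([f"  {k}={v}" for k, v in DPD.items()] if dpd else [])


def dpd_drift(lines, dpd):
    """List (key, on_disk, wanted) for DPD options that differ from the desired state."""
    found = {k: v for k, v in parse_options(lines).items() if k.startswith("dpd")}
    wanted = DPD if dpd else {}
    return sorted((k, found.get(k), wanted.get(k))
                  for k in found.keys() | wanted.keys() if found.get(k) != wanted.get(k))


if __name__ == "__main__":
    on_disk = apply_additive(BASE, dpd=True)      # first configuration, dpd=true
    on_disk = apply_additive(on_disk, dpd=False)  # file survived, reconfigured with dpd=false
    print("additive:", dpd_drift(on_disk, dpd=False))
    print("rebuilt: ", dpd_drift(render_from_desired(False), dpd=False))
```
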

