[
https://issues.apache.org/jira/browse/CLOUDSTACK-8685?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14696709#comment-14696709
]
ASF GitHub Bot commented on CLOUDSTACK-8685:
--------------------------------------------
Github user jayapal commented on the pull request:
https://github.com/apache/cloudstack/pull/693#issuecomment-131026551
Guys, wrong tag.
My user name is jayapal and the actual committer was jayapalu.
On Fri, Aug 14, 2015 at 1:47 PM, Remi Bergsma <[email protected]>
wrote:
> This is work done together with @Jayapal <https://github.com/Jayapal> on
> fixing the site2site VPN. The first part was done in PR #690
> <https://github.com/apache/cloudstack/pull/690> by @Jayapal
> <https://github.com/Jayapal>. On top of that, some other fixes were
> needed and those are added in this PR. It made sense to make a new PR
> which includes all fixes so we can actually test it.
>
> The original PR #690 <https://github.com/apache/cloudstack/pull/690> is
> already merged into this one, so can be closed. Since the commit ids are
> kept the same, merging this will close both.
>
> I closely compared the 4.4/4.5 implementation with the new 4.6 one. I did
> not only make it work, but also added some security improvements (some of
> which were also in 4.4/4.5). I noticed the pre shared key was being
> logged, so removed that as well.
>
> This is how I tested and verified it:
>
> https://github.com/schubergphilis/MCT-shared/tree/master/helper_scripts/cloudstack/vpn_tests
> When I have some time available, I'll write a Marvin test for it that we
> can include in the repo.
>
> It now works(tm) with one manual step due to CLOUDSTACK-8685:
> We need a default gateway before site-to-site VPN will actually work. It
> will connect, but not forward packets. The reason for this, is due to the
> iptables setup. VM1 has router1 as gateway, but router1 does not know the
> route to VM2 so it will give up. With a default gateway, the packets are
> about to be forwarded to the default gateway but when they reach eth1 the
> public nic, iptables kicks in, does some magic and forwards it through the
> ipsec tunnel. So, you need a default gw set to upstream.
>
> Workaround for now is setting the route manually:
> route add default gw 1.2.3.4 or ip route add default via 1.2.3.4
>
> In other words, we need to fix CLOUDSTACK-8685 soon, too.
>
> @Jayapal <https://github.com/Jayapal> @snuf <https://github.com/snuf>
> could you please review this?
> ------------------------------
> You can view, comment on, or merge this pull request online at:
>
> https://github.com/apache/cloudstack/pull/693
> Commit Summary
>
> - CLOUDSTACK-8710: Fixed applying iptables rules for s2s vpn
> - CLOUDSTACK-8730: fix s2s iptables rules and ipsec config
> - tighten security of site-to-site VPN
> - do not log sensitive site-to-site VPN PSK
> - Merge pull request #690 from jayapalu/vpn
>
> File Changes
>
> - *M* systemvm/patches/debian/config/opt/cloud/bin/configure.py
> <https://github.com/apache/cloudstack/pull/693/files#diff-0> (18)
> - *M* systemvm/patches/debian/config/opt/cloud/bin/cs/CsFile.py
> <https://github.com/apache/cloudstack/pull/693/files#diff-1> (5)
>
> Patch Links:
>
> - https://github.com/apache/cloudstack/pull/693.patch
> - https://github.com/apache/cloudstack/pull/693.diff
>
> [VPC_VR] Default route is not configured on VPC VR
> --------------------------------------------------
>
> Key: CLOUDSTACK-8685
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8685
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: Network Controller
> Affects Versions: 4.6.0
> Environment: Advanced zone with VPC. Latest build from ACS master.
> Reporter: Sanjeev N
> Priority: Critical
> Attachments: management-server.zip
>
>
> [VPC_VR] Default route is not configured on VPC VR
> Steps to reproduce:
> ================
> 1.Bring up CS in advanced zone
> 2.Create VPC and wait for the VR to come into running state
> 3.Connect to VR and verify route table information
> Result:
> ======
> Default route is not configured on VPC VR.
> root@r-9-VM:/var/cache/cloud# route -n
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
> 10.1.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
> 10.220.128.0 0.0.0.0 255.255.224.0 U 0 0 0 eth1
> 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
> root@r-9-VM:/var/cache/cloud#
> Observations:
> ===========
> When the VR boots up, we run cloud-early-config. This cleans up any
> default route that exists on the VR. Then we execute vpc_ipassoc.sh to configure
> the public nic and the default route via the public nic. However, in the latest ACS
> master we are not executing vpc_ipassoc.sh.
> For any configuration on the VR, we are creating a configuration file and applying
> it with update_config.py.
> Looks like adding the default route is missing in the configuration file.
> Following is the configuration file generated on the VR:
> 2015-07-29 05:20:39,132 DEBUG [c.c.h.x.r.CitrixResourceBase]
> (DirectAgent-402:ctx-83549002) VR Config file
> VR-d3b73941-7b3d-489a-bcc6-47c6a777c950.cfg got created in VR, ip
> 169.254.0.54 with content
> #Apache CloudStack Virtual Router Config File
> <version>
> 1.0
> </version>
> <file>
> /var/cache/cloud/ip_associations.json
> {"ip_address":[{"public_ip":"10.220.135.97","source_nat":false,"add":true,"one_to_one_nat":false,"first_i_p":false,"gateway":"10.220.128.1","netmask":"255.255.224.0","vif_mac_address":"06:dd:e0:00:00:0e","nic_dev_id":1,"new_nic":false},{"public_ip":"10.220.135.99","source_nat":false,"add":true,"one_to_one_nat":true,"first_i_p":false,"gateway":"10.220.128.1","netmask":"255.255.224.0","vif_mac_address":"06:dd:e0:00:00:0e","nic_dev_id":1,"new_nic":false}],"type":"ips"}
> </file>
> <script>
> /opt/cloud/bin/update_config.py ip_associations.json
> </script>
> <file>
> /var/cache/cloud/staticnat_rules.json
> {"rules":[{"revoke":false,"source_ip_address":"10.220.135.99","source_port_range":"0:0","destination_ip_address":"10.1.1.36"}],"type":"staticnatrules"}
> </file>
> <script>
> /opt/cloud/bin/update_config.py staticnat_rules.json
> </script>
> <file>
> /var/cache/cloud/forwarding_rules.json
> {"rules":[{"revoke":false,"protocol":"tcp","source_ip_address":"10.220.135.97","source_port_range":"22:22","destination_ip_address":"10.1.1.194","destination_port_range":"22:22"}],"type":"forwardrules"}
> </file>
> <script>
> /opt/cloud/bin/update_config.py forwarding_rules.json
> </script>
> <file>
> /var/cache/cloud/network_acl.json
> {"device":"eth2","mac_address":"02:00:7c:a8:00:02","private_gateway_acl":false,"nic_ip":"10.1.1.1","nic_netmask":"24","ingress_rules":[{"type":"tcp","first_port":22,"last_port":22,"cidr":"0.0.0.0/0","allowed":true}],"egress_rules":[{"type":"icmp","icmp_type":-1,"icmp_code":-1,"cidr":"0.0.0.0/0","allowed":true}],"type":"networkacl"}
> </file>
> <script>
> /opt/cloud/bin/update_config.py network_acl.json
> </script>
> <file>
> /var/cache/cloud/vm_dhcp_entry.json
> {"host_name":"VM-403a0536-ba54-404f-a664-1b14d039497c","mac_address":"02:00:10:ca:00:01","ipv4_adress":"10.1.1.194","ipv6_duid":"00:03:00:01:02:00:10:ca:00:01","default_gateway":"10.1.1.1","default_entry":true,"type":"dhcpentry"}
> </file>
> <script>
> /opt/cloud/bin/update_config.py vm_dhcp_entry.json
> </script>
> <file>
> /var/cache/cloud/vm_dhcp_entry.json
> {"host_name":"VM-4c5e69ab-65dd-4315-b8fb-702f5599ede0","mac_address":"02:00:0f:22:00:03","ipv4_adress":"10.1.1.36","ipv6_duid":"00:03:00:01:02:00:0f:22:00:03","default_gateway":"10.1.1.1","default_entry":true,"type":"dhcpentry"}
> </file>
> <script>
> /opt/cloud/bin/update_config.py vm_dhcp_entry.json
> </script>
> <file>
> /var/cache/cloud/vm_metadata.json
> {"vm_ip_address":"10.1.1.194","vm_metadata":[["userdata","user-data",null],["metadata","service-offering","Tiny Instance"],["metadata","availability-zone","XenRT-Zone-0"],["metadata","local-ipv4","10.1.1.194"],["metadata","local-hostname","VM-403a0536-ba54-404f-a664-1b14d039497c"],["metadata","public-ipv4","10.220.135.96"],["metadata","public-hostname","10.220.135.96"],["metadata","instance-id","403a0536-ba54-404f-a664-1b14d039497c"],["metadata","vm-id","403a0536-ba54-404f-a664-1b14d039497c"],["metadata","public-keys",null],["metadata","cloud-identifier","CloudStack-{5bcd0291-2ac9-4d68-9887-bda6ae6596c2}"]],"type":"vmdata"}
> </file>
> <script>
> /opt/cloud/bin/update_config.py vm_metadata.json
> </script>
> <file>
> /var/cache/cloud/vm_metadata.json
> {"vm_ip_address":"10.1.1.36","vm_metadata":[["userdata","user-data",null],["metadata","service-offering","Tiny Instance"],["metadata","availability-zone","XenRT-Zone-0"],["metadata","local-ipv4","10.1.1.36"],["metadata","local-hostname","VM-4c5e69ab-65dd-4315-b8fb-702f5599ede0"],["metadata","public-ipv4","10.220.135.96"],["metadata","public-hostname","10.220.135.96"],["metadata","instance-id","4c5e69ab-65dd-4315-b8fb-702f5599ede0"],["metadata","vm-id","4c5e69ab-65dd-4315-b8fb-702f5599ede0"],["metadata","public-keys",null],["metadata","cloud-identifier","CloudStack-{5bcd0291-2ac9-4d68-9887-bda6ae6596c2}"]],"type":"vmdata"}
> </file>
> <script>
> /opt/cloud/bin/update_config.py vm_metadata.json
> </script>
> 2015-07-29 05:20:39,132 DEBUG [c.c.h.x.r.CitrixResourceBase]
> (DirectAgent-402:ctx-83549002) Executing command in VR:
> /opt/cloud/bin/router_proxy.sh vr_cfg.sh 169.254.0.54 -c
> /var/cache/cloud/VR-d3b73941-7b3d-489a-bcc6-47c6a777c950.cfg
> Please look for job-115 in the attached MS log file for the sequence of
> events happened when we rebooted VPC VR
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
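Added example, not code from the CloudStack project or from either participant in the thread: a small Python health check for the symptom reported in CLOUDSTACK-8685. It parses `route -n` output and the `ip_associations.json` generated for the VR, reports whether a default route exists that points at the public gateway, and builds the manual `ip route` workaround quoted above from the config. It assumes that `nic_dev_id` N corresponds to interface ethN (the quoted output shows nic_dev_id 1 and the 10.220.128.0/19 network on eth1); the sample data below is constructed in the shape of the quoted output.

```python
import json

# Constructed sample in the shape of the ip_associations.json quoted in the issue:
# one public IP being added on nic_dev_id 1 (assumed to be eth1), gateway 10.220.128.1.
IP_ASSOCIATIONS = json.loads('{"ip_address":[{"public_ip":"10.220.135.97",'
                             '"source_nat":false,"add":true,"gateway":"10.220.128.1",'
                             '"netmask":"255.255.224.0","nic_dev_id":1}],"type":"ips"}')

# Constructed `route -n` output: the broken state from the report (no 0.0.0.0 row),
# and the same table after the workaround from the thread has been applied.
ROUTE_N_BROKEN = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth2
10.220.128.0    0.0.0.0         255.255.224.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
"""
ROUTE_N_FIXED = ROUTE_N_BROKEN + \
    "0.0.0.0         10.220.128.1    0.0.0.0         UG    0      0        0 eth1\n"


def parse_route_n(output):
    """Turn `route -n` output into dicts; the first two lines are headers."""
    routes = []
    for line in output.splitlines()[2:]:
        fields = line.split()
        if len(fields) == 8:
            routes.append({"dest": fields[0], "gw": fields[1], "iface": fields[7]})
    return routes


def public_gateways(ip_assoc):
    """Map public interface -> gateway for every IP that is being added (add=true)."""
    return {"eth%d" % e["nic_dev_id"]: e["gateway"]
            for e in ip_assoc["ip_address"] if e["add"]}


def check_default_route(route_output, ip_assoc):
    """Return (ok, detail). ok is True only when a default route exists whose
    gateway and interface match a public nic from ip_associations.json."""
    wanted = public_gateways(ip_assoc)
    defaults = [r for r in parse_route_n(route_output) if r["dest"] == "0.0.0.0"]
    for r in defaults:
        if wanted.get(r["iface"]) == r["gw"]:
            return True, "default route via %s on %s" % (r["gw"], r["iface"])
    if not defaults:
        return False, "no default route; expected via one of %s" % sorted(wanted.values())
    return False, "default route %s does not match public gateway(s) %s" % (
        [(r["gw"], r["iface"]) for r in defaults], wanted)


def workaround_command(ip_assoc):
    """The manual `ip route add default via ...` step from the thread, filled in
    from the config (first public interface in name order)."""
    iface, gw = sorted(public_gateways(ip_assoc).items())[0]
    return "ip route add default via %s dev %s" % (gw, iface)
```

Run on a live VR by feeding it the real `route -n` output and `/var/cache/cloud/ip_associations.json`; a `False` result with the "no default route" detail is exactly the state shown in the bug report.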