[jira] [Commented] (CLOUDSTACK-5501) Unable to create more than one vpnConnection per vpn customer gateway
[ https://issues.apache.org/jira/browse/CLOUDSTACK-5501?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14239199#comment-14239199 ] ASF GitHub Bot commented on CLOUDSTACK-5501: Github user asfgit closed the pull request at: https://github.com/apache/cloudstack/pull/54 > Unable to create more than one vpnConnection per vpn customer gateway > - > > Key: CLOUDSTACK-5501 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5501 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) > Components: Management Server >Affects Versions: 4.3.0 >Reporter: Alena Prokharchyk >Assignee: Sheng Yang >Priority: Critical > Fix For: 4.4.0 > > > There is currently a limitation in the CS code when you can't create more > than one vpn connection per customer gateway. There are no technical reasons > for this kind of limitation, so we should remove it as the customers might > want to use his customer gateway cross zones if he owns VPCs in diff zones. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (CLOUDSTACK-5501) Unable to create more than one vpnConnection per vpn customer gateway
[ https://issues.apache.org/jira/browse/CLOUDSTACK-5501?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14238219#comment-14238219 ] ASF GitHub Bot commented on CLOUDSTACK-5501: GitHub user remibergsma opened a pull request: https://github.com/apache/cloudstack/pull/54 make the VPN feature work more reliable and secure At Schuberg Philis we wanted to use the VPN feature, but found it hard to make it work in a reliable way. When we dove into it, we found some bugs and problems that we solved along the way. Since this change, the VPN connections are created and destroyed as expected. Also, we tightened the iptable rules to make it more secure. The patched ipsectunnel.sh script works fine in our tests on 4.4, 4.5 and 4.6. Possibly also on 4.3.x when the fix for CLOUDSTACK-5501 is merged. Also, after rebooting a VPC the VPN connection reconnected as one would expect. We tested this change by using the shell script below (based on CloudMonkey). The script will create a VPN connection between each VPN customer gateway it finds, like in a mesh network. Regards, Remi Bergsma / Funs Kessen #!/bin/bash vpncustgws=`cloudmonkey list vpncustomergateways | grep ^id | awk ' { print $3 }'` vpngws=`cloudmonkey list vpngateways | grep ^id | awk ' { print $3 }'` for vpngw in $vpngws do pubip=`cloudmonkey list vpngateways id=$vpngw | grep ^publicip | awk '{print $3}'` echo "dealing with $vpngw, $pubip" for vpncustgw in $vpncustgws do custgw=`cloudmonkey list vpncustomergateways id=$vpncustgw | grep ^gateway | awk '{print $3}'` if [ $custgw == $pubip ] then echo "$pubip is me, $vpncustgw, $custgw, $vpngw!" else echo "creating vpn: $custgw, $pubip" echo "cloudmonkey create vpnconnection s2scustomergatewayid=$vpncustgw s2svpngatewayid=$vpngw" fi done done You can merge this pull request into a Git repository by running: $ git pull https://github.com/remibergsma/cloudstack master Alternatively you can review and apply these changes as the patch at: https://github.com/apache/cloudstack/pull/54.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #54 commit 8b412ce194eaf195dc77531379687de43e14a088 Author: Remi Bergsma Date: 2014-12-08T17:53:18Z remove biglock usage from ipsectunnel.sh Biglock breaks creating VPN's when other scripts run at the same time that also use the same biglock. These other scripts do nothing that could harm our deployment and even multiple vpn's can safely be created simultaniously. commit 8b2563a216b012ab1905e65f446c8b6b1435b983 Author: Remi Bergsma Date: 2014-12-08T17:54:27Z renamed $leftgw to $leftnexthop to make clear what it does commit b95addd3efb45f61b129584ade49bad7bbaa16f8 Author: Remi Bergsma Date: 2014-12-08T17:55:35Z starting the tunnel will make it keep trying until it connects Changed 'auto=add' to 'auto=start' to make sure the tunnel starts. When both sides are there they will connect. This resolves the issue that there is only a small time frame in which the VPN would connect. commit f8d718e3e31ad517969663d24647fcbd9b50cc3d Author: Remi Bergsma Date: 2014-12-08T17:59:16Z add a flag -c whether or not to check the VPN on create Changed default to no, as the other side may not be up yet. If this check fails, the VPN enters Error state and will not work. It's safe to just let it connect on its own so it will connect when it can. commit 7f33f7c3969d3b217ad6977f01bb487ebeee665d Author: Remi Bergsma Date: 2014-12-08T18:00:59Z prevent CloudStack from removing the VPN connection If connecting the VPN takes some time, for example because the other end is not (yet) up, CloudStack will delete the VPN because the ipsectunnel.sh does not return in time. The VPN connection then enters the Error state. This change makes sure ipsectunnel.sh returns in time, and lets ipsec connect in the background. If it all fails, the connection enters Disconnected. commit ef3b4bb4e3342f166489034fa7149540d2ef1383 Author: Remi Bergsma Date: 2014-12-08T18:06:55Z made iptables for the VPN connection more secure Added destination and source definition. Flag -S can be used to ignore this. It's the new default as it is more secure and does not impact the way things work (backwords compatible). > Unable to create more than one vpnConnection per vpn customer gateway > - > > Key: CLOUDSTACK-5501 > URL: https://issues.apache.or
[jira] [Commented] (CLOUDSTACK-5501) Unable to create more than one vpnConnection per vpn customer gateway
[ https://issues.apache.org/jira/browse/CLOUDSTACK-5501?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14226601#comment-14226601 ] ASF subversion and git services commented on CLOUDSTACK-5501: - Commit e9c5a03fb0253261b466fd1e3b496cbd500a8049 in cloudstack's branch refs/heads/4.3 from [~yasker] [ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=e9c5a03 ] CLOUDSTACK-5501: Allow one vpn customer gateway with multiple connections This restriction was purposely avoid confusion of VPN setup, but later found too strictly and cause troubles for deployment. Removed after testing one customer gateway with multiple connections. (cherry picked from commit 0a62eb8380390acc7b76a211ef802de0e19aaf13) Signed-off-by: Rohit Yadav Conflicts: server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java > Unable to create more than one vpnConnection per vpn customer gateway > - > > Key: CLOUDSTACK-5501 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5501 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) > Components: Management Server >Affects Versions: 4.3.0 >Reporter: Alena Prokharchyk >Assignee: Sheng Yang >Priority: Critical > Fix For: 4.4.0 > > > There is currently a limitation in the CS code when you can't create more > than one vpn connection per customer gateway. There are no technical reasons > for this kind of limitation, so we should remove it as the customers might > want to use his customer gateway cross zones if he owns VPCs in diff zones. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (CLOUDSTACK-5501) Unable to create more than one vpnConnection per vpn customer gateway
[ https://issues.apache.org/jira/browse/CLOUDSTACK-5501?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13996189#comment-13996189 ] ASF subversion and git services commented on CLOUDSTACK-5501: - Commit ed7bd0022e23352c8ec57bdd832b49451db88e73 in cloudstack's branch refs/heads/4.4 from [~yasker] [ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=ed7bd00 ] CLOUDSTACK-5501: Allow one vpn customer gateway with multiple connections This restriction was purposely avoid confusion of VPN setup, but later found too strictly and cause troubles for deployment. Removed after testing one customer gateway with multiple connections. > Unable to create more than one vpnConnection per vpn customer gateway > - > > Key: CLOUDSTACK-5501 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5501 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) > Components: Management Server >Affects Versions: 4.3.0 >Reporter: Alena Prokharchyk >Assignee: Sheng Yang >Priority: Critical > Fix For: 4.4.0 > > > There is currently a limitation in the CS code when you can't create more > than one vpn connection per customer gateway. There are no technical reasons > for this kind of limitation, so we should remove it as the customers might > want to use his customer gateway cross zones if he owns VPCs in diff zones. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (CLOUDSTACK-5501) Unable to create more than one vpnConnection per vpn customer gateway
[ https://issues.apache.org/jira/browse/CLOUDSTACK-5501?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13995936#comment-13995936 ] ASF subversion and git services commented on CLOUDSTACK-5501: - Commit a3e9d0ff12deb36fa304795a089345869cc29a08 in cloudstack's branch refs/heads/4.4-forward from [~yasker] [ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=a3e9d0f ] CLOUDSTACK-5501: Allow one vpn customer gateway with multiple connections This restriction was purposely avoid confusion of VPN setup, but later found too strictly and cause troubles for deployment. Removed after testing one customer gateway with multiple connections. > Unable to create more than one vpnConnection per vpn customer gateway > - > > Key: CLOUDSTACK-5501 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5501 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) > Components: Management Server >Affects Versions: 4.3.0 >Reporter: Alena Prokharchyk >Assignee: Sheng Yang >Priority: Critical > Fix For: 4.4.0 > > > There is currently a limitation in the CS code when you can't create more > than one vpn connection per customer gateway. There are no technical reasons > for this kind of limitation, so we should remove it as the customers might > want to use his customer gateway cross zones if he owns VPCs in diff zones. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (CLOUDSTACK-5501) Unable to create more than one vpnConnection per vpn customer gateway
[ https://issues.apache.org/jira/browse/CLOUDSTACK-5501?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13995941#comment-13995941 ] ASF subversion and git services commented on CLOUDSTACK-5501: - Commit 0a62eb8380390acc7b76a211ef802de0e19aaf13 in cloudstack's branch refs/heads/master from [~yasker] [ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=0a62eb8 ] CLOUDSTACK-5501: Allow one vpn customer gateway with multiple connections This restriction was purposely avoid confusion of VPN setup, but later found too strictly and cause troubles for deployment. Removed after testing one customer gateway with multiple connections. > Unable to create more than one vpnConnection per vpn customer gateway > - > > Key: CLOUDSTACK-5501 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5501 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) > Components: Management Server >Affects Versions: 4.3.0 >Reporter: Alena Prokharchyk >Assignee: Sheng Yang >Priority: Critical > Fix For: 4.4.0 > > > There is currently a limitation in the CS code when you can't create more > than one vpn connection per customer gateway. There are no technical reasons > for this kind of limitation, so we should remove it as the customers might > want to use his customer gateway cross zones if he owns VPCs in diff zones. -- This message was sent by Atlassian JIRA (v6.2#6252)