Public bug reported:

We are trying to configure the vpn tunnels with strongswan. We are getting the following error:

2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] Failed to enable vpn process on router 224f2a11-affc-48cb-beb8-93dceb8d7a3e
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Traceback (most recent call last):
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 260, in enable
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     self.start()
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 436, in start
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     self._execute(cmd)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 341, in _execute
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/ip_lib.py", line 816, in execute
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes, **kwargs)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/utils.py", line 159, in execute
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     raise RuntimeError(m)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError:
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'pluto', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--ipsecdir', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc/ipsec.secrets', '--virtual_private', '%v4:192.18.10.0/24,%v4:192.18.8.0/24']
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 2
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin:
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout:
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stderr: /usr/sbin/ipsec: unknown IPsec command `pluto' (`ipsec --help' for list)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec
2016-02-24 10:02:13.700 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -]
Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--status']
Exit code: 2

We were able to configure the tunnels with openswan (after uninstalling strongswan and making configuration changes for openswan) with the same setup.
With strongswan (after uninstalling Openswan and making configuration changes for strongswan driver), the tunnels remain in PENDING_CREATE state and do not become ACTIVE.

We have the following configuration:

1. We have openstack (liberty) installed on the ubuntu 14.04LTS on 1+1 node setup and we are trying to create IKEv1 and IKEv2 tunnels between 2 openstack public clouds.

2. We have installed neutron_vpn-agent along with strongswan package

Output of dpkg list for strongswan packages.
-------------------------------------------------------------------------
root@controller:/var/log/neutron# dpkg -l | grep -i strongswan
ii  libstrongswan              5.1.2-0ubuntu2.4  amd64  strongSwan utility and crypto library
ii  strongswan                 5.1.2-0ubuntu2.4  all    IPsec VPN solution metapackage
ii  strongswan-ike             5.1.2-0ubuntu2.4  amd64  strongSwan Internet Key Exchange (v2) daemon
ii  strongswan-plugin-openssl  5.1.2-0ubuntu2.4  amd64  strongSwan plugin for OpenSSL
ii  strongswan-starter         5.1.2-0ubuntu2.4  amd64  strongSwan daemon starter and configuration file parser

Output of dpkg list for neutron-vpn-agent
-----------------------------------------------------------------------
root@controller:/var/log/neutron# dpkg -l | grep -i vpn-agent
ii  neutron-vpn-agent  2:7.0.0-0ubuntu1~cloud0  all  Neutron is a virtual network service for Openstack - VPN agent

3. The nova-service list and neutron service list are all up and running.
Output of nova service-list

root@controller:/var/log/neutron# nova service-list
+----+------------------+------------+----------+---------+-------+----------------------------+-----------------+
| Id | Binary           | Host       | Zone     | Status  | State | Updated_at                 | Disabled Reason |
+----+------------------+------------+----------+---------+-------+----------------------------+-----------------+
| 1  | nova-cert        | controller | internal | enabled | up    | 2016-02-24T05:42:34.000000 | -               |
| 2  | nova-consoleauth | controller | internal | enabled | up    | 2016-02-24T05:42:34.000000 | -               |
| 3  | nova-scheduler   | controller | internal | enabled | up    | 2016-02-24T05:42:38.000000 | -               |
| 4  | nova-conductor   | controller | internal | enabled | up    | 2016-02-24T05:42:41.000000 | -               |
| 7  | nova-compute     | compute    | nova     | enabled | up    | 2016-02-24T05:42:35.000000 | -               |
+----+------------------+------------+----------+---------+-------+----------------------------+-----------------+

Output of neutron agent-list

root@controller:/var/log/neutron# neutron agent-list
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
| id                                   | agent_type         | host       | alive | admin_state_up | binary                    |
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
| 0b2327b7-12b6-425f-af8d-3fe637106d19 | DHCP agent         | controller | :-)   | True           | neutron-dhcp-agent        |
| 21acf20a-7c20-48ee-b79a-fe6df7c84c69 | Linux bridge agent | controller | :-)   | True           | neutron-linuxbridge-agent |
| 8878cfd5-81e6-4094-94d0-c54930f04acb | Metadata agent     | controller | :-)   | True           | neutron-metadata-agent    |
| c1a819d8-81be-423c-a60e-ac4b36cf7d4f | L3 agent           | controller | :-)   | True           | neutron-vpn-agent         |
| c59f8895-082d-4f41-a1d9-71fb74ec81ff | Loadbalancer agent | controller | :-)   | True           | neutron-lbaas-agent       |
| e4bf21cf-48c9-4cdd-a02c-b63e02ec740c | Linux bridge agent | compute    | :-)   | True           | neutron-linuxbridge-agent |
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+

Note:
As per our observation, strongswan 5.1.x does not have separate pluto interface for IKEv1 policies. Its single binary Charon takes care of both IKEv1 and IKEv2 policies.
However, it appears to us, that somehow strongswan driver (despite the 5.1.X) is still dependent on pluto interface. This is the reason we are getting message "unknown IPsec command `pluto'" since no pluto is present in 5.1.x.
Ideally both IKEv1 and IKEv2 policies should be allowed to be processed independently by strongswan driver with any dependency on openswan.

Please let us know if we are missing something and configuring something wrong.

Other configuration/logs information given below
======================================================================================================
vpn_agent.ini Configuration file given as follows
----------------------------------------------------
[DEFAULT]
# VPN-Agent configuration file
# Note vpn-agent inherits l3-agent, so you can use configs on l3-agent also
debug=True

[vpnagent]
# vpn device drivers which vpn agent will use
# If we want to use multiple drivers, we need to define this option multiple times.
# NOTE: StrongSwan and openSwan cannot be installed at the same time. Thus, both cannot
# be enabled for use. In the future when flavors/STF support is available,
# this will still constrain the flavors which can be used together.
# vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.ipsec.OpenSwanDriver
# vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.cisco_ipsec.CiscoCsrIPsecDriver
# vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.vyatta_ipsec.VyattaIPSecDriver
vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver
# vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.fedora_strongswan_ipsec.FedoraStrongSwanDriver
# vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver
# vpn_device_driver=another_driver

[ipsec]
# Status check interval
# ipsec_status_check_interval=60
# Enable detail logging for ipsec pluto process.
# If the flag set to True, the detailed logging will
# be written into config_base_dir/<pid>/logs."
# NOTE: this applies to OpenSwan and Libraswan, and
# that StrongSwan has logging that logs to syslog.
# enable_detailed_logging=False

[strongswan]
# For fedora use:
# default_config_area=/usr/share/strongswan/templates/config/strongswan.d
# Default is for ubuntu use, /etc/strongswan.d
# default_config_area=/etc/strongswan.d

[libreswan]
# Initial interval in seconds for checking if pluto daemon is shutdown
# shutdown_check_timeout=1
#
# The maximum number of retries for checking for pluto daemon shutdown
# shutdown_check_retries=5
#
# A factor to increase the retry interval for each retry
# shutdown_check_back_off=1.5
============================================================================================================================
vpnaas_filter file given as follows
-----------------------------------------------------------------------------
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user

# format seems to be
# cmd-name: filter-name, raw-command, user, args

[Filters]
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
strongswan: CommandFilter, strongswan, root ipsec: CommandFilter, ipsec, root neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root chown: RegExpFilter, chown, root, chown, --from=.*, root.root, .*/ipsec.secrets ============================================================================================================================ vpn_agent logs given as follows ----------------------------------------------------------------------------- 2016-02-24 10:02:13.567 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--status'] Exit code: 2 Stdin: Stdout: Stderr: /usr/sbin/ipsec: unknown IPsec command `whack' (`ipsec --help' for list) 2016-02-24 10:02:13.632 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'pluto', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--ipsecdir', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc/ipsec.secrets', '--virtual_private', '%v4:192.18.10.0/24,%v4:192.18.8.0/24'] Exit code: 2 Stdin: Stdout: Stderr: /usr/sbin/ipsec: unknown IPsec command `pluto' (`ipsec --help' for list) 2016-02-24 10:02:13.632 4700 ERROR 
neutron_vpnaas.services.vpn.device_drivers.ipsec [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] Failed to enable vpn process on router 224f2a11-affc-48cb-beb8-93dceb8d7a3e 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Traceback (most recent call last): 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 260, in enable 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec self.start() 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 436, in start 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec self._execute(cmd) 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 341, in _execute 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec extra_ok_codes=extra_ok_codes) 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/ip_lib.py", line 816, in execute 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec extra_ok_codes=extra_ok_codes, **kwargs) 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/utils.py", line 159, in execute 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec raise RuntimeError(m) 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError: 2016-02-24 10:02:13.632 4700 ERROR 
neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'pluto', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--ipsecdir', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc/ipsec.secrets', '--virtual_private', '%v4:192.18.10.0/24,%v4:192.18.8.0/24'] 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 2 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin: 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout: 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stderr: /usr/sbin/ipsec: unknown IPsec command `pluto' (`ipsec --help' for list) 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec 2016-02-24 10:02:13.700 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--status'] Exit code: 2 Stdin: Stdout: Stderr: /usr/sbin/ipsec: unknown IPsec command `whack' (`ipsec --help' for list) 2016-02-24 10:02:13.760 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] Command: ['sudo', '/usr/bin/neutron-rootwrap', 
'/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--status'] Exit code: 2 Stdin: Stdout: Stderr: /usr/sbin/ipsec: unknown IPsec command `whack' (`ipsec --help' for list) 2016-02-24 10:02:13.840 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--status'] Exit code: 2 Stdin: Stdout: Stderr: /usr/sbin/ipsec: unknown IPsec command `whack' (`ipsec --help' for list) 2016-02-24 10:02:13.921 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-7861b7af-e95f-4fe2-9739-068a9aab1022', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/7861b7af-e95f-4fe2-9739-068a9aab1022/var/run/pluto', '--status'] Exit code: 2 Stdin: Stdout: Stderr: /usr/sbin/ipsec: unknown IPsec command `whack' (`ipsec --help' for list) -------------Keeps on repeating-------------------------- ** Affects: neutron Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron. https://bugs.launchpad.net/bugs/1549295 Title: Strongswan Driver is not getting invoked 1+1 Node setup on Liberty/ Ubuntu 14.04 Status in neutron: New Bug description: We are trying to configure the vpn tunnels with strongswan. 
We are getting the following error : 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] Failed to enable vpn process on router 224f2a11-affc-48cb-beb8-93dceb8d7a3e 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Traceback (most recent call last): 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 260, in enable 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec self.start() 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 436, in start 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec self._execute(cmd) 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 341, in _execute 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec extra_ok_codes=extra_ok_codes) 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/ip_lib.py", line 816, in execute 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec extra_ok_codes=extra_ok_codes, **kwargs) 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/utils.py", line 159, in execute 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec raise RuntimeError(m) 2016-02-24 10:02:13.632 4700 ERROR 
neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError: 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'pluto', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--ipsecdir', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc/ipsec.secrets', '--virtual_private', '%v4:192.18.10.0/24,%v4:192.18.8.0/24'] 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 2 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin: 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout: 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stderr: /usr/sbin/ipsec: unknown IPsec command `pluto' (`ipsec --help' for list) 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec 2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec 2016-02-24 10:02:13.700 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--status'] Exit code: 2 We were able to configure the tunnels with openswan(after uninstalling strongswan and making configuration changes for openswan) with the same setup. 
With strongswan(after uninstalling Openswan and making configuration changes for strongswan driver) , the tunnels remain in PENDING_CREATE state and do not become ACTIVE. We have the following configuration: 1. We have openstack (liberty) installed on the ubuntu 14.04LTS on 1+1 node setup and we are trying to create IKEv1 and IKEv2 tunnels between 2 openstack public clouds. 2. We have installed neutron_vpn-agent along with strongswan package Output of dpkg list for strongswan pakages. ------------------------------------------------------------------------- root@controller:/var/log/neutron# dpkg -l | grep -i strongswan ii libstrongswan 5.1.2-0ubuntu2.4 amd64 strongSwan utility and crypto library ii strongswan 5.1.2-0ubuntu2.4 all IPsec VPN solution metapackage ii strongswan-ike 5.1.2-0ubuntu2.4 amd64 strongSwan Internet Key Exchange (v2) daemon ii strongswan-plugin-openssl 5.1.2-0ubuntu2.4 amd64 strongSwan plugin for OpenSSL ii strongswan-starter 5.1.2-0ubuntu2.4 amd64 strongSwan daemon starter and configuration file parser Output of dpkg list for neutron-vpn-agent ----------------------------------------------------------------------- root@controller:/var/log/neutron# dpkg -l | grep -i vpn-agent ii neutron-vpn-agent 2:7.0.0-0ubuntu1~cloud0 all Neutron is a virtual network service for Openstack - VPN agent 3. The nova-service list and neutron service list are all up and running. 
Output of nova service-list root@controller:/var/log/neutron# nova service-list +----+------------------+------------+----------+---------+-------+----------------------------+-----------------+ | Id | Binary | Host | Zone | Status | State | Updated_at | Disabled Reason | +----+------------------+------------+----------+---------+-------+----------------------------+-----------------+ | 1 | nova-cert | controller | internal | enabled | up | 2016-02-24T05:42:34.000000 | - | | 2 | nova-consoleauth | controller | internal | enabled | up | 2016-02-24T05:42:34.000000 | - | | 3 | nova-scheduler | controller | internal | enabled | up | 2016-02-24T05:42:38.000000 | - | | 4 | nova-conductor | controller | internal | enabled | up | 2016-02-24T05:42:41.000000 | - | | 7 | nova-compute | compute | nova | enabled | up | 2016-02-24T05:42:35.000000 | - | +----+------------------+------------+----------+---------+-------+----------------------------+-----------------+ Output of neutron agent-list root@controller:/var/log/neutron# neutron agent-list +--------------------------------------+--------------------+------------+-------+----------------+---------------------------+ | id | agent_type | host | alive | admin_state_up | binary | +--------------------------------------+--------------------+------------+-------+----------------+---------------------------+ | 0b2327b7-12b6-425f-af8d-3fe637106d19 | DHCP agent | controller | :-) | True | neutron-dhcp-agent | | 21acf20a-7c20-48ee-b79a-fe6df7c84c69 | Linux bridge agent | controller | :-) | True | neutron-linuxbridge-agent | | 8878cfd5-81e6-4094-94d0-c54930f04acb | Metadata agent | controller | :-) | True | neutron-metadata-agent | | c1a819d8-81be-423c-a60e-ac4b36cf7d4f | L3 agent | controller | :-) | True | neutron-vpn-agent | | c59f8895-082d-4f41-a1d9-71fb74ec81ff | Loadbalancer agent | controller | :-) | True | neutron-lbaas-agent | | e4bf21cf-48c9-4cdd-a02c-b63e02ec740c | Linux bridge agent | compute | :-) | True | 
neutron-linuxbridge-agent | +--------------------------------------+--------------------+------------+-------+----------------+---------------------------+ Note: As per our observation, strongswan 5.1.x does not have separate pluto interface for IKEv1 policies. It's single binary Charon takes cares of both IKEv1 and IKEv2 policies. However, it appears to us, that somehow strongswan driver(despite the 5.1.X) is still dependent on pluto interface. This is the reason we are getiing message "unknown IPsec command `pluto'" since no pluto is present in 5.1.x. Ideally both IKEv1 and IKEv2 policies should be allowed to be processed independently by strongswan driver with any dependency on openswan. Please let us know if we are missing something and configuring something wrong. Other configuration/logs information given below ====================================================================================================== vpn_agent.ini Configuration file given as follows ---------------------------------------------------- [DEFAULT] # VPN-Agent configuration file # Note vpn-agent inherits l3-agent, so you can use configs on l3-agent also debug=True [vpnagent] # vpn device drivers which vpn agent will use # If we want to use multiple drivers, we need to define this option multiple times. # NOTE: StrongSwan and openSwan cannot be installed at the same time. Thus, both cannot # be enabled for use. In the future when flavors/STF support is available, # this will still constrain the flavors which can be used together. 
# vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.ipsec.OpenSwanDriver # vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.cisco_ipsec.CiscoCsrIPsecDriver # vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.vyatta_ipsec.VyattaIPSecDriver vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver # vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.fedora_strongswan_ipsec.FedoraStrongSwanDriver # vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver # vpn_device_driver=another_driver [ipsec] # Status check interval # ipsec_status_check_interval=60 # Enable detail logging for ipsec pluto process. # If the flag set to True, the detailed logging will # be written into config_base_dir/<pid>/logs." # NOTE: this applies to OpenSwan and Libraswan, and # that StrongSwan has logging that logs to syslog. # enable_detailed_logging=False [strongswan] # For fedora use: # default_config_area=/usr/share/strongswan/templates/config/strongswan.d # Default is for ubuntu use, /etc/strongswan.d # default_config_area=/etc/strongswan.d [libreswan] # Initial interval in seconds for checking if pluto daemon is shutdown # shutdown_check_timeout=1 # # The maximum number of retries for checking for pluto daemon shutdown # shutdown_check_retries=5 # # A factor to increase the retry interval for each retry # shutdown_check_back_off=1.5 ============================================================================================================================ vpnaas_filter file given as follows ----------------------------------------------------------------------------- # neutron-rootwrap command filters for nodes on which neutron is # expected to control network # # This file should be owned by (and only-writeable by) the root user # format seems to be # cmd-name: filter-name, raw-command, user, args [Filters] ip: IpFilter, ip, root ip_exec: IpNetnsExecFilter, ip, root 
strongswan: CommandFilter, strongswan, root
ipsec: CommandFilter, ipsec, root
neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root
neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root
chown: RegExpFilter, chown, root, chown, --from=.*, root.root, .*/ipsec.secrets

=============================================================================
vpn_agent logs given as follows
-----------------------------------------------------------------------------
2016-02-24 10:02:13.567 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -]
Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--status']
Exit code: 2
Stdin:
Stdout:
Stderr: /usr/sbin/ipsec: unknown IPsec command `whack' (`ipsec --help' for list)

2016-02-24 10:02:13.632 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -]
Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'pluto', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--ipsecdir', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc/ipsec.secrets', '--virtual_private', '%v4:192.18.10.0/24,%v4:192.18.8.0/24']
Exit code: 2
Stdin:
Stdout:
Stderr: /usr/sbin/ipsec: unknown IPsec command `pluto' (`ipsec --help' for list)

2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -] Failed to enable vpn process on router 224f2a11-affc-48cb-beb8-93dceb8d7a3e
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Traceback (most recent call last):
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 260, in enable
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     self.start()
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 436, in start
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     self._execute(cmd)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 341, in _execute
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/ip_lib.py", line 816, in execute
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes, **kwargs)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/utils.py", line 159, in execute
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     raise RuntimeError(m)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError:
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'pluto', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--ipsecdir', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/etc/ipsec.secrets', '--virtual_private', '%v4:192.18.10.0/24,%v4:192.18.8.0/24']
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 2
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin:
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout:
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Stderr: /usr/sbin/ipsec: unknown IPsec command `pluto' (`ipsec --help' for list)
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec
2016-02-24 10:02:13.632 4700 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec

2016-02-24 10:02:13.700 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -]
Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--status']
Exit code: 2
Stdin:
Stdout:
Stderr: /usr/sbin/ipsec: unknown IPsec command `whack' (`ipsec --help' for list)

2016-02-24 10:02:13.760 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -]
Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--status']
Exit code: 2
Stdin:
Stdout:
Stderr: /usr/sbin/ipsec: unknown IPsec command `whack' (`ipsec --help' for list)

2016-02-24 10:02:13.840 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -]
Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-224f2a11-affc-48cb-beb8-93dceb8d7a3e', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/224f2a11-affc-48cb-beb8-93dceb8d7a3e/var/run/pluto', '--status']
Exit code: 2
Stdin:
Stdout:
Stderr: /usr/sbin/ipsec: unknown IPsec command `whack' (`ipsec --help' for list)

2016-02-24 10:02:13.921 4700 ERROR neutron.agent.linux.utils [req-6c9d1ac8-16ad-4c68-94a8-adc684b26c00 010aadb1b2a4415a8a5703401761ee7e 5671975a92964a0fad7013c4ba2a0a63 - - -]
Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-7861b7af-e95f-4fe2-9739-068a9aab1022', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/7861b7af-e95f-4fe2-9739-068a9aab1022/var/run/pluto', '--status']
Exit code: 2
Stdin:
Stdout:
Stderr: /usr/sbin/ipsec: unknown IPsec command `whack' (`ipsec --help' for list)

-------------Keeps on repeating--------------------------

To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1549295/+subscriptions
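A triage sketch for the agent log above, added here as an example and not part of the bug report or of neutron-vpnaas: it extracts every rootwrapped `ipsec` invocation and counts, per router namespace, the subcommands that the installed `ipsec` binary rejected as unknown. The function and helper names are hypothetical, and the sample records are constructed (shortened namespaces, one invented unrelated failure).

```python
import ast
import re
from collections import Counter

UNKNOWN_FMT = "/usr/sbin/ipsec: unknown IPsec command `{}' (`ipsec --help' for list)"

def _record(ns, sub, code, stderr):
    """Build one constructed log record in the layout shown in the report."""
    argv = ["sudo", "/usr/bin/neutron-rootwrap", "/etc/neutron/rootwrap.conf",
            "ip", "netns", "exec", ns, "ipsec", sub, "--status"]
    return ("2016-02-24 10:02:13.567 4700 ERROR neutron.agent.linux.utils [req-x] "
            f"Command: {argv!r}\nExit code: {code}\nStdin:\nStdout:\nStderr: {stderr}\n")

# Constructed sample: three rejections modelled on the log above, plus one
# invented failure that must NOT be counted as an unknown-subcommand rejection.
SAMPLE_LOG = "".join([
    _record("qrouter-r1", "whack", 2, UNKNOWN_FMT.format("whack")),
    _record("qrouter-r1", "pluto", 2, UNKNOWN_FMT.format("pluto")),
    _record("qrouter-r2", "whack", 2, UNKNOWN_FMT.format("whack")),
    _record("qrouter-r2", "whack", 1, "control socket unreachable (invented)"),
])

# One record = argv list, exit code, and stderr up to the next timestamp.
# Works whether the fields are on separate lines or flattened onto one line.
RECORD = re.compile(
    r"Command: (\[.*?\])\s.*?Exit code: (\d+).*?Stderr:\s*(.*?)"
    r"(?=\s+\d{4}-\d\d-\d\d \d\d:|\s*\Z)", re.S)
UNKNOWN = re.compile(r"unknown IPsec command `([\w-]+)'")

def rejected_subcommands(log_text):
    """Count (netns, subcommand) pairs that the installed ipsec binary rejected."""
    hits = Counter()
    for cmd, code, stderr in RECORD.findall(log_text):
        argv = ast.literal_eval(cmd)  # the agent logs argv as a Python list repr
        if "ipsec" not in argv[:-1]:
            continue
        sub = argv[argv.index("ipsec") + 1]
        ns = argv[argv.index("exec") + 1] if "exec" in argv[:-1] else None
        named = UNKNOWN.search(stderr)
        # Count only when the binary itself names the invoked subcommand as unknown.
        if code != "0" and named and named.group(1) == sub:
            hits[(ns, sub)] += 1
    return hits

if __name__ == "__main__":
    for (ns, sub), n in sorted(rejected_subcommands(SAMPLE_LOG).items()):
        print(f"{ns}: 'ipsec {sub}' rejected {n}x by the installed binary")
```

A result where every invoked subcommand is rejected, as with `whack` and `pluto` here, points at a mismatch between what the agent calls and what the installed `ipsec` front end provides, rather than at a rootwrap filter denial.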