Public bug reported:

Any attempt to create an IPSec site connection with a policy that specifies
the AH protocol instead of ESP leads to the following error:

2015-07-21 13:41:28.948 ERROR neutron.agent.linux.utils [req-e3237103-fb81-4c23-8a69-98c755c177c9 admin 4733f78a7cd749f38b20bc134b9675a0]
Command: ['ip', 'netns', 'exec', u'qrouter-3d68e902-ce44-411a-bd4e-6ff9a33d8a85', 'ipsec', 'addconn', '--ctlbase', u'/opt/stack/data/neutron/ipsec/3d68e902-ce44-411a-bd4e-6ff9a33d8a85/var/run/pluto.ctl', '--defaultroutenexthop', u'172.24.4.3', '--config', u'/opt/stack/data/neutron/ipsec/3d68e902-ce44-411a-bd4e-6ff9a33d8a85/etc/ipsec.conf', u'd0fa8bac-b8eb-4c33-a023-8c96560c99ec']
Exit code: 34
Stdin:
Stdout: 034 esp string error: Non initial digit found for auth keylen, just after "aes128-" (old_state=ST_AA_END)

Stderr:
2015-07-21 13:41:28.949 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [req-e3237103-fb81-4c23-8a69-98c755c177c9 admin 4733f78a7cd749f38b20bc134b9675a0] Failed to enable vpn process on router 3d68e902-ce44-411a-bd4e-6ff9a33d8a85
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Traceback (most recent call last):
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 255, in enable
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec     self.start()
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 437, in start
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec     ipsec_site_conn['id']
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 336, in _execute
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes)
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron/neutron/agent/linux/ip_lib.py", line 701, in execute
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes, **kwargs)
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron/neutron/agent/linux/utils.py", line 138, in execute
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec     raise RuntimeError(m)
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError:
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['ip', 'netns', 'exec', u'qrouter-3d68e902-ce44-411a-bd4e-6ff9a33d8a85', 'ipsec', 'addconn', '--ctlbase', u'/opt/stack/data/neutron/ipsec/3d68e902-ce44-411a-bd4e-6ff9a33d8a85/var/run/pluto.ctl', '--defaultroutenexthop', u'172.24.4.3', '--config', u'/opt/stack/data/neutron/ipsec/3d68e902-ce44-411a-bd4e-6ff9a33d8a85/etc/ipsec.conf', u'd0fa8bac-b8eb-4c33-a023-8c96560c99ec']
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 34
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin:
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout: 034 esp string error: Non initial digit found for auth keylen, just after "aes128-" (old_state=ST_AA_END)
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stderr:
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec


The reason is that the AH protocol doesn't have any encryption. That is why
phase2alg in the ipsec.conf template should be modified to exclude encryption
for AH.

** Affects: neutron
     Importance: Undecided
     Assignee: Elena Ezhova (eezhova)
         Status: New


** Tags: vpnaas

** Tags added: vpnaas

** Changed in: neutron
     Assignee: (unassigned) => Elena Ezhova (eezhova)

https://bugs.launchpad.net/bugs/1476681

Title:
  VPNaaS: Fix phase2alg for AH in ipsec.conf.template

Status in neutron:
  New
