Public bug reported:

Any attempt to create an IPSec site connection with a policy that specifies the AH protocol instead of ESP leads to the following error:

2015-07-21 13:41:28.948 ERROR neutron.agent.linux.utils [req-e3237103-fb81-4c23-8a69-98c755c177c9 admin 4733f78a7cd749f38b20bc134b9675a0]
Command: ['ip', 'netns', 'exec', u'qrouter-3d68e902-ce44-411a-bd4e-6ff9a33d8a85', 'ipsec', 'addconn', '--ctlbase', u'/opt/stack/data/neutron/ipsec/3d68e902-ce44-411a-bd4e-6ff9a33d8a85/var/run/pluto.ctl', '--defaultroutenexthop', u'172.24.4.3', '--config', u'/opt/stack/data/neutron/ipsec/3d68e902-ce44-411a-bd4e-6ff9a33d8a85/etc/ipsec.conf', u'd0fa8bac-b8eb-4c33-a023-8c96560c99ec']
Exit code: 34
Stdin:
Stdout: 034 esp string error: Non initial digit found for auth keylen, just after "aes128-" (old_state=ST_AA_END)
Stderr:
2015-07-21 13:41:28.949 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [req-e3237103-fb81-4c23-8a69-98c755c177c9 admin 4733f78a7cd749f38b20bc134b9675a0] Failed to enable vpn process on router 3d68e902-ce44-411a-bd4e-6ff9a33d8a85
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Traceback (most recent call last):
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 255, in enable
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec     self.start()
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 437, in start
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec     ipsec_site_conn['id']
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 336, in _execute
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes)
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron/neutron/agent/linux/ip_lib.py", line 701, in execute
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes, **kwargs)
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/opt/stack/neutron/neutron/agent/linux/utils.py", line 138, in execute
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec     raise RuntimeError(m)
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError:
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['ip', 'netns', 'exec', u'qrouter-3d68e902-ce44-411a-bd4e-6ff9a33d8a85', 'ipsec', 'addconn', '--ctlbase', u'/opt/stack/data/neutron/ipsec/3d68e902-ce44-411a-bd4e-6ff9a33d8a85/var/run/pluto.ctl', '--defaultroutenexthop', u'172.24.4.3', '--config', u'/opt/stack/data/neutron/ipsec/3d68e902-ce44-411a-bd4e-6ff9a33d8a85/etc/ipsec.conf', u'd0fa8bac-b8eb-4c33-a023-8c96560c99ec']
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 34
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin:
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout: 034 esp string error: Non initial digit found for auth keylen, just after "aes128-" (old_state=ST_AA_END)
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stderr:
2015-07-21 13:41:28.949 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec

The reason is that the AH protocol doesn't have any encryption. That is why phase2alg in the ipsec.conf template should be modified to exclude encryption for AH.

** Affects: neutron
     Importance: Undecided
     Assignee: Elena Ezhova (eezhova)
         Status: New

** Tags: vpnaas

** Tags added: vpnaas

** Changed in: neutron
     Assignee: (unassigned) => Elena Ezhova (eezhova)

https://bugs.launchpad.net/bugs/1476681

Title:
  VPNaaS: Fix phase2alg for AH in ipsec.conf.template

Status in neutron:
  New
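
The change the report asks for, sketched as an added example that is not part of the original report and not neutron-vpnaas code: build the phase2/phase2alg lines so that AH gets only the integrity algorithm, and flag rendered conn sections that still pair phase2=ah with a cipher. The policy field names, the PFS and cipher tables, the conn names and the sample config are assumptions constructed for illustration.

```python
# Added example, not neutron-vpnaas code. Policy field names and the
# PFS/cipher tables are assumptions made for illustration.
PFS_GROUPS = {"group2": "modp1024", "group5": "modp1536", "group14": "modp2048"}
CIPHERS = {"3des", "aes128", "aes192", "aes256"}


def phase2_lines(policy):
    """Return the phase2/phase2alg lines for one IPsec policy dict."""
    proto = policy["transform_protocol"].lower()
    auth = policy["auth_algorithm"]
    pfs = PFS_GROUPS[policy["pfs"]]
    if proto == "esp":
        # ESP negotiates a cipher and an integrity algorithm.
        alg = "%s-%s" % (policy["encryption_algorithm"], auth)
    elif proto == "ah":
        # AH only authenticates: drop the cipher even if the policy
        # object still carries an encryption_algorithm value.
        alg = auth
    else:
        raise ValueError("unsupported transform protocol: %r" % proto)
    return ["phase2=%s" % proto, "phase2alg=%s;%s" % (alg, pfs)]


def conns_with_cipher_on_ah(conf_text):
    """List conn sections that pair phase2=ah with a cipher in phase2alg."""
    bad, name, opts = [], None, {}

    def check():
        first = opts.get("phase2alg", "").split(";")[0].split("-")[0]
        if name and opts.get("phase2") == "ah" and first in CIPHERS:
            bad.append(name)

    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            check()
            name, opts = line.split(None, 1)[1], {}
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    check()
    return bad


# Constructed sample: the kind of rendering the bug report describes.
SAMPLE_CONF = """\
conn sample-ah-conn
    phase2=ah
    phase2alg=aes128-sha1;modp1536
conn sample-esp-conn
    phase2=esp
    phase2alg=aes128-sha1;modp1536
"""
```

Running the check over a rendered ipsec.conf before it is handed to `ipsec addconn` turns the exit-code-34 failure above into a named conn section that can be fixed at the policy level.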