Public bug reported:

I used this patch (VPNaaS: Fedora support for StrongSwan) for vpnaas on centos, referring to this bug:
https://bugs.launchpad.net/neutron/+bug/1441788

1. I used a single node with 2 routers, created ike/ipsec/vpn-service/site vpn, and the tunnels came up fine.

    kilo-vpnaas-centos71

    10.10.10.x/24--------R1-------------R2-------------20.20.20.x/24

    R1 to R2 on 192.168.122.202, 192.168.122.203.

2. When I added one more interface to r1 and r2, 30.30.30.x and 40.40.40.x respectively, and created ike/ipsec/vpn-service/site-vpn, it did not create a new conn in the ipsec.conf file; rather, it overwrote the existing (10.10.10.x) conn in the ipsec.conf file.

    [root@ceos71 ~]# cat /var/lib/neutron/ipsec/70e88c46-c6b2-4c8d-afad-76ebd77b55cb/etc/strongswan/ipsec.conf
    # Configuration for vpn10
    config setup

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=psk
        mobike=no

    conn 221c6d37-e7a1-4afc-8d0f-4de32df3818b    #### this for 10.10.10.x
        keyexchange=ikev2
        left=192.168.122.202
        leftsubnet=10.10.10.0/24
        leftid=192.168.122.202
        leftfirewall=yes
        right=192.168.122.203
        rightsubnet=20.20.20.0/24
        rightid=192.168.122.203
        auto=route

    ### added 1 more subnet 30.30.30.x

    [root@ceos71 ~]# cat /var/lib/neutron/ipsec/70e88c46-c6b2-4c8d-afad-76ebd77b55cb/etc/strongswan/ipsec.conf
    # Configuration for vpn30
    config setup

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=psk
        mobike=no

    conn 7b57fc83-3581-4e86-a193-e14474eef295    ### this is for 30.30.30.x, it overwrote the 10.10.10.x conn
        keyexchange=ikev2
        left=192.168.122.202
        leftsubnet=30.30.30.0/24    <<<<<<<<<<<<<
        leftid=192.168.122.202
        leftfirewall=yes
        right=192.168.122.203
        rightsubnet=40.40.40.0/24
        rightid=192.168.122.203
        auto=route

3. My understanding is that it should add a new conn to the ipsec.conf file, rather than overwriting the existing conn. Am I right?

** Affects: neutron
   Importance: Undecided
   Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1478778

Title: VPNaas: strongswan: cannot add more than one subnet to ipsec

Status in neutron: New