Public bug reported:

Code repo: neutron-vpnaas master
OS: Centos7
ipsec device driver: libreswan-3.15-5.el7_1.x86_64

In /etc/neutron/vpn_agent.ini, vpn_device_driver is neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver.

Before running neutron-vpn-agent, I had checked the ipsec status, and it seemed normal:

    # ipsec verify
    Verifying installed system and configuration files

    Version check and ipsec on-path                       [OK]
    Libreswan 3.15 (netkey) on 3.10.0-123.el7.x86_64
    Checking for IPsec support in kernel                  [OK]
     NETKEY: Testing XFRM related proc values
             ICMP default/send_redirects                  [OK]
             ICMP default/accept_redirects                [OK]
             XFRM larval drop                             [OK]
    Pluto ipsec.conf syntax                               [OK]
    Hardware random device                                [N/A]
    Two or more interfaces found, checking IP forwarding  [OK]
    Checking rp_filter                                    [OK]
    Checking that pluto is running                        [OK]
     Pluto listening for IKE on udp 500                   [OK]
     Pluto listening for IKE/NAT-T on udp 4500            [OK]
    Pluto ipsec.secret syntax                             [OK]
    Checking 'ip' command                                 [OK]
    Checking 'iptables' command                           [OK]
    Checking 'prelink' command does not interfere with FIPS
    Checking for obsolete ipsec.conf options              [OK]
    Opportunistic Encryption                              [DISABLED]

After creating an ikepolicy, an ipsecpolicy and a vpn service, creating an ipsec-site-connection failed; the "ipsec whack --ctlbase" status code in vpn-agent.log returns 1, which means not running.

Then I traced the code. I think the problem is in the function enable(): the call to self.ensure_configs() [1] may have some problems. ensure_configs() [2] in libreswan_ipsec.py overrides it; I have not confirmed that the root cause is ipsec checknss (which creates the nssdb). If the call to self.ensure_configs() fails, we can't start the ipsec pluto daemon.

Here are the running ipsec processes:

    # ps aux |grep ipsec
    root     22223  0.0  0.0   9648  1368 pts/17   S+   12:59   0:00 /bin/sh /sbin/ipsec checknss /opt/stack/data/neutron/ipsec/f75151f6-ef01-4a68-9747-eb52f4e629f5/etc
    root     22224  0.0  0.0  37400  3300 pts/17   S+   12:59   0:00 certutil -N -d sql:/etc/ipsec.d --empty-password
    root     25893  0.0  0.0   9040   668 pts/0    S+   13:40   0:00 grep --color=auto ipsec
    root     26396  0.0  0.1 335268  4588 ?        Ssl  08:58   0:00 /usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork

[1] https://github.com/openstack/neutron-vpnaas/blob/master/neutron_vpnaas/services/vpn/device_drivers/ipsec.py#L304
[2] https://github.com/openstack/neutron-vpnaas/blob/master/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py#L59

** Affects: neutron
   Importance: Undecided
   Status: New

** Tags: vpnaas

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1605066

Title:
  [Neutron][VPNaaS] Failed to create ipsec site connection

Status in neutron:
  New
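As an added diagnostic, not part of the bug report and not neutron-vpnaas code: a Python helper that parses the ps aux listing quoted in the report and flags the one-shot NSS-database initialisation (ipsec checknss and the certutil it spawns) when it has been running far longer than such a job should (in the report the pair started at 12:59 is still present when grep runs at 13:40), checks whether an sql: NSS database is actually complete, and runs the driver's whack status probe with a timeout so a hung initialisation is reported instead of blocking the agent. Assumptions: the standard ps aux column order, the cert9.db/key4.db/pkcs11.txt layout of an sql: NSS database, and the "ipsec whack --ctlbase <dir> --status" invocation; the sample ps lines are copied from the report.

```python
"""Diagnose a stuck LibreSwan NSS database initialisation.

Added example, not neutron-vpnaas code.  Assumes the standard `ps aux`
column order (USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND), the
sql: NSS database file layout, and the `ipsec whack --ctlbase <dir> --status`
probe the report refers to.
"""
import os
import re
import subprocess

# Constructed sample: the `ps aux | grep ipsec` lines quoted in the bug report.
SAMPLE_PS = """\
root 22223 0.0 0.0 9648 1368 pts/17 S+ 12:59 0:00 /bin/sh /sbin/ipsec checknss /opt/stack/data/neutron/ipsec/f75151f6-ef01-4a68-9747-eb52f4e629f5/etc
root 22224 0.0 0.0 37400 3300 pts/17 S+ 12:59 0:00 certutil -N -d sql:/etc/ipsec.d --empty-password
root 25893 0.0 0.0 9040 668 pts/0 S+ 13:40 0:00 grep --color=auto ipsec
root 26396 0.0 0.1 335268 4588 ? Ssl 08:58 0:00 /usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
"""

# Commands that make up the one-shot NSS initialisation.  They should finish
# in seconds; anything older is stuck and keeps enable() from starting pluto.
NSS_INIT_PATTERNS = (re.compile(r"\bipsec checknss\b"), re.compile(r"\bcertutil -N\b"))
# Files certutil creates for an sql: database (the legacy dbm layout differs).
NSSDB_FILES = frozenset(("cert9.db", "key4.db", "pkcs11.txt"))


def parse_ps_line(line):
    """Split one `ps aux` line into pid, START column and the full command."""
    parts = line.split(None, 10)
    if len(parts) < 11:
        return None
    return {"pid": int(parts[1]), "start": parts[8], "cmd": parts[10]}


def _minutes(hhmm):
    """Minutes since midnight for an HH:MM string; ValueError otherwise."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def find_stuck_nss_init(ps_output, now_hhmm, max_age_minutes=5):
    """Return (pid, age_minutes, command) for NSS-init processes older than max_age.

    `ps` prints START as HH:MM for processes started today and as a date for
    older ones; a date means the process is at least a day old, reported as
    age None.
    """
    now = _minutes(now_hhmm)
    stuck = []
    for line in ps_output.splitlines():
        rec = parse_ps_line(line)
        if rec is None or not any(p.search(rec["cmd"]) for p in NSS_INIT_PATTERNS):
            continue
        try:
            age = (now - _minutes(rec["start"])) % (24 * 60)
        except ValueError:
            stuck.append((rec["pid"], None, rec["cmd"]))
            continue
        if age > max_age_minutes:
            stuck.append((rec["pid"], age, rec["cmd"]))
    return stuck


def nssdb_complete(filenames):
    """True when a directory listing contains every file of an sql: NSS database."""
    return NSSDB_FILES.issubset(filenames)


def nssdb_initialised(ipsec_dir):
    """Filesystem check that `ipsec checknss <dir>` actually finished."""
    return os.path.isdir(ipsec_dir) and nssdb_complete(os.listdir(ipsec_dir))


def pluto_running(ctlbase, runner=subprocess.run, timeout=10):
    """Run the status probe with a timeout instead of waiting on a hung socket.

    A non-zero exit status (the report shows 1) means pluto is not reachable
    through that control base; a timeout or missing binary is treated the same.
    """
    cmd = ["ipsec", "whack", "--ctlbase", ctlbase, "--status"]
    try:
        result = runner(cmd, capture_output=True, timeout=timeout)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    return result.returncode == 0


if __name__ == "__main__":
    # "13:40" is the grep timestamp from the report, used as the current clock.
    for pid, age, cmd in find_stuck_nss_init(SAMPLE_PS, "13:40"):
        print(f"pid {pid} alive {age} min: {cmd}")
```

Running the module against the sample reports both pid 22223 and pid 22224 as 41 minutes old, which is the signal an agent-side health check would use to give up on the initialisation and log the failure rather than leaving the connection creation hanging.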