GitHub user swill opened a pull request: https://github.com/apache/cloudstack/pull/1741

Updated StrongSwanVPN Implementation

This PR is a merge of @jayapalu changes in #872 and the changes I had to make to get the functionality working. I have done pretty extensive testing of this code so far and we are looking to be in pretty good shape.

One thing to note is that a `Diffie-Hellman` group **is required** in order for this feature to work correctly. It is not highlighted in the tests below, but I have shown that the `PFS` is not required for this feature to work.

In #872 I have shown a more exhaustive set of tests of this code, but I have limited this set of tests to a recommended `IKE` and `ESP` configuration in order to reduce the noise and test the other areas of functionality.

**Test Results**

I am testing this functionality by creating two VPCs with VMs in each and creating a S2S VPN connection between the two VPCs. Then I SSH into a VM in one VPC and I ping the private IP of a VM in the other VPC. Then I tear it down and try a different configuration.

_Setup_

```
VPC 1                          VPC 2
=====                          =====
VPN Gateway                    VPN Gateway
VPN Customer Gateway           VPN Customer Gateway
VPN Connection        <--->    VPN Connection
  - Passive = True               - Passive = False
```

_Legend_

`SKIP` => At least one of the VPN Connections did not come up, so no test was run.
`OK` => The ping test was successful over the S2S VPN connection.
`FAIL` => The ping test failed over the S2S VPN connection.
`Passive` => Specifies if either the `<vpc_1> : <vpc_2>` sides of the VPN Connection is set to passive.
`Conn State` => Specifies the connection status of the `<vpc_1> : <vpc_2>` VPN Connection in the UI.
`Requires Reset` => If the ping test does not result in an `OK`, then a VPN Connection Reset is performed on either `<vpc_1> : <vpc_2>` sides of the VPN Connection based on which side is not showing `Connected`. The results in the `Status` column are the final result after the reset is performed.

_Results_

```
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| Status | IKE & ESP            | DPD   | Encap | IKE Life | ESP Life | Passive       | Conn State                  | Requires Reset |
+========+======================+=======+=======+==========+==========+===============+=============================+================+
| OK     | aes128-sha1;modp1536 | True  | False | 86400    | 3600     | True : False  | Disconnected : Connected    | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | False | False | 86400    | 3600     | True : False  | Disconnected : Connected    | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | True  | True  | 86400    | 3600     | True : False  | Disconnected : Connected    | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | True  | False |          | 3600     | True : False  | Disconnected : Connected    | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | True  | False | 86400    |          | True : False  | Disconnected : Connected    | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | True  | False |          |          | True : False  | Disconnected : Connected    | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | True  | False | 86400    | 3600     | False : False | Connected : Connected       | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | True  | False | 86400    | 3600     | True : True   | Disconnected : Disconnected | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| SKIP   | aes128-sha1          | True  | False | 86400    | 3600     | True : False  | Disconnected : Error        | True : False   |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| SKIP   | aes128-sha1          | False | False | 86400    | 3600     | True : False  | Disconnected : Error        | True : False   |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| FAIL   | aes128-sha1          | True  | False | 86400    | 3600     | True : True   | Disconnected : Disconnected | True : True    |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| SKIP   | aes128-sha1          | True  | False | 86400    | 3600     | False : False | Connected : Error           | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
```

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/swill/cloudstack strongswanvpn

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/1741.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #1741

----
commit 68d9cb152e534f95af5e8198a2a2d5fe6ecc5a9d
Author: Will Stevens <williamstev...@gmail.com>
Date:   2016-10-27T12:54:58Z

    merging jayapalu and swill's strongswan vpn changes into a single commit
----
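The results table above turns on one configuration detail: every row whose IKE/ESP policy carries a Diffie-Hellman group (`aes128-sha1;modp1536`) comes up, and every row without one (`aes128-sha1`) ends in `SKIP` or `FAIL`. The following is an added example, written for this page and not code from the PR or from CloudStack, that parses policy strings in the `<encryption>-<hash>[;<dh-group>]` shape used in the table, flags a missing DH group before a tunnel is ever attempted, treats a missing ESP group (no PFS) as acceptable, and renders the equivalent strongSwan `ike=`/`esp=` proposal lines in `ipsec.conf` syntax. The algorithm allow-lists and the `Policy` dataclass are assumptions of this example; the blank-lifetime rows in the table are modelled as `None`, meaning "use the default".

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed allow-lists for this example only; they are not CloudStack's own
# validation tables and are kept short so the example stays readable.
KNOWN_ENCRYPTION = {"aes128", "aes192", "aes256", "3des"}
KNOWN_INTEGRITY = {"sha1", "sha256", "sha384", "sha512", "md5"}
KNOWN_DH_GROUPS = {"modp1024", "modp1536", "modp2048", "modp3072", "modp4096"}


@dataclass(frozen=True)
class Policy:
    """One IKE or ESP proposal: cipher, integrity hash, optional DH group."""
    encryption: str
    integrity: str
    dh_group: Optional[str]


def parse_policy(text: str) -> Policy:
    """Parse 'aes128-sha1;modp1536' (or 'aes128-sha1') into a Policy.

    The DH group after ';' is optional at the parsing level; whether it is
    required is decided per IKE/ESP in check_vpn_config().
    """
    text = text.strip().lower()
    algs, _, dh = text.partition(";")
    parts = algs.split("-")
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"policy must look like '<enc>-<hash>[;<dhgroup>]', got {text!r}")
    enc, integ = parts
    if enc not in KNOWN_ENCRYPTION:
        raise ValueError(f"unknown encryption algorithm {enc!r}")
    if integ not in KNOWN_INTEGRITY:
        raise ValueError(f"unknown integrity algorithm {integ!r}")
    if dh and dh not in KNOWN_DH_GROUPS:
        raise ValueError(f"unknown Diffie-Hellman group {dh!r}")
    return Policy(enc, integ, dh or None)


def check_vpn_config(ike_policy: str, esp_policy: str,
                     ike_lifetime: Optional[int] = None,
                     esp_lifetime: Optional[int] = None) -> List[str]:
    """Return a list of problems; an empty list means the config can be tried.

    Mirrors the outcome seen in the test table: no DH group on the IKE
    proposal means the tunnel never comes up, while a missing ESP group
    (no PFS) is allowed. A None lifetime means 'use the default'.
    """
    problems: List[str] = []
    ike = parse_policy(ike_policy)
    parse_policy(esp_policy)  # validates syntax; PFS group is optional
    if ike.dh_group is None:
        problems.append("IKE policy has no Diffie-Hellman group; "
                        "the S2S connection will not establish")
    for name, value in (("IKE", ike_lifetime), ("ESP", esp_lifetime)):
        if value is not None and value <= 0:
            problems.append(f"{name} lifetime must be a positive number of seconds, got {value}")
    return problems


def strongswan_proposals(ike_policy: str, esp_policy: str) -> dict:
    """Render ipsec.conf 'ike=' and 'esp=' proposal values from the policies.

    strongSwan joins the algorithms with '-' and a trailing '!' makes the
    proposal strict (only that combination is accepted).
    """
    out = {}
    for key, text in (("ike", ike_policy), ("esp", esp_policy)):
        p = parse_policy(text)
        pieces = [p.encryption, p.integrity] + ([p.dh_group] if p.dh_group else [])
        out[key] = "-".join(pieces) + "!"
    return out


if __name__ == "__main__":
    # Constructed inputs matching the passing and failing rows of the table.
    for ike, esp in (("aes128-sha1;modp1536", "aes128-sha1"), ("aes128-sha1", "aes128-sha1")):
        issues = check_vpn_config(ike, esp, ike_lifetime=86400, esp_lifetime=3600)
        print(ike, "->", "OK" if not issues else issues)
    print(strongswan_proposals("aes128-sha1;modp1536", "aes128-sha1;modp1536"))
```

Run as a script it prints one line per constructed configuration and the rendered proposals; as a library the `check_vpn_config` result is the value to gate on before creating the VPN connection, so the `SKIP`/`FAIL` rows of the table are caught at validation time rather than discovered by watching the connection state.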