GitHub user Slair1 opened a pull request:

    https://github.com/apache/cloudstack/pull/1966

    CLOUDSTACK-9801: IPSec VPN does not work after vRouter reboot or recreate

    After a vRouter is recreated (e.g. reboot via CloudStack UI) and Remote Access VPN is enabled, VPN won't work anymore. Here is the abbreviated output of "ipsec auto --status" while we were having the issue:
    
    ```
    root@r-10-VM:~# ipsec auto --status
    000 using kernel interface: netkey
    000 interface lo/lo 127.0.0.1
    000 interface lo/lo 127.0.0.1
    000 interface eth0/eth0 169.254.1.45
    000 interface eth0/eth0 169.254.1.45
    000 %myid = (none)
    ```
    
    After this commit, the following occurs and VPNs work:
    ```
    root@r-10-VM:~# ipsec auto --status
    000 using kernel interface: netkey
    000 interface lo/lo 127.0.0.1
    000 interface lo/lo 127.0.0.1
    000 interface eth0/eth0 169.254.1.45
    000 interface eth0/eth0 169.254.1.45
    000 interface eth1/eth1 xxx.xxx.xxx.172
    000 interface eth1/eth1 xxx.xxx.xxx.172
    000 interface eth2/eth2 192.168.1.1
    000 interface eth2/eth2 192.168.1.1
    000 %myid = (none)
    ```
    eth1 interface IP is masked, but now ipsec sees all the interfaces and VPN works.
    
    Looks like this bug was introduced by Pull Request #1423
    
    It added code to start ipsec (cloudstack/systemvm/patches/debian/config/opt/cloud/bin/configure.py)
    
    ```
    if vpnconfig['create']:
        logging.debug("Enabling remote access vpn on "+ public_ip)
        CsHelper.start_if_stopped("ipsec")
    ```

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/Slair1/cloudstack CLOUDSTACK-9801--IPSec-VPN-does-not-work-after-vRouter-reboot-or-recreate

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/1966.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1966
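
An added operator-side check, not part of the pull request or of CloudStack's own code: it parses the `ipsec auto --status` output quoted above and reports which router interfaces the IPsec daemon has not bound, so the broken state after a vRouter reboot can be detected rather than discovered by a failing VPN. The expected interface list, the public interface name and the 203.0.113.172 public address used below are constructed placeholders.

```python
import re
import subprocess

# Constructed sample, copied from the broken state quoted in the PR: the daemon
# lists only lo and eth0, so the public (eth1) and guest (eth2) interfaces are
# invisible to IPsec and the Remote Access VPN cannot work.
BROKEN_STATUS = """\
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 169.254.1.45
000 interface eth0/eth0 169.254.1.45
000 %myid = (none)
"""

# Matches lines such as "000 interface eth1/eth1 203.0.113.172".
_INTERFACE_RE = re.compile(r"^000 interface ([^/\s]+)/\S+ (\S+)\s*$")


def parse_ipsec_interfaces(status_output):
    """Return {ifname: ip} for every interface the IPsec daemon reports as bound."""
    bound = {}
    for line in status_output.splitlines():
        m = _INTERFACE_RE.match(line)
        if m:
            # The daemon prints each interface twice; one entry per name is enough.
            bound[m.group(1)] = m.group(2)
    return bound


def missing_vpn_interfaces(status_output, expected):
    """Names from `expected` (the router's eth0/eth1/eth2) that IPsec is not listening on."""
    return sorted(set(expected) - set(parse_ipsec_interfaces(status_output)))


def vpn_bound_to_public_ip(status_output, public_iface, public_ip):
    """True only when IPsec is bound to the public interface *and* to the expected address."""
    return parse_ipsec_interfaces(status_output).get(public_iface) == public_ip


def live_status():
    """Run the same command the PR quotes; must be executed as root on the vRouter itself."""
    result = subprocess.run(["ipsec", "auto", "--status"], capture_output=True, text=True, check=True)
    return result.stdout
```

Feed `live_status()` to `missing_vpn_interfaces` from a cron job or a post-reboot hook to alert when the public interface is absent from the IPsec interface list.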