Ok, looking at the logs it looks like an encoding problem of sorts. When terraform is making the calls, the policy appears as: sha1-aes256%3Bmodp2048
When cloudmonkey makes the calls (successfully) the policy looks like it should: aes128-sha256;modp2048

Ideas?

https://paste.fedoraproject.org/paste/HpGdigqa33ZjTeIDrAwE9w

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Nux!" <n...@li.nux.ro>
> To: "dev" <dev@cloudstack.apache.org>
> Sent: Wednesday, 22 November, 2017 09:11:28
> Subject: Re: Fail with vpn customer gateway creation through terraform

> Hi guys,
>
> sha1-aes256;modp3072 works if I use the UI or cloudmonkey, that's why I am
> thinking it must be terraform or some weird encoding issues.
>
> I tried replacing ; with - and also using modp2048, to no avail.
>
> "* cloudstack_vpn_customer_gateway.default: Error creating VPN Customer Gateway
> test-vpc: Undefined error: {"errorcode":431,"errortext":"The customer gateway
> IKE policy sha1-aes256-modp2048 is invalid! Verify the required Diffie Hellman
> (DH) group is specified."}"
>
> Logs here
>
> https://paste.fedoraproject.org/paste/HpGdigqa33ZjTeIDrAwE9w
>
> ----- Original Message -----
>> From: "Jayapal Uradi" <jayapal.ur...@accelerite.com>
>> To: "dev" <dev@cloudstack.apache.org>
>> Sent: Wednesday, 22 November, 2017 04:20:53
>> Subject: Re: Fail with vpn customer gateway creation through terraform
>
>> Hi Lucian,
>>
>> Try the following in config, '-' instead of ';' after the aes256 in the
>> config.
>>
>> New: "sha1-aes256-modp3072"
>> Old: "sha1-aes256;modp3072"
>>
>> Thanks,
>> Jayapal
>>
>> On Nov 22, 2017, at 5:44 AM, Pierre-Luc Dion <pd...@cloudops.com> wrote:
>>
>> Hi Nux,
>>
>> Could it be your cloudstack version? modp3072 is recent I think in
>> CloudStack so if you run an older version maybe it's not there?
>>
>> On Tue, Nov 21, 2017 at 6:55 PM, Nux! <n...@li.nux.ro> wrote:
>>
>> Thanks Chiradeep,
>>
>> Checked but brain says no.
>> What should I have learned from there?
>>
>> AFAIK this is a terraform fail.
>>
>> Lucian
>>
>> ----- Original Message -----
>> From: "Chiradeep Vittal" <chirade...@gmail.com>
>> To: "dev" <dev@cloudstack.apache.org>
>> Sent: Tuesday, 21 November, 2017 19:14:16
>> Subject: Re: Fail with vpn customer gateway creation through terraform
>>
>> Check
>> https://github.com/apache/cloudstack/blob/77864992fe8f80dbabd1240f6373d2ba3e98713c/utils/src/main/java/com/cloud/utils/net/NetUtils.java#L1221
>>
>> On Tue, Nov 21, 2017 at 10:11 AM, Nux! <n...@li.nux.ro> wrote:
>>
>> Hi,
>>
>> I'm trying out terraform and had success so far, except for the vpn
>> customer gateway feature.
>> For some reason, terraform fails to create it, though I use the same
>> options as in UI/cloudmonkey where it works just fine.
>>
>> The snippet for it is:
>>
>> resource "cloudstack_vpn_customer_gateway" "default" {
>>   name       = "test-vpc"
>>   cidr       = "10.0.0.0/24"
>>   esp_policy = "aes256-sha1"
>>   gateway    = "1.2.3.4"
>>   ike_policy = "sha1-aes256;modp3072"
>>   ipsec_psk  = "terraformxyz7"
>> }
>>
>> It always complains about the ike_policy:
>> * cloudstack_vpn_customer_gateway.default: Error creating VPN Customer
>> Gateway test-vpc: Undefined error: {"errorcode":431,"errortext":"The
>> customer gateway IKE policy sha1-aes256;modp3072 is invalid! Verify the
>> required Diffie Hellman (DH) group is specified."}
>>
>> I tried all sorts of ways to write the ike_policy, escaped, web
>> encoded/decoded, nothing worked. What am I missing?
>> The example terraform docs provide suffers the same fate.
>>
>> Lucian
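
Added example, not part of the thread and not code from terraform, go-cloudstack or CloudStack: a small Go check showing how a ';' that is percent-encoded twice on the client reaches a server that decodes once as the literal text %3B, which matches the value seen in the logs. That double encoding is the cause here is an assumption the thread does not confirm; the policy pattern and the helper names buildQuery, serverView and diagnose are hypothetical.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Assumed policy shape, taken from the strings quoted in the thread:
// <token>-<token>;modpNNNN. This is not CloudStack's own validator.
var policyRe = regexp.MustCompile(`^[a-z0-9]+-[a-z0-9]+;modp[0-9]+$`)

// A percent-escape still present after the value has been decoded once.
var residualEscape = regexp.MustCompile(`%[0-9A-Fa-f]{2}`)

// buildQuery percent-encodes the policy `times` times, as a client stack
// would if two layers each escaped the same parameter.
func buildQuery(policy string, times int) string {
	for i := 0; i < times; i++ {
		policy = url.QueryEscape(policy)
	}
	return "command=createVpnCustomerGateway&ikepolicy=" + policy
}

// serverView decodes the raw query exactly once and returns one parameter.
func serverView(rawQuery, param string) (string, error) {
	vals, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	return vals.Get(param), nil
}

// diagnose classifies a once-decoded policy value.
func diagnose(v string) string {
	if policyRe.MatchString(v) {
		return "ok"
	}
	if residualEscape.MatchString(v) {
		if d, err := url.QueryUnescape(v); err == nil && policyRe.MatchString(d) {
			return "double-encoded"
		}
	}
	return "malformed"
}

func main() {
	for n := 1; n <= 2; n++ { // constructed sample input
		v, _ := serverView(buildQuery("sha1-aes256;modp2048", n), "ikepolicy")
		fmt.Printf("encoded %dx -> server sees %q (%s)\n", n, v, diagnose(v))
	}
}
```

The same classification can be run over the ikepolicy values in the management server log to tell an encoding fault in the client apart from a policy string that is wrong in itself, such as the '-' variant tried in the thread.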