[Yahoo-eng-team] [Bug 1316724] [NEW] IKE Policy on peer site mismatched parameter still the ipsec site connection shows in active state

Tue, 06 May 2014 11:31:49 -0700 

Public bug reported:

Steps to Reproduce: 
1. Create vpn site with one ike policy with encryption_algorithm  aes-256 and 
other site as aes-128.
2. Create the ipsec-siteconnection and other operation like vpn-services and 
ipsec policy onto both the sites.
3. Check the status of vpn service
 
+--------------------------------------+------+--------------------------------------+--------+
| id                                   | name | router_id                       
     | status |
+--------------------------------------+------+--------------------------------------+--------+
| 530c3dfb-9224-403c-b285-a224c9a7036d | vpn1 | 
cd288ec1-cad5-48e4-a402-882103ac6ec5 | ACTIVE |
| 77d0b36f-35e3-46d9-8d33-1b989092cecf | vpn2 | 
224c35b8-01b3-4e9b-a148-2751840a1b18 | ACTIVE |
+--------------------------------------+------+--------------------------------------+--------+
4. Check the status of ipsec site connection.

+--------------------------------------+-------+--------------+----------------+------------+-----------+--------+
| id                                   | name  | peer_address | peer_cidrs     
| route_mode | auth_mode | status |
+--------------------------------------+-------+--------------+----------------+------------+-----------+--------+
| a158f5d5-128e-47ba-9260-34dc9ff315b0 | site1 | $peer_address2 | "$Peer_cidr2" 
| static     | psk       | ACTIVE |
| a9486296-bc36-439b-b0a8-4d4b0417486d | site2 | $Peer_address1 | "$Peer_cidr1" 
| static     | psk       | ACTIVE |
+--------------------------------------+-------+--------------+----------------+------------+-----------+--------+
5. List the ike policy
+--------------------------------------+------+----------------+----------------------+-------------+--------+
| id                                   | name | auth_algorithm | 
encryption_algorithm | ike_version | pfs    |
+--------------------------------------+------+----------------+----------------------+-------------+--------+
| b04d74ad-ec1f-44b0-8ae6-802872bf4ca0 | IKE1 | sha1           | aes-128        
      | v1          | group5 |
| e5be37ec-9888-46a7-b884-083b5b5336aa | IKE2 | sha1           | aes-256        
      | v1          | group5 |
+--------------------------------------+------+----------------+----------------------+-------------+--------+
6. List the ipsec-policy
+--------------------------------------+--------+----------------+----------------------+--------+
| id                                   | name   | auth_algorithm | 
encryption_algorithm | pfs    |
+--------------------------------------+--------+----------------+----------------------+--------+
| 12c9db3b-8122-4e1e-9aad-8e6e87225a1f | IPSEC1 | sha1           | aes-256      
       | group5 |
| d38bba51-ecdd-43ef-822c-4f1c86507c9a | IPSEC2 | sha1           | aes-256      
        | group5 |
+--------------------------------------+--------+----------------+----------------------+--------+

Actual Results: Ipsec site connection show as active with mismatched
version of encryption algorithm in the ikepolicy

Expected Results: Ipsec site connection should show as down state since
mismatched version of encryption algorithm in the ikepolicy is provided.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1316724

Title:
  IKE Policy on peer site mismatched parameter still the ipsec site
  connection shows in active state

Status in OpenStack Neutron (virtual network service):
  New

Bug description:
  Steps to Reproduce: 
  1. Create vpn site with one ike policy with encryption_algorithm  aes-256 and 
other site as aes-128.
  2. Create the ipsec-siteconnection and other operation like vpn-services and 
ipsec policy onto both the sites.
  3. Check the status of vpn service
   
  
+--------------------------------------+------+--------------------------------------+--------+
  | id                                   | name | router_id                     
       | status |
  
+--------------------------------------+------+--------------------------------------+--------+
  | 530c3dfb-9224-403c-b285-a224c9a7036d | vpn1 | 
cd288ec1-cad5-48e4-a402-882103ac6ec5 | ACTIVE |
  | 77d0b36f-35e3-46d9-8d33-1b989092cecf | vpn2 | 
224c35b8-01b3-4e9b-a148-2751840a1b18 | ACTIVE |
  
+--------------------------------------+------+--------------------------------------+--------+
  4. Check the status of ipsec site connection.

  
+--------------------------------------+-------+--------------+----------------+------------+-----------+--------+
  | id                                   | name  | peer_address | peer_cidrs    
 | route_mode | auth_mode | status |
  
+--------------------------------------+-------+--------------+----------------+------------+-----------+--------+
  | a158f5d5-128e-47ba-9260-34dc9ff315b0 | site1 | $peer_address2 | 
"$Peer_cidr2" | static     | psk       | ACTIVE |
  | a9486296-bc36-439b-b0a8-4d4b0417486d | site2 | $Peer_address1 | 
"$Peer_cidr1" | static     | psk       | ACTIVE |
  
+--------------------------------------+-------+--------------+----------------+------------+-----------+--------+
  5. List the ike policy
  
+--------------------------------------+------+----------------+----------------------+-------------+--------+
  | id                                   | name | auth_algorithm | 
encryption_algorithm | ike_version | pfs    |
  
+--------------------------------------+------+----------------+----------------------+-------------+--------+
  | b04d74ad-ec1f-44b0-8ae6-802872bf4ca0 | IKE1 | sha1           | aes-128      
        | v1          | group5 |
  | e5be37ec-9888-46a7-b884-083b5b5336aa | IKE2 | sha1           | aes-256      
        | v1          | group5 |
  
+--------------------------------------+------+----------------+----------------------+-------------+--------+
  6. List the ipsec-policy
  
+--------------------------------------+--------+----------------+----------------------+--------+
  | id                                   | name   | auth_algorithm | 
encryption_algorithm | pfs    |
  
+--------------------------------------+--------+----------------+----------------------+--------+
  | 12c9db3b-8122-4e1e-9aad-8e6e87225a1f | IPSEC1 | sha1           | aes-256    
         | group5 |
  | d38bba51-ecdd-43ef-822c-4f1c86507c9a | IPSEC2 | sha1           | aes-256    
          | group5 |
  
+--------------------------------------+--------+----------------+----------------------+--------+

  Actual Results: Ipsec site connection show as active with mismatched
  version of encryption algorithm in the ikepolicy

  Expected Results: Ipsec site connection should show as down state
  since mismatched version of encryption algorithm in the ikepolicy is
  provided.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1316724/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

Reply via email to