Uploaded image for project: 'CloudStack'
  1. CloudStack
  2. CLOUDSTACK-9801

IPSec VPN does not work after vRouter reboot or recreate

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 4.9.0, 4.9.2.0, 4.9.0.1
    • Fix Version/s: 4.9.3.0
    • Component/s: Virtual Router
    • Security Level: Public (Anyone can view this level - this is the default.)
    • Environment:
      Tested in XenServer as hypervisor. With RemoteAccess VPN enabled. Both Remote Access VPN and Site to Site VPN functionality won't work.
    • Flags:
      Patch

      Description

      After a vRouter is recreated (which happens when a reboot via CloudStack UI for example) and Remote Access VPN enabled, VPN won't work anymore. Here is the abbreviated output of "ipsec auto -status" while we were having the issue:

      root@r-10-VM:~# ipsec auto --status
      000 using kernel interface: netkey
      000 interface lo/lo 127.0.0.1
      000 interface lo/lo 127.0.0.1
      000 interface eth0/eth0 169.254.1.45
      000 interface eth0/eth0 169.254.1.45
      000 %myid = (none)

      Notice that only eth0 is shown, not the public interface eth1. Because of that ipsec is broken.

      However, if we manually stopped and started ipsec, then issued a "ipsec auto -status", the abbreviated output would be:

      root@r-10-VM:~# ipsec auto --status
      000 using kernel interface: netkey
      000 interface lo/lo 127.0.0.1
      000 interface lo/lo 127.0.0.1
      000 interface eth0/eth0 169.254.1.45
      000 interface eth0/eth0 169.254.1.45
      000 interface eth1/eth1 xxx.xxx.xxx.172
      000 interface eth1/eth1 xxx.xxx.xxx.172
      000 interface eth2/eth2 192.168.1.1
      000 interface eth2/eth2 192.168.1.1
      000 %myid = (none)

      eth1 interface IP is masked, but now ipsec sees all the interfaces and VPN works.

      Looks like this bug was introduced by Pull Request #1423

      https://github.com/apache/cloudstack/pull/1423

      It added code to start ipsec (cloudstack/systemvm/patches/debian/config/opt/cloud/bin/configure.py)

      if vpnconfig['create']:
      logging.debug("Enabling remote access vpn on "+ public_ip)
      CsHelper.start_if_stopped("ipsec")
      self.configure_l2tpIpsec(public_ip, self.dbag[public_ip])

      The issue is that if a reboot is issued from the CloudStack UI (as opposed to manually by logging into the vRouter), the NICS (except eth0) are not added to the VM until the cloud service is running.

      Since ipsec was started before the nics were added to the VM and before the public IP address is added to the nic, ipsec is not listening on the public IP address and all VPNs are broken.

      This is not a problem with the Site2Site VPN section of configure.py, because that section does not start ipsec if the public IP is not on the system yet...

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                slair1 Sean Lair
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - 24h
                  24h
                  Remaining:
                  Remaining Estimate - 24h
                  24h
                  Logged:
                  Time Spent - Not Specified
                  Not Specified