<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">See in-line @PCM<div><br></div><div><br><div apple-content-edited="true">
<div><div>PCM (Paul Michali)</div><div><br></div><div>MAIL …..…. <a href="mailto:pcm@cisco.com">pcm@cisco.com</a></div><div>IRC ……..… pcm_ (<a href="http://irc.freenode.com">irc.freenode.com</a>)</div><div>TW ………... @pmichali</div><div>GPG Key … 4525ECC253E31A83</div><div>Fingerprint .. 307A 96BB 1A4C D2C7 931D 8D2D 4525 ECC2 53E3 1A83</div></div><div><br></div><br class="Apple-interchange-newline">
</div>
<br><div><div>On Sep 30, 2014, at 11:31 PM, masoom alam <<a href="mailto:masoom.alam@gmail.com">masoom.alam@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><div dir="ltr">Hi Paul, <div><br></div><div>Apologies for late response. I was having throat infection. </div><div><br></div><div><br></div><div class="gmail_extra"><br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex;"><div style="word-wrap: break-word;"><div><br></div><div>Can you show the ipsec-site-connection-create command used on each end?<div><div></div></div></div></div></blockquote><div><br></div><div><br></div><div><span style="color: rgb(51, 51, 51); font-family: Monaco, Menlo, Consolas, 'Courier New', monospace; font-size: 13px; line-height: 20px; white-space: pre-wrap; background-color: rgb(245, 245, 245);">neutron ipsec-site-connection-create --name vpnconnection1 --vpnservice-id myvpn --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address <public address> --peer-id <q-router-ip> --peer-cidr <a href="http://10.2.0.0/24">10.2.0.0/24</a> --psk secret</span></div><div><span style="color: rgb(51, 51, 51); font-family: Monaco, Menlo, Consolas, 'Courier New', monospace; font-size: 13px; line-height: 20px; white-space: pre-wrap; background-color: rgb(245, 245, 245);"><br></span></div><ul><li>In the above command: --peer-address is the public ip of the node having devstack setup -- you can call it devstack West<br></li><li>--peer-id: we are giving the ip of the q-router<br></li></ul><br>Make sense?<div><br></div><div> </div><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex;"><div style="word-wrap: break-word;"><div>Can you show the topology with IP addresses used (and indicate how the two clouds are connected)?</div><div>Are you using devstack? Two physical nodes? How are they interconnected?</div></div></blockquote><div><br></div><div>We are using exactly the same topology as shown below even the floating ip addresses are same one mentioned below. However, Our Internet gateway is a public ip. Similarly, other Internet GW is also a public ip. </div></div></div></div></div></blockquote><div><br></div>@PCM So is the public IP for the router (172.24.4.226) an internet on the Internet? In the example, IIRC, the quantum router has an IP on the public network, and the GW IP is also on the same network (172.24.4.225). I think the latter, is assigned to the external bridge on the host (br-ex). Is that what you have?</div><div><br></div><div><br><blockquote type="cite"><div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div><br></div><div><pre style="padding: 9.5px; font-family: Monaco, Menlo, Consolas, 'Courier New', monospace; font-size: 13px; color: rgb(51, 51, 51); border-top-left-radius: 4px; border-top-right-radius: 4px; border-bottom-right-radius: 4px; border-bottom-left-radius: 4px; margin-top: 0px; margin-bottom: 10px; line-height: 20px; word-break: break-all; word-wrap: break-word; white-space: pre-wrap; border: 1px solid rgba(0, 0, 0, 0.14902); background-color: rgb(245, 245, 245);"> (<a href="http://10.1.0.0/24">10.1.0.0/24</a> - DevStack <b>East</b>)
|
| 10.1.0.1
[Quantum Router]
| 172.24.4.226
|
| 172.24.4.225
[Internet GW]
|
|
[Internet GW]
| 172.24.4.232
|
| 172.24.4.233
[Quantum Router]
| 10.2.0.1
|
(<a href="http://10.2.0.0/24">10.2.0.0/24</a> DevStack <b>West</b>)
</pre><h4 style="margin: 10px 0px; font-family: 'PT Sans', sans-serif; line-height: 20px; color: rgb(51, 51, 51); font-size: 17.5px;"><br></h4></div><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex;"><div style="word-wrap: break-word;"><div><br></div><div>First thing would be to ensure that you can ping from one host to another over the public IPs involved. You can then go to the namespace of the router and see if you can ping the public I/F of the other end’s router.</div></div></blockquote><div><br></div><div>We can ping anything on the host having devstack setup for example<span class="Apple-converted-space"> </span><a href="http://google.com/">google.com</a>, but GW of the other host. </div></div></div></div></div></blockquote><div><br></div>@PCM Are you saying that the host for devstack East can ping on the Internet, but cannot ping the GW IP of the other Devstack setup (also on the internet)?</div><div><br></div><div>I guess I need to understand what the “GW” actually is, in your setup. For the example given, it is the host’s br-ex interface and is on the same subnet as the router’s public interface.</div><div><br></div><div><br><blockquote type="cite"><div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div>However, we cannot ping from within the CirrOS instance. I have run the traceroute command and we are reaching till <span style="color: rgb(51, 51, 51); font-family: Monaco, Menlo, Consolas, 'Courier New', monospace; font-size: 13px; line-height: 20px; white-space: pre-wrap; background-color: rgb(245, 245, 245);">172.24.4.225 </span>but not beyond this point.</div></div></div></div></div></blockquote><div><br></div>@PCM By 172.24.4.225 do you mean the Internet IP for the br-ex interface on the local host? The cirrus VM, irrespective of VPN, should be able to ping the router’s public IP, the gateway IP and the far end public IPs. I’m struggling to understand what you have setup. Is the internet GW just the br-ex or some external router?</div><div><br></div><div>Should like you have some connectivity issues outside of VPN. From the Cirros VM should should be able to ping everything, except the Cirros VMs on the other side.</div><div><br></div><div><br><blockquote type="cite"><div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div> BTW we did some other experiments as well. For example, when we tried to explicitly link our br-ex (<span style="color: rgb(51, 51, 51); font-family: Monaco, Menlo, Consolas, 'Courier New', monospace; font-size: 13px; line-height: 20px; white-space: pre-wrap; background-color: rgb(245, 245, 245);">172.24.4.225</span>) with eth0 (Internet GW), machine got corrupted. Same is the issue if we do a hard reboot, Neutron gets corrupted :)</div></div></div></div></div></blockquote><div><br></div>@PCM This seems to be the point of confusion. On the example, br-ex would have an IP on the public network. Sounds like that is not the case here. The br-ex would have, a port that is the interface that is actually connected to the public network. For example, I may have eth1 on my system added to br-ex, and eth1 would be connected to a switch that connects this to the other node (in a simple lab environment).</div><div><br></div><div>Not sure I understand what you mean by “machine got corrupted” and “Neutron gets corrupted”. Can you elaborate?</div><div><br></div><div>When I set up this in a lab, I add the interface to br-ex and then I stack. In the localrc, the interface is specified, along with br-ex.</div><div><br></div><div><br><blockquote type="cite"><div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div> </div><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; position: static; z-index: auto;"><div style="word-wrap: break-word;"><div><br></div><div>You can look at the screen-q-vpn.log (assuming devstack used) to see if any errors during setup.</div><div><br></div><div>Note: When I stack, I turn off neutron security groups and then set nova security groups to allow SSH and ICMP. I imagine the alternative would be to setup neutron security groups to allow these two protocols.</div></div></blockquote></div></div></div></div></blockquote><div><br></div>@PCM What are you doing for security groups? I disable Neutron security groups and have set Nova to allow ICMP and SSH. I think you can instead, do:</div><div><br></div><div>LIBVIRT_FIREWALL_DRIVER=nova.virt.firewall.NoopFirewallDriver</div><div><br></div><div>HTHs,</div><div><br></div><div>PCM</div><div><br></div><div><br></div><div><blockquote type="cite"><div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; position: static; z-index: auto;"><div style="word-wrap: break-word;"><div><br></div><div>I didn’t quite follow what you meant by "Please note that my two devstack nodes are on different public addresses, so scenario is a little different than the one described here: <a href="https://wiki.openstack.org/wiki/Neutron/VPNaaS/HowToInstall" target="_blank">https://wiki.openstack.org/wiki/Neutron/VPNaaS/HowToInstall</a>”. Can you elaborate (showing the commands and topology will help)?</div><div><br></div><div>Germy,</div><div><br></div><div>I have created this BP during Juno (unfortunately no progress on it however), regarding being able to see more status information for troubleshooting: <a href="https://blueprints.launchpad.net/neutron/+spec/l3-svcs-vendor-status-report" target="_blank">https://blueprints.launchpad.net/neutron/+spec/l3-svcs-vendor-status-report</a></div><div><br></div><div>It was targeted for vendor implementations, but would include reference implementation status too. Right now, if a VPN connection negotiation fails, there’s no indication of what went wrong.</div><div><br></div><div>Regards,</div><div><br></div><div><br><div><div><div>PCM (Paul Michali)</div><div><br></div><div>MAIL …..….<span class="Apple-converted-space"> </span><a href="mailto:pcm@cisco.com" target="_blank">pcm@cisco.com</a></div><div>IRC ……..… pcm_ (<a href="http://irc.freenode.com/" target="_blank">irc.freenode.com</a>)</div><div>TW ………... @pmichali</div><div>GPG Key … 4525ECC253E31A83</div><div>Fingerprint .. 307A 96BB 1A4C D2C7 931D 8D2D 4525 ECC2 53E3 1A83</div></div><div><br></div><br></div><div><div class="h5"><br><div><div>On Sep 29, 2014, at 1:38 AM, masoom alam <<a href="mailto:masoom.alam@gmail.com" target="_blank">masoom.alam@gmail.com</a>> wrote:</div><br><blockquote type="cite"><div dir="ltr">Hi Germy<div><br></div><div>We cannot ping the public interface of the 2nd devstack setup (devstack West). From our Cirros instance (First devstack -- devstack east), we can ping our own public ip, but cannot ping the other public ip. I think problem lies here, if we are reaching the devstack west, how can we make a VPN connection</div><div><br></div><div>Our topology looks like:</div><div><br></div><div><b>CirrOS --->Qrouter---->Public IP -------publicIP---->Qrouter----->CirrOS</b></div><div>_________________________ _____________________________</div><div> devstack EAST devstack WEST</div><div><br></div><div><br></div><div>Also it is important to note that we are not able to ssh the instance private ip, without<span class="Apple-converted-space"> </span><b>sudo ip netns qrouter id<span class="Apple-converted-space"> </span></b>so this means we cannot even ssh with floating ip.</div><div><b><br></b></div><div><b><br></b></div><div>it seems there is a problem in firewall or iptables. </div><div><b><br></b></div><div>Please guide</div><div><b><br></b></div><div><br><br>On Sunday, September 28, 2014, Germy Lure <<a href="mailto:germy.lure@gmail.com" target="_blank">germy.lure@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex;"><div dir="ltr">Hi,<div><br></div><div>masoom:</div><div>I think firstly you can just check that if you could ping from left to right without installing VPN connection.</div><div>If it worked, then you should cat the system logs to confirm the configure's OK.</div><div>You can ping and tcpdump to dialog where packets are blocked.</div><div><br></div><div>stackers:</div><div>I think we should give mechanism to show the cause when vpn-connection is down. At least, we could extend an attribute to explain this. Maybe the VPN-incubator project is a chance?</div><div><br></div><div>BR,</div><div>Germy</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Sep 27, 2014 at 7:04 PM, masoom alam<span class="Apple-converted-space"> </span><span dir="ltr"><<a>masoom.alam@gmail.com</a>></span><span class="Apple-converted-space"> </span>wrote:<br><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex;"><div dir="ltr">Hi Every one, <div><br></div><div>I am trying to establish the VPN connection by giving the <span style="color: rgb(51, 51, 51); font-family: Monaco, Menlo, Consolas, 'Courier New', monospace; font-size: 13px; line-height: 20px; white-space: pre-wrap; background-color: rgb(245, 245, 245);">neutron ipsec-site-connection-create.</span></div><div><br></div><div><pre style="padding: 9.5px; font-family: Monaco, Menlo, Consolas, 'Courier New', monospace; font-size: 13px; color: rgb(51, 51, 51); border-top-left-radius: 4px; border-top-right-radius: 4px; border-bottom-right-radius: 4px; border-bottom-left-radius: 4px; margin-top: 0px; margin-bottom: 10px; line-height: 20px; word-break: break-all; word-wrap: break-word; white-space: pre-wrap; border: 1px solid rgba(0, 0, 0, 0.14902); background-color: rgb(245, 245, 245);">neutron ipsec-site-connection-create --name vpnconnection1 --vpnservice-id myvpn --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address 172.24.4.233 --peer-id 172.24.4.233 --peer-cidr <a href="http://10.2.0.0/24" target="_blank">10.2.0.0/24</a> --psk secret</pre></div><div><br></div><div>For the --peer-address I am giving the public interface of the other devstack node. Please note that my two devstack nodes are on different public addresses, so scenario is a little different than the one described here: <a href="https://wiki.openstack.org/wiki/Neutron/VPNaaS/HowToInstall" target="_blank">https://wiki.openstack.org/wiki/Neutron/VPNaaS/HowToInstall</a></div><div><br></div><div>The --peer-id is the ip address of the Qrouter connected to the public interface. With this configuration, I am not able to up the VPN site to site connection. Do you think its a firewall issue, I have disabled both firewalls with sudo ufw disable. Any help in this regard. Am I giving the correct parameters?</div><div><br></div><div>Thanks</div><div><br></div><div><br></div><div><br></div><div><br></div></div><br>_______________________________________________<br>OpenStack-dev mailing list<br><a>OpenStack-dev@lists.openstack.org</a><br><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br><br></blockquote></div><br></div></blockquote></div></div>_______________________________________________<br>OpenStack-dev mailing list<br><a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br></blockquote></div><br></div></div></div></div><br>_______________________________________________<br>OpenStack-dev mailing list<br><a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a></blockquote></div></div></div></div></blockquote></div><br></div></body></html>