<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Just more data…<div><br></div><div>I keep consistently seeing that on private subnet, the VM can only access router (as expected), but on privateB subnet, the VM <b><u>can</u></b> access the private I/F of router1 on private subnet. From the router’s namespace, I cannot ping the local VM (why not?). Oddly, I <u style="font-weight: bold;">can</u> ping router1’s private IP from router2 namespace!</div><div><br></div><div>I tried these commands to create security group rules (are they wrong?):</div><div><br></div><div><div># There are two default groups created by DevStack</div><div>group=`neutron security-group-list | grep default | cut -f 2 -d' ' | head -1`</div><div>neutron security-group-rule-create --protocol ICMP $group</div><div>neutron security-group-rule-create --protocol tcp --port-range-min 22 --port-range-max 22 $group</div><div>group=`neutron security-group-list | grep default | cut -f 2 -d' ' | tail -1`</div><div>neutron security-group-rule-create --protocol ICMP $group</div><div>neutron security-group-rule-create --protocol tcp --port-range-min 22 --port-range-max 22 $group</div></div><div><br></div><div>The only change that happens, when I do these commands, is that the VM in privateB subnet can now ping the VM from private subnet, but not vice versa. From router1 namespace, it can then access local VMs. 
From router2 namespace it can access local VMs <u style="font-weight: bold;">and</u> VMs in private subnet (all access).</div><div><br></div><div>It seems like I have some issue with security groups, and I need to square that away, before I can test VPN out.</div><div><br></div><div>Am I creating the security group rules correctly?</div><div>My goal is that the private nets can access the public net, but not each other (until VPN connection is established).</div><div><br></div><div>Lastly, in this latest try, I set OVS_PHYSICAL_BRIDGE=br-ex. In earlier runs w/o that, there were QVO interfaces, but no QVB or QBR interfaces at all. It didn’t seem to change connectivity, however.</div><div><br></div><div>Ideas?</div><div><br></div><div><div apple-content-edited="true"><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div><div>PCM (Paul Michali)</div><div><br></div><div>MAIL …..…. <a href="mailto:pcm@cisco.com">pcm@cisco.com</a></div><div>IRC ……..… pc_m (<a href="http://irc.freenode.com">irc.freenode.com</a>)</div><div>TW ………... @pmichali</div><div>GPG Key … 4525ECC253E31A83</div><div>Fingerprint .. 307A 96BB 1A4C D2C7 931D 8D2D 4525 ECC2 53E3 1A83</div></div><div><br></div></div><br class="Apple-interchange-newline"><br class="Apple-interchange-newline">
</div>
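<div>The following is an added example, not from Paul's mail and not Neutron's own code: a small Python model of how Neutron evaluates security-group rules on a VM port, used to check what the two <code>neutron security-group-rule-create</code> commands above actually permit. It assumes the CLI defaults for the options those commands omit (direction ingress, IPv4, no remote restriction), uses the placeholder ids <code>default-A</code> and <code>default-B</code> for the two "default" groups in place of the UUIDs the <code>head -1</code>/<code>tail -1</code> pipelines pick out, and models only the per-port filter, not routing or NAT between the two routers. Router interfaces are modelled without a security group, because Neutron only enforces security groups on compute ports. The 10.x addresses are taken from the thread; the second VM in group A is constructed.</div>

```python
"""Added example (not part of the mail): a minimal model of Neutron security-group
semantics, applied to the rule-create commands quoted in the thread.
Group ids are placeholders; only the port-level filter is modelled."""
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    direction: str = "ingress"              # CLI default when --direction is omitted
    protocol: Optional[str] = None          # None = any protocol
    port_min: Optional[int] = None
    port_max: Optional[int] = None
    remote_ip_prefix: Optional[str] = None  # None = any source (0.0.0.0/0)
    remote_group: Optional[str] = None      # match traffic from ports in that group


@dataclass
class Group:
    gid: str
    rules: List[Rule] = field(default_factory=list)


@dataclass
class Port:
    ip: str
    group: Optional[Group]  # None models a router interface: no security group applies


def parse_rule_create(cmdline: str) -> Tuple[str, Rule]:
    """Parse one `neutron security-group-rule-create ...` line into (group, Rule),
    applying the defaults the CLI uses for options the mail's commands omit."""
    argv = shlex.split(cmdline)
    if argv[:2] != ["neutron", "security-group-rule-create"]:
        raise ValueError("not a security-group-rule-create command")
    rule, group, opts = Rule(), argv[-1], argv[2:-1]
    for key, val in zip(opts[0::2], opts[1::2]):
        if key == "--direction":
            rule.direction = val
        elif key == "--protocol":
            rule.protocol = val.lower()     # the mail writes ICMP; Neutron accepts either case
        elif key == "--port-range-min":
            rule.port_min = int(val)
        elif key == "--port-range-max":
            rule.port_max = int(val)
        elif key == "--remote-ip-prefix":
            rule.remote_ip_prefix = val
        elif key == "--remote-group-id":
            rule.remote_group = val
        else:
            raise ValueError(f"unhandled option {key}")
    return group, rule


def default_group(gid: str) -> Group:
    """What Neutron puts in each tenant's 'default' group: egress anywhere,
    ingress only from other ports in the same group."""
    return Group(gid, [Rule("egress"), Rule("ingress", remote_group=gid)])


def ingress_allowed(dst: Port, src: Port, proto: str, dport: Optional[int] = None) -> bool:
    """Ingress is default-deny on a VM port; the first matching rule permits the flow."""
    if dst.group is None:  # router interfaces carry no security group
        return True
    for r in dst.group.rules:
        if r.direction != "ingress":
            continue
        if r.protocol is not None and r.protocol != proto:
            continue
        if r.port_min is not None and (dport is None or not r.port_min <= dport <= r.port_max):
            continue
        if r.remote_group is not None and (src.group is None or src.group.gid != r.remote_group):
            continue
        if r.remote_ip_prefix is not None and \
                ipaddress.ip_address(src.ip) not in ipaddress.ip_network(r.remote_ip_prefix):
            continue
        return True
    return False


# The four commands from the mail, with placeholder group ids (constructed).
COMMANDS = [
    "neutron security-group-rule-create --protocol ICMP default-A",
    "neutron security-group-rule-create --protocol tcp --port-range-min 22 --port-range-max 22 default-A",
    "neutron security-group-rule-create --protocol ICMP default-B",
    "neutron security-group-rule-create --protocol tcp --port-range-min 22 --port-range-max 22 default-B",
]


def evaluate(commands: List[str] = COMMANDS) -> Dict[str, bool]:
    """Apply the commands to two fresh default groups and test a few flows."""
    groups = {gid: default_group(gid) for gid in ("default-A", "default-B")}
    for line in commands:
        gid, rule = parse_rule_create(line)
        groups[gid].rules.append(rule)
    vm_a = Port("10.1.0.4", groups["default-A"])   # VM on the private subnet (from the mail)
    vm_a2 = Port("10.1.0.5", groups["default-A"])  # second VM in the same group (constructed)
    vm_b = Port("10.2.0.2", groups["default-B"])   # VM on privateB (from the mail)
    router1_priv = Port("10.1.0.1", None)          # router1's private interface (from the mail)
    return {
        "vmB->vmA icmp": ingress_allowed(vm_a, vm_b, "icmp"),
        "vmA->vmB icmp": ingress_allowed(vm_b, vm_a, "icmp"),
        "vmA2->vmA icmp": ingress_allowed(vm_a, vm_a2, "icmp"),
        "vmB->vmA ssh": ingress_allowed(vm_a, vm_b, "tcp", 22),
        "vmB->vmA tcp/80": ingress_allowed(vm_a, vm_b, "tcp", 80),
        "vmB->router1 icmp": ingress_allowed(router1_priv, vm_b, "icmp"),
    }


def evaluate_without_rules() -> Dict[str, bool]:
    """Same flows with only the stock default-group rules in place."""
    return evaluate([])
```

<div>Run as is, the model shows that the two commands add ingress ICMP and tcp/22 rules with no remote restriction to both groups, so each VM becomes pingable and SSH-able from any source, whereas the untouched default group only admits traffic from ports in the same group. The router's private interface is reachable in both runs because no security group is evaluated on it, so security-group rules alone do not account for the cross-subnet reachability of 10.1.0.1. The real CLI's <code>--remote-ip-prefix</code> and <code>--remote-group-id</code> options narrow such rules to the sources actually expected.</div>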
<br><div><div>On Dec 31, 2014, at 10:33 AM, Paul Michali (pcm) <<a href="mailto:pcm@cisco.com">pcm@cisco.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><meta http-equiv="Content-Type" content="text/html charset=windows-1252"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">I’ve been playing a bit with trying to get VPNaaS working post-repo split, and haven’t been successful. I’m trying it a few ways with DevStack, and I’m not sure whether I have a config error, setup issue, or there is something due to the split.<div><br></div><div>In the past (and it’s been a few months since I verified VPN operation), I used two bare metal machines and an external switch connecting them, with a DevStack cloud running on each. That configuration is currently set up for a vendor VPN solution, so I wanted to try different methods to test the reference VPN implementation. I’ve got two ideas to do this:</div><div><br></div><div>A) Run DevStack and create two routers with a shared “public” network, and two private networks, setting up a VPN connection between the private nets.</div><div>B) Run two DevStack instances (on two VMs) and try to set up a provider network between them.</div><div><br></div><div><div>I’m starting with A (though I did try B quickly, but it didn’t work), and I spun up the stack, added a second router (all under the same tenant), created another private network, and booted a Cirros VM in each private net.</div><div><br></div><div>Before even trying VPN, I checked pings. From the first private net VM (10.1.0.4), I could ping on the public net, including the public IP of the second private net’s public interface for its router. I cannot ping the VM from the host. That seems all expected to me.</div><div><br></div><div>What seems wrong is the other VM (this is on the post-stack net I created). Like the other VM, I can ping public net IPs. 
However, I can also ping the private net address of the first network’s router (10.1.0.1)! Shouldn’t that have failed (at least that was what I was expecting)? I can’t ping the VM on that side though. Another curiosity is that the VM got the second IP on the subnet (10.2.0.2), unlike the other private net, where DHCP and a compute probe got the 2nd and 3rd IPs. There is DHCP enabled on this private network.</div><div><br></div><div>When I tried VPN, both connections show as DOWN, and all I see are phase 1 ident packets. I cannot ping from VM to VM. I don’t see any logging for the OpenSwan processes, so I’m not too sure how to debug. Maybe I can try some ipsec show command?</div><div><br></div><div>I’m not too sure what is wrong with this setup.</div><div><br></div><div>For a comparison, I decided to do the same thing, using <b>stable/juno</b>. So, I fired up a VM and cloned DevStack with stable/juno and stacked. This time, things are even worse! When I try to boot a VM, and then check the status, the VM is in PAUSED power state. I can’t seem to unpause (nor do I know why it is in this state). 
Verified this with Cirros 3.3, 3.2, and Ubuntu cloud images:</div><div><br></div><div><div><font face="Courier">+--------------------------------------+----------------------------------------------------------------+</font></div><div><font face="Courier">| Property | Value |</font></div><div><font face="Courier">+--------------------------------------+----------------------------------------------------------------+</font></div><div><font face="Courier">| OS-DCF:diskConfig | MANUAL |</font></div><div><font face="Courier">| OS-EXT-AZ:availability_zone | nova |</font></div><div><font face="Courier">| OS-EXT-SRV-ATTR:host | juno |</font></div><div><font face="Courier">| OS-EXT-SRV-ATTR:hypervisor_hostname | juno |</font></div><div><font face="Courier">| OS-EXT-SRV-ATTR:instance_name | instance-00000001 |</font></div><div><font face="Courier">| <b>OS-EXT-STS:power_state | 3 </b> |</font></div><div><font face="Courier">| OS-EXT-STS:task_state | - |</font></div><div><font face="Courier">| OS-EXT-STS:vm_state | active |</font></div><div><font face="Courier">| OS-SRV-USG:launched_at | 2014-12-31T15:15:33.000000 |</font></div><div><font face="Courier">| OS-SRV-USG:terminated_at | - |</font></div><div><font face="Courier">| accessIPv4 | |</font></div><div><font face="Courier">| accessIPv6 | |</font></div><div><font face="Courier">| config_drive | |</font></div><div><font face="Courier">| created | 2014-12-31T15:15:24Z |</font></div><div><font face="Courier">| flavor | m1.tiny (1) |</font></div><div><font face="Courier">| hostId | 5b0c48250ccc0ac3fca8a821e29e4b154ec0b101f9cc0a0b27071a3f |</font></div><div><font face="Courier">| id | ec5c8d70-ae80-4cc3-a5bb-b68019170dd6 |</font></div><div><font face="Courier">| image | cirros-0.3.3-x86_64-uec (797e4dee-8c03-497f-8dac-a44b9351dfa3) |</font></div><div><font face="Courier">| key_name | - |</font></div><div><font face="Courier">| metadata | {} |</font></div><div><font face="Courier">| name | peter |</font></div><div><font 
face="Courier">| os-extended-volumes:volumes_attached | [] |</font></div><div><font face="Courier">| private network | 10.0.0.4 |</font></div><div><font face="Courier">| progress | 0 |</font></div><div><font face="Courier">| security_groups | default |</font></div><div><font face="Courier">| status | ACTIVE |</font></div><div><font face="Courier">| tenant_id | 7afb5bc1d88d462c8d57178437d3c277 |</font></div><div><font face="Courier">| updated | 2014-12-31T15:15:34Z |</font></div><div><font face="Courier">| user_id | 4ff18bdbeb4d436ea4ff1bcd29e269a9 |</font></div><div><font face="Courier">+--------------------------------------+----------------------------------------------------------------+</font></div></div><div><font face="Courier"><br></font></div><div><div><font face="Courier">+--------------------------------------+-------+--------+------------+-------------+------------------+</font></div><div><font face="Courier">| ID | Name | Status | Task State | Power State | Networks |</font></div><div><font face="Courier">+--------------------------------------+-------+--------+------------+-------------+------------------+</font></div><div><font face="Courier">| ec5c8d70-ae80-4cc3-a5bb-b68019170dd6 | peter | ACTIVE | - | Paused | private=10.0.0.4 |</font></div><div><font face="Courier">+--------------------------------------+-------+--------+------------+-------------+------------------+</font></div></div><div><br></div><div>Any ideas why the VM won’t start up correctly? 
I didn’t see anything on a Google search.</div><div><br></div><div>For reference, here is my local.conf currently:</div><div><br></div><div><div>[[local|localrc]]</div><div>GIT_BASE=<a href="https://github.com/">https://github.com</a></div><div>DEST=/opt/stack</div><div><br></div><div>disable_service n-net</div><div>enable_service q-svc</div><div>enable_service q-agt</div><div>enable_service q-dhcp</div><div>enable_service q-l3</div><div>enable_service q-meta</div><div>enable_service neutron</div><div>enable_service q-vpn</div><div><br></div><div># FIXED_RANGE=10.1.0.0/24</div><div># FIXED_NETWORK_SIZE=256</div><div># NETWORK_GATEWAY=10.1.0.1</div><div># PRIVATE_SUBNET_NAME=privateA</div><div><br></div><div>PUBLIC_SUBNET_NAME=public-subnet</div><div># FLOATING_RANGE=172.24.4.0/24</div><div># PUBLIC_NETWORK_GATEWAY=172.24.4.10</div><div># Q_FLOATING_ALLOCATION_POOL="start=172.24.4.11,end=172.24.4.29"</div><div># Q_USE_SECGROUP=True # was False</div><div><br></div><div># VIRT_DRIVER=libvirt</div><div>IMAGE_URLS="<a href="http://cloud-images.ubuntu.com/releases/14.04.1/release/ubuntu-14.04-server-cloudimg-amd64.tar.gz,http://download.cirros-cloud.net/0.3.3/cirros-0.3.3-x86_64-uec.tar.gz">http://cloud-images.ubuntu.com/releases/14.04.1/release/ubuntu-14.04-server-cloudimg-amd64.tar.gz,http://download.cirros-cloud.net/0.3.3/cirros-0.3.3-x86_64-uec.tar.gz</a>"</div><div><br></div><div>SCREEN_LOGDIR=/opt/stack/screen-logs</div><div>SYSLOG=True</div><div>LOGFILE=~/devstack/stack.sh.log</div><div><br></div><div>ADMIN_PASSWORD=password</div><div>MYSQL_PASSWORD=password</div><div>RABBIT_PASSWORD=password</div><div>SERVICE_PASSWORD=password</div><div>SERVICE_TOKEN=tokentoken</div><div><br></div><div>Q_USE_DEBUG_COMMAND=True</div><div><br></div><div>RECLONE=No</div><div># RECLONE=yes</div><div>OFFLINE=False</div></div><div><br></div><div>Originally, I had floating pool lines and net names, but even with all these commented out, I have the same issue with the VM (didn’t think 
they were related).</div><div><br></div><div>For this stable/juno, DevStack is using commit 817e9b6, and Neutron is using 57e8ea8.</div><div><br></div><div><br></div><div>I’ll try to play with option B some more as well, though I need to figure out how to set up the provider network correctly. If I can get time, I’ll reconfigure the bare metal setup I have in the lab to try stable/juno and then kilo reference VPN as well.</div><div><br></div><div>If anyone has done this with a VM (either one or two), using juno or kilo, please pass along your local.conf, so I can compare.</div><div><br><div apple-content-edited="true">
<div style="letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div><div>PCM (Paul Michali)</div><div><br></div><div>MAIL …..…. <a href="mailto:pcm@cisco.com">pcm@cisco.com</a></div><div>IRC ……..… pc_m (<a href="http://irc.freenode.com/">irc.freenode.com</a>)</div><div>TW ………... @pmichali</div><div>GPG Key … 4525ECC253E31A83</div><div>Fingerprint .. 307A 96BB 1A4C D2C7 931D 8D2D 4525 ECC2 53E3 1A83</div></div><div><br></div></div><br class="Apple-interchange-newline"><br class="Apple-interchange-newline">
</div>
<br></div></div></div>_______________________________________________<br>OpenStack-dev mailing list<br><a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev<br></blockquote></div><br></div></body></html>