Hi Karl,
I don't really have any good ideas, it's been years since I dealt with
VPNaaS in OpenStack, probably Rocky or something. But maybe you could
provide more details about this issue. Which OpenStack version are
you running? Has it worked in other releases and now it doesn't
anymore? Or does it work for some tunnels only or doesn't it work at
all?
Maybe you could also provide some network details as well.
Regards,
Eugen
Quoting Karl Kloppenborg <kkloppenborg@resetdata.com.au>:
> Hi Teams,
>
> Anyone able to give me a little time on this?
> I am also happy to pay for someone’s hourly rate to help in this matter.
>
> Thanks,
> Karl.
>
> From: Karl Kloppenborg <kkloppenborg@resetdata.com.au>
> Date: Sunday, 14 April 2024 at 6:57 am
> To: openstack-discuss@lists.openstack.org
> <openstack-discuss@lists.openstack.org>
> Subject: [Neutron] [VPNaaS] VMs unable to hit tunnel remote cidr
> Hi Neutron/VPNaaS teams.
>
> We run an openstack which neutron runs on the following VPNaaS setup:
> service_provider:
> VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
> L3-agent vpn_device_driver:
> neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver
>
> With Neutron running the following service plugins:
> service_plugins:
> neutron_dynamic_routing.services.bgp.bgp_plugin.BgpPlugin,neutron.services.l3_router.l3_router_plugin.L3RouterPlugin,router,vpnaas,trunk,segments,bgp
>
> And Ml2 config
> Openvswitch_agent -> Security Group -> firewall driver: openvswitch
>
> We have an IPSec tunnel up between a remote site (Fortinet device) and us.
> Computers within the remote site can reach the VMs’ internal IPs on
> OpenStack across the tunnel, however VMs from OpenStack cannot
> reach the internal network on the remote side.
>
> A traceroute from the VM to a known IP on the remote side shows the
> IP instead transiting out the router gateway.
>
> Has anyone seen this before? It looks like something isn’t being
> picked up/a route not being set.
>
> Any assistance would be greatly appreciated.
>
> Thanks,
> Karl.