[Neutron] [VPNaaS] VMs unable to hit tunnel remote cidr
Hi Neutron/VPNaaS teams.

We run an OpenStack in which Neutron runs with the following VPNaaS setup:

service_provider: VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
L3-agent vpn_device_driver: neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver

With Neutron running the following service plugins:

service_plugins: neutron_dynamic_routing.services.bgp.bgp_plugin.BgpPlugin,neutron.services.l3_router.l3_router_plugin.L3RouterPlugin,router,vpnaas,trunk,segments,bgp

And ML2 config: Openvswitch_agent -> Security Group -> firewall driver: openvswitch

We have an IPsec tunnel up between a remote site (Fortinet device) and us. Computers within the remote site can reach the VMs' internal IPs on OpenStack across the tunnel; however, VMs from OpenStack cannot reach the internal network on the remote side.

A traceroute from the VM to a known IP on the remote side shows the IP instead transiting out the router gateway.

Has anyone seen this before? It looks like something isn't being picked up / a route not being set.

Any assistance would be greatly appreciated.

Thanks,
Karl.
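One thing an operator can check for the symptom above is whether the router namespace actually holds an outbound IPsec policy for the VM-to-remote flow: if no `dir out` policy matches, the kernel forwards the packet by the ordinary routing table, which is what a traceroute leaving via the router gateway looks like. The helper below is an added example, not code from this thread or from neutron-vpnaas; it parses the output of `ip netns exec qrouter-<ROUTER_ID> ip xfrm policy show` (the router id is a placeholder) and the sample dump and every address in it are constructed.

```python
import ipaddress
import re

# Constructed sample of `ip netns exec qrouter-<ROUTER_ID> ip xfrm policy show`
# output in the layout iproute2 prints; all addresses are made up for this example.
# 10.10.0.0/24 plays the tenant subnet, 192.168.50.0/24 the remote site's CIDR.
SAMPLE_XFRM_POLICY = """\
src 10.10.0.0/24 dst 192.168.50.0/24
\tdir out priority 383615 ptype main
\ttmpl src 203.0.113.10 dst 198.51.100.20
\t\tproto esp reqid 1 mode tunnel
src 192.168.50.0/24 dst 10.10.0.0/24
\tdir fwd priority 383615 ptype main
\ttmpl src 198.51.100.20 dst 203.0.113.10
\t\tproto esp reqid 1 mode tunnel
src 192.168.50.0/24 dst 10.10.0.0/24
\tdir in priority 383615 ptype main
\ttmpl src 198.51.100.20 dst 203.0.113.10
\t\tproto esp reqid 1 mode tunnel
"""

# Selector line followed by its direction line; "socket in/out" entries have no
# "dir" keyword and are deliberately skipped.
POLICY_RE = re.compile(r"^src (\S+) dst (\S+)[ \t]*\n\s+dir (\w+)", re.MULTILINE)

def parse_policies(text):
    """Return (src_net, dst_net, direction) for every policy in the dump."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d), direction)
            for s, d, direction in POLICY_RE.findall(text)]

def covering_directions(text, src_ip, dst_ip):
    """Directions of all policies whose selector matches a src_ip -> dst_ip flow."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return sorted({direction for sn, dn, direction in parse_policies(text)
                   if s in sn and d in dn})

def diagnose(text, vm_ip, remote_ip):
    """Check both halves of the tunnel for one VM -> remote-host flow.
    Without a matching 'dir out' policy the kernel never hands the packet to the
    ESP SA and forwards it by the plain routing table, i.e. out the gateway."""
    forward = covering_directions(text, vm_ip, remote_ip)
    back = covering_directions(text, remote_ip, vm_ip)
    return {"out_policy": "out" in forward,
            "return_policy": "in" in back and "fwd" in back}

def drop_direction(text, direction):
    """Constructed failure case: strip every policy of one direction from a dump."""
    blocks = re.split(r"(?m)^(?=src )", text)
    return "".join(b for b in blocks if f"dir {direction} " not in b)
```

Feed `diagnose()` the real dump plus the VM's address and the traceroute target; `out_policy: False` with `return_policy: True` reproduces exactly the one-way pattern described in the post (remote side can reach the VMs, VMs cannot reach the remote side).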
Hi Teams,

Anyone able to give me a little time on this? I am also happy to pay for someone's hourly rate to help in this matter.

Thanks,
Karl.

From: Karl Kloppenborg <kkloppenborg@resetdata.com.au>
Date: Sunday, 14 April 2024 at 6:57 am
To: openstack-discuss@lists.openstack.org <openstack-discuss@lists.openstack.org>
Subject: [Neutron] [VPNaaS] VMs unable to hit tunnel remote cidr
Hi Karl,

I don't really have any good ideas, it's been years since I dealt with VPNaaS in OpenStack, probably Rocky or something. But maybe you could provide more details about this issue. Which OpenStack version are you running? Has it worked in other releases and now it doesn't anymore? Or does it work for some tunnels only, or doesn't it work at all? Maybe you could also provide some network details as well.

Regards,
Eugen
Hi Eugen,

That's okay, this is OpenStack 2023.2, and it appears this issue only came along after we changed from the iptables hybrid OVS firewall driver to the OVS driver.

We're trying to migrate to OVN as part of a because change set.

Do you know if VPNaaS has compatibility problems with OVN as well?

We're going to deploy VPN VMs for the moment to get around this issue.

Thanks,
Karl.

From: Eugen Block <eblock@nde.ag>
Date: Monday, 22 April 2024 at 5:50 pm
To: openstack-discuss@lists.openstack.org <openstack-discuss@lists.openstack.org>
Subject: Re: [Neutron] [VPNaaS] VMs unable to hit tunnel remote cidr
Hey,

The VPNaaS implementation is completely different for OVN, just in case, as it needs to have an IP separate from the logical router IP, so I have no idea if migration is possible and how it's gonna look, as either the router or the VPN IP must change. And it is also implemented as a standalone agent, and the neutron plugin name should be ovn-vpnaas instead of vpnaas.

Moreover, OVN support for VPNaaS had landed only for 2024.1: https://review.opendev.org/c/openstack/neutron-vpnaas/+/765353

I played with it a while in our OVN sandbox and it worked nicely on 2024.1, just in case.

On Tue, Apr 23, 2024, 07:13 Karl Kloppenborg <kkloppenborg@resetdata.com.au> wrote: