[openstack-dev] VPNaaS site to site connection down.

masoom alam masoom.alam at gmail.com
Mon Sep 29 05:38:58 UTC 2014


Hi Germy,

We cannot ping the public interface of the 2nd devstack setup (devstack
West). From our Cirros instance (first devstack -- devstack East), we can
ping our own public IP, but cannot ping the other public IP. I think the
problem lies here: if we are reaching the devstack West, how can we make a
VPN connection?

Our topology looks like:

CirrOS ---> Qrouter ---> Public IP ------- Public IP ---> Qrouter ---> CirrOS
_________________________________         _________________________________
          devstack EAST                             devstack WEST


Also, it is important to note that we are not able to ssh to the instance's
private IP without *sudo ip netns qrouter id*, so this means we cannot even
ssh with the floating IP.


It seems there is a problem in the firewall or iptables.

Please guide.



On Sunday, September 28, 2014, Germy Lure <germy.lure at gmail.com> wrote:

> Hi,
>
> masoom:
> I think firstly you can just check whether you can ping from left to
> right without installing the VPN connection.
> If it works, then you should cat the system logs to confirm the
> configuration is OK.
> You can use ping and tcpdump to diagnose where packets are blocked.
>
> stackers:
> I think we should provide a mechanism to show the cause when a
> vpn-connection is down. At least, we could extend an attribute to explain
> this. Maybe the VPN-incubator project is a chance?
>
> BR,
> Germy
>
>
> On Sat, Sep 27, 2014 at 7:04 PM, masoom alam <masoom.alam at gmail.com>
> wrote:
>
>> Hi everyone,
>>
>> I am trying to establish the VPN connection using the neutron
>> ipsec-site-connection-create command:
>>
>> neutron ipsec-site-connection-create --name vpnconnection1 --vpnservice-id myvpn --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address 172.24.4.233 --peer-id 172.24.4.233 --peer-cidr 10.2.0.0/24 --psk secret
>>
>>
>> For the --peer-address I am giving the public interface of the other
>> devstack node. Please note that my two devstack nodes are on different
>> public addresses, so the scenario is a little different from the one
>> described here: https://wiki.openstack.org/wiki/Neutron/VPNaaS/HowToInstall
>>
>> The --peer-id is the IP address of the Qrouter connected to the public
>> interface. With this configuration, I am not able to bring up the VPN
>> site-to-site connection. Do you think it's a firewall issue? I have
>> disabled both firewalls with sudo ufw disable. Any help in this regard?
>> Am I giving the correct parameters?
>>
>> Thanks
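
The ping-and-tcpdump check suggested in the thread, as an added example that is not part of the original messages: a shell function that reads `tcpdump -nn` text output and reports in which direction traffic to the peer stops. The peer address 172.24.4.233 comes from the thread; the local address 172.24.4.2, the sample capture lines and the function name `vpn_path_verdict` are constructed for illustration.

```shell
#!/bin/sh
# Added example. Classify `tcpdump -nn` text output by direction relative to
# the VPN peer. A capture could be taken inside the router namespace with
#   sudo ip netns exec qrouter-<ROUTER_ID> tcpdump -nn host <PEER> and \
#        '(icmp or udp port 500 or udp port 4500)'
# Usage: vpn_path_verdict PEER_IP < capture.txt
vpn_path_verdict() {
    awk -v peer="$1" '
    # Drop a trailing ":" and, for UDP endpoints, the ".port" suffix.
    function host(ep,   n, p) {
        sub(/:$/, "", ep)
        n = split(ep, p, ".")
        return (n == 5) ? p[1] "." p[2] "." p[3] "." p[4] : ep
    }
    {
        # Find the "IP" token so lines with an interface prefix
        # (tcpdump -i any) parse the same way as plain ones.
        for (i = 1; i <= NF; i++) if ($i == "IP") break
        if (i + 3 > NF || $(i + 2) != ">") next
        src = host($(i + 1)); dst = host($(i + 3))
        if (dst == peer) tx++            # we sent something to the peer
        else if (src == peer) rx++       # the peer sent something to us
    }
    END {
        if (tx == 0 && rx == 0) print "no-traffic"   # nothing leaves this side
        else if (rx == 0)       print "no-reply"     # dropped on path or at peer
        else if (tx == 0)       print "inbound-only" # local side never answers
        else                    print "two-way"      # path is fine, check logs
    }'
}

# Constructed sample captures (not real traffic from the thread).
SAMPLE_NO_REPLY='05:30:01.000001 IP 172.24.4.2 > 172.24.4.233: ICMP echo request, id 1, seq 1, length 64
05:30:02.000001 IP 172.24.4.2.500 > 172.24.4.233.500: isakmp: phase 1 I ident'
SAMPLE_TWO_WAY="$SAMPLE_NO_REPLY
05:30:02.100001 IP 172.24.4.233.500 > 172.24.4.2.500: isakmp: phase 1 R ident"

printf '%s\n' "$SAMPLE_NO_REPLY" | vpn_path_verdict 172.24.4.233
printf '%s\n' "$SAMPLE_TWO_WAY"  | vpn_path_verdict 172.24.4.233
```

A `no-reply` or `no-traffic` verdict points at routing, security groups or iptables before any IPsec setting; `two-way` means the path works and the IKE/PSK configuration and logs are the next place to look.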