[Openstack] [openstack-dev] [H][Neutron][IPSecVPN]Cannot tunnel two namespace Routers

Akihiro Motoki amotoki at gmail.com
Wed Sep 3 04:38:54 UTC 2014


Hi,

I did the same in the past for a demo, and it worked well.
Does the secgroup of VM2 allow connections from VM1?


On Wednesday, September 3, 2014, Germy Lure <germy.lure at gmail.com> wrote:

> Hi Stackers,
>
> Network topology like this:
> VM1(net1)--Router1-------IPSec VPN tunnel-------Router2--VM2(net2)
> If the left and right sides are deployed on different OpenStack environments, it
> works well. But in the same environment, Router1 and Router2 are namespaces
> implemented on the same network node. I cannot ping from VM1 to VM2.
>
> In R2 (Router2), the tcpdump tool tells us that R2 receives ICMP echo request
> packets but doesn't send them out.
>
> 7837C113-D21D-B211-9630-000000821800:~ # ip netns exec qrouter-4fd2e76e-37d0-4d05-b5a1-dd987c0231ef tcpdump -i any
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
> 11:50:14.853470 IP 10.10.5.2 > 10.10.5.3: ESP(spi=0xc6d65c02,seq=0x1e6), length 132
> 11:50:14.853470 IP 128.6.25.2 > 128.6.26.2: ICMP echo request, id 44567, seq 486, length 64
> 11:50:15.853475 IP 10.10.5.2 > 10.10.5.3: ESP(spi=0xc6d65c02,seq=0x1e7), length 132
> 11:50:15.853475 IP 128.6.25.2 > 128.6.26.2: ICMP echo request, id 44567, seq 487, length 64
> 11:50:16.853461 IP 10.10.5.2 > 10.10.5.3: ESP(spi=0xc6d65c02,seq=0x1e8), length 132
> 11:50:16.853461 IP 128.6.25.2 > 128.6.26.2: ICMP echo request, id 44567, seq 488, length 64
> 11:50:17.853447 IP 10.10.5.2 > 10.10.5.3: ESP(spi=0xc6d65c02,seq=0x1e9), length 132
> 11:50:17.853447 IP 128.6.25.2 > 128.6.26.2: ICMP echo request, id 44567, seq 489, length 64
> ^C
> 8 packets captured
> 8 packets received by filter
> 0 packets dropped by kernel
>
> ip addr in R2:
>
> 7837C113-D21D-B211-9630-000000821800:~ # ip netns exec qrouter-4fd2e76e-37d0-4d05-b5a1-dd987c0231ef ip addr
> 187: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN group default
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 206: qr-4bacb61c-72: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
>     link/ether fa:16:3e:23:10:97 brd ff:ff:ff:ff:ff:ff
>     inet 128.6.26.1/24 brd 128.6.26.255 scope global qr-4bacb61c-72
>     inet6 fe80::f816:3eff:fe23:1097/64 scope link
>        valid_lft forever preferred_lft forever
> 208: qg-4abd4bb0-21: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
>     link/ether fa:16:3e:e6:cd:1a brd ff:ff:ff:ff:ff:ff
>     inet 10.10.5.3/24 brd 10.10.5.255 scope global qg-4abd4bb0-21
>     inet6 fe80::f816:3eff:fee6:cd1a/64 scope link
>        valid_lft forever preferred_lft forever
>
>
> In addition, the kernel counter "/proc/net/snmp" in the namespace is
> unchanged. These counters do not work well with namespaces?
>
>
> BR,
> Germy
>