[RFE] Adding the "rekey" parameter to the api for strongswan like "dpd_action"

Bug #1979044 reported by Mehmet TOPCU
This bug affects 1 person
Affects: neutron
Status: New
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none)

Bug Description

Adding the rekey parameter to the api for strongswan like dpd_action

1. When using the strongswan driver on some devices, it is mandatory to define rekey=no for the ipsec connection.

2. Other than that, rekey=yes is mandatory for vpnaas to vpnaas.

3. For this reason, it seems like a necessary feature that the rekey parameter can be defined with the api request.

Sample
dpdaction={{ipsec_site_connection.dpd_action}} parameter is defined in strongswan/ipsec.conf.template file.

Thank you in advance for your answers.

Tags: rfe vpnaas
Miguel Lavalle (minsel)
summary: - Adding the "rekey" parameter to the api for strongswan like "dpd_action"
+ [RFE] Adding the "rekey" parameter to the api for strongswan like
+ "dpd_action"
Changed in neutron:
importance: Undecided → Medium
Miguel Lavalle (minsel)
Changed in neutron-vpnaas-dashboard:
status: New → Invalid
no longer affects: neutron-vpnaas-dashboard
Changed in neutron:
importance: Medium → Wishlist
Lajos Katona (lajos-katona) wrote :

As this is an RFE for neutron-vpnaas, we will discuss this during the next drivers meeting (Friday, 14:00 UTC, https://meetings.opendev.org/#Neutron_drivers_Meeting ).

tags: added: rfe
tags: added: vpnaas
Mohammed Naser (mnaser) wrote :

Hi there,

We discussed this issue today in the neutron meeting and we came to the conclusion that we wanted to understand what the reasoning is behind you wanting to disable this option. While looking into all of the other different site-to-site VPN services, none of them seem to actually offer the ability to disable rekeying, and on paper it seems that disabling rekeying doesn’t sound like a good idea.

Can you please provide some more explanations on this?

Thanks

Lajos Katona (lajos-katona) wrote :

Mehmet TOPCU (mehmettopcu) wrote :

Hi there,

Sorry for replying late.
Basically, my problem was the VPN connection problem with the Juniper devices.
Strongswan wants to call the rekey job for CHILD_SA every 20 minutes after the connection starts. The problem occurs when strongswan calls the rekey job for CHILD_SA. The connection is active, but there is no traffic (ping or mtr). In different tests, the rekey=no option was solving the problem. However, as I mentioned in the Description, this cannot be a default option between two openstack private networks.

After reporting the problem to you, I continued my investigations. I kept trying different ipsec parameters. I was using IKEv2 when this issue occurred. The same problem did not occur when I used IKEv1.

My conclusion is that Juniper devices and strongswan (just with multi-subnets or Traffic-selectors) do not agree with the IKEv2 protocol.

Ref: https://wiki.strongswan.org/issues/945
I'm sorry if I took up your precious time.
