vpnaas problem:ipsec pluto not running centos 8 victoria wallaby

Bug #1938571 reported by Franck VEDEL
This bug affects 3 people
Affects: neutron
Status: In Progress
Importance: High
Assigned to: Bodo Petermann
Milestone: none set

Bug Description

Hello.
I apologize if I don't do things right to explain the bug.
I am using CentOS 8 and I install OpenStack with Kolla Ansible. Whether it is Ussuri, Victoria or Wallaby, when establishing the connection between the 2 networks (with vpnaas), the error message is as follows:
"ipsec whack --status" (no "/run/pluto/pluto.ctl")

The problem would be present with Libreswan version 4.X, which does not include the option "--use-netkey" used by the ipsec pluto command.
This option was present in Libreswan 3.X.
So the command "ipsec pluto ....." failed, so no "/run/pluto/pluto.ctl".

Tags: vpnaas
tags: added: vpnaas
Changed in neutron:
importance: Undecided → High
status: New → Triaged
Revision history for this message
Franck VEDEL (vedelf) wrote :

Hello, excuse my question, I don't know the procedure.
Can we have an idea for the correction of this bug? Will these be patches to apply? How do we know about it?
How long does it take?
Will it be present in a future version?

Thanks in advance.

Revision history for this message
Jacolex (jacolex) wrote :

Hello
It's still not working under Xena.
My workaround:

Modify in the neutron_l3_agent container:
/var/lib/kolla/venv/lib/python3.6/site-packages/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
    def start_pluto(self):
        cmd = ['pluto',
               '--use-netkey',  # delete this line
               '--uniqueids']

/var/lib/kolla/venv/lib/python3.6/site-packages/neutron_vpnaas/services/vpn/device_drivers/template/openswan/ipsec.conf.template
config setup
    #nat_traversal=yes  # comment this line out

Revision history for this message
Ian Kumlien (pomac) wrote :

--use-netkey is only available in older libreswan releases; newer versions don't support this switch.

This goes for all distros (Ubuntu, Debian, CentOS Stream, etc.).

Just remove the line.

Revision history for this message
Ian Kumlien (pomac) wrote :

New error with ipsec.conf:3 nat_traversal, which is obsolete and shouldn't be there.

With today's problem, I recommend the following:

git diff
diff --git a/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py b/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
index 90731f7a4..5b5f648b2 100644
--- a/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
+++ b/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
@@ -106,7 +106,6 @@ class LibreSwanProcess(ipsec.OpenSwanProcess):

     def start_pluto(self):
         cmd = ['pluto',
- '--use-netkey',
                '--uniqueids']

         if self.conf.ipsec.enable_detailed_logging:
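Review bot: dropping '--use-netkey' unconditionally changes behaviour on Libreswan 3.x hosts, which the bug description says still accept the flag; if 3.x is meant to stay supported, gate the argument on the installed version (for example by parsing `ipsec --version`) rather than removing it outright, otherwise say in the commit message that 3.x support is dropped. The removed line in this hunk has also lost its indentation, which suggests the diff was pasted by hand; attaching output from `git format-patch` would apply cleanly.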
diff --git a/neutron_vpnaas/services/vpn/device_drivers/template/openswan/ipsec.conf.template b/neutron_vpnaas/services/vpn/device_drivers/template/openswan/ipsec.conf.template
index 450bef517..bf06cd95d 100644
--- a/neutron_vpnaas/services/vpn/device_drivers/template/openswan/ipsec.conf.template
+++ b/neutron_vpnaas/services/vpn/device_drivers/template/openswan/ipsec.conf.template
@@ -1,6 +1,5 @@
 # Configuration for {{vpnservice.id}}
 config setup
- nat_traversal=yes
     virtual_private={{virtual_privates}}
 conn %default
     keylife=60m
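Review bot: removing nat_traversal=yes is the right fix for the `ipsec.conf:3: syntax error` shown in the log, but this template lives under template/openswan/ and LibreSwanProcess subclasses OpenSwanProcess (see the class line in the first hunk), so check whether any other driver still rendering this template needs the keyword; a one-line comment in the template noting that nat_traversal is obsolete in Libreswan 4.x would stop it being reintroduced.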

Revision history for this message
Ian Kumlien (pomac) wrote :

Reference:
https://manpages.debian.org/experimental/libreswan/ipsec.conf.5.en.html

nat_traversal

OBSOLETE. Support for NAT Traversal is always enabled.

---

log:
023-04-17 12:47:14.358 2524 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:3: syntax error, unexpected STRING [nat_traversal]

Revision history for this message
Franck VEDEL (vedelf) wrote : Re: [Bug 1938571] vpnaas problem:ipsec pluto not running centos 8 victoria wallaby

Hi.
Thanks a lot for this help.
I haven't tried Vpnaas for 18 months. I no longer know where I was. But I absolutely have to find a solution because it worked really well and it was really educational for my students.
Thanks again.

Franck VEDEL
Dép. Réseaux Informatiques & Télécoms
IUT1 - Univ GRENOBLE Alpes
0476824462
Internships, work-study, employment.

> On 17 Apr 2023 at 13:34, Ian Kumlien <email address hidden> wrote:
>
> Reference:
> https://manpages.debian.org/experimental/libreswan/ipsec.conf.5.en.html
>
> nat_traversal
>
> OBSOLETE. Support for NAT Traversal is always enabled.
>
> ---
>
> log:
> 023-04-17 12:47:14.358 2524 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:3: syntax error, unexpected STRING [nat_traversal]
>

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-vpnaas (master)
Changed in neutron:
status: Triaged → In Progress
Revision history for this message
Bodo Petermann (bpetermann) wrote :

The patch above does not try to maintain compatibility with libreswan 3.x. v4 is out for 3 years already, so I didn't try a more complicated approach to also cope with v3.

Changed in neutron:
assignee: nobody → Bodo Petermann (bpetermann)
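The patch in Ian Kumlien's comment and Jacolex's workaround both drop the two Libreswan 3.x-only settings unconditionally; the example below (added here, not neutron-vpnaas code) shows how a version-aware driver could keep both cases apart. It assumes `ipsec --version` prints a banner of the form "Linux Libreswan X.Y ..." and treats an unknown version as 4.x.

```python
import os
import re
import subprocess

# Constructed sample banner in the format `ipsec --version` is assumed to
# print on a Libreswan host (the kernel string is invented).
SAMPLE_VERSION_OUTPUT = "Linux Libreswan 4.6 (netkey) on 4.18.0-348.el8.x86_64"

def libreswan_major(version_output):
    """Return the major version from an `ipsec --version` banner, or None
    when the text does not look like a Libreswan banner."""
    m = re.search(r"Libreswan\s+(\d+)\.(\d+)", version_output)
    return int(m.group(1)) if m else None

def detect_libreswan_major(run=subprocess.run):
    """Ask the installed Libreswan for its version. Returns None if the
    `ipsec` binary is missing or the banner is unrecognised."""
    try:
        proc = run(["ipsec", "--version"], capture_output=True,
                   text=True, check=False)
    except OSError:
        return None
    return libreswan_major(proc.stdout or "")

def pluto_command(major):
    """Build the pluto argument list. 3.x accepted '--use-netkey'; 4.x
    rejects it and pluto never starts, so it is only passed on 3.x."""
    cmd = ["pluto"]
    if major is not None and major < 4:   # unknown version -> treat as 4.x
        cmd.append("--use-netkey")
    cmd.append("--uniqueids")
    return cmd

def render_config_setup(major, vpnservice_id, virtual_privates):
    """Render the `config setup` section of ipsec.conf. nat_traversal is
    obsolete in 4.x and is a parse error there, so emit it only for 3.x."""
    lines = ["# Configuration for %s" % vpnservice_id, "config setup"]
    if major is not None and major < 4:
        lines.append("    nat_traversal=yes")
    lines.append("    virtual_private=%s" % virtual_privates)
    return "\n".join(lines) + "\n"

def pluto_is_running(ctl_path="/run/pluto/pluto.ctl"):
    """The control socket exists only once pluto is up; its absence is the
    symptom behind the failing `ipsec whack --status` in this report."""
    return os.path.exists(ctl_path)
```

Checking `pluto_is_running()` right after starting pluto gives an immediate, version-independent signal that the command line was accepted.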
Revision history for this message
Franck VEDEL (vedelf) wrote : Re: [Bug 1938571] vpnaas problem:ipsec pluto not running centos 8 victoria wallaby

Thanks a lot for this.
I will try the patch as soon as possible.

Franck VEDEL
Dép. Réseaux Informatiques & Télécoms
IUT1 - Univ GRENOBLE Alpes
0476824462
Internships, work-study, employment.

> On 19 Sept 2023 at 17:46, Bodo Petermann <email address hidden> wrote:
>
> The patch above does not try to maintain compatibility with libreswan
> 3.x. v4 is out for 3 years already, so I didn't try a more complicated
> approach to also cope with v3.
>
> ** Changed in: neutron
> Assignee: (unassigned) => Bodo Petermann (bpetermann)
>
