mirror of
https://github.com/apache/cloudstack.git
synced 2025-10-26 08:42:29 +01:00
Updated StrongSwan VPN Implementation

This PR is a merge of @jayapalu's changes in #872 and the changes I had to make to get the functionality working. I have done pretty extensive testing of this code so far and we are looking to be in pretty good shape.

One thing to note is that a `Diffie-Hellman` group **is required** in order for this feature to work correctly. It is not highlighted in the tests below, but I have shown that the `PFS` is not required for this feature to work.

In #872 I have shown a more exhaustive set of tests of this code, but I have limited this set of tests to a recommended `IKE` and `ESP` configuration in order to reduce the noise and test the other areas of functionality.

**Test Results**

I am testing this functionality by creating two VPCs with VMs in each and creating an S2S VPN connection between the two VPCs. Then I SSH into a VM in one VPC and I ping the private IP of a VM in the other VPC. Then I tear it down and try a different configuration.

_Setup_

```
VPC 1                      VPC 2
=====                      =====
VPN Gateway                VPN Gateway
VPN Customer Gateway       VPN Customer Gateway
VPN Connection    <--->    VPN Connection
- Passive = True           - Passive = False
```

_Legend_

- `SKIP` => At least one of the VPN Connections did not come up, so no test was run.
- `OK` => The ping test was successful over the S2S VPN connection.
- `FAIL` => The ping test failed over the S2S VPN connection.
- `Passive` => Specifies whether either of the `<vpc_1> : <vpc_2>` sides of the VPN Connection is set to passive.
- `Conn State` => Specifies the connection status of the `<vpc_1> : <vpc_2>` VPN Connection in the UI.
- `Requires Reset` => If the ping test does not result in an `OK`, then a VPN Connection Reset is performed on either of the `<vpc_1> : <vpc_2>` sides of the VPN Connection based on which side is not showing `Connected`. The results in the `Status` column are the final result after the reset is performed.

_Results_

```
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| Status | IKE & ESP            | DPD   | Encap | IKE Life | ESP Life | Passive       | Conn State                  | Requires Reset |
+========+======================+=======+=======+==========+==========+===============+=============================+================+
| OK     | aes128-sha1;modp1536 | True  | False | 86400    | 3600     | True : False  | Disconnected : Connected    | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | True  | True  | 86400    | 3600     | True : False  | Disconnected : Connected    | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | True  | False |          | 3600     | True : False  | Disconnected : Connected    | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | True  | False | 86400    |          | True : False  | Disconnected : Connected    | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | True  | False |          |          | True : False  | Disconnected : Connected    | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | True  | False | 86400    | 3600     | False : False | Connected : Connected       | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | True  | False | 86400    | 3600     | True : True   | Disconnected : Disconnected | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | True  | False | 86400    | 3600     | False : True  | Connected : Disconnected    | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | False | False | 86400    | 3600     | False : False | Connected : Connected       | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | False | False | 86400    | 3600     | True : False  | Disconnected : Connected    | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | False | False | 86400    | 3600     | True : True   | Disconnected : Disconnected | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK     | aes128-sha1;modp1536 | False | False | 86400    | 3600     | False : True  | Connected : Disconnected    | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| SKIP   | aes128-sha1          | True  | False | 86400    | 3600     | True : False  | Disconnected : Error        | True : False   |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| SKIP   | aes128-sha1          | False | False | 86400    | 3600     | True : False  | Disconnected : Error        | True : False   |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| FAIL   | aes128-sha1          | True  | False | 86400    | 3600     | True : True   | Disconnected : Disconnected | True : True    |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| SKIP   | aes128-sha1          | True  | False | 86400    | 3600     | False : False | Connected : Error           | False : False  |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
```

* pr/1741: complete implementation of the StrongSwan VPN feature

Signed-off-by: Rajani Karuturi <rajani.karuturi@accelerite.com>
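The test table above makes one point that is easy to lose in the noise: every `aes128-sha1` row without a `modp` group ends in `Error` or `FAIL`, while every `aes128-sha1;modp1536` row comes up, and PFS (a group on the ESP side) is optional. The following is an added example, not CloudStack's systemvm code or anything from the PR: it parses policy strings in the `<enc>-<hash>[;<dhgroup>]` form the table uses, rejects an IKE policy with no Diffie-Hellman group before it ever reaches strongSwan, and renders the `ike=`/`esp=` proposals plus lifetimes, DPD and encapsulation as ipsec.conf `conn` lines. The ipsec.conf keywords are strongSwan's; the connection name, the 30 s DPD delay, IKEv1 as the key exchange, and the mapping of CloudStack's passive flag to `auto=add`/`auto=start` are assumptions made for the demo.

```python
"""Validate CloudStack-style S2S VPN policy strings and render strongSwan
ipsec.conf proposals.  Added example; not CloudStack's own code."""
import re

# Subset of the DH group names strongSwan accepts inside an ike=/esp= proposal.
DH_GROUPS = {
    "modp768", "modp1024", "modp1536", "modp2048", "modp3072",
    "modp4096", "modp6144", "modp8192", "ecp256", "ecp384", "ecp521",
}
MIN_MODP_BITS = 2048  # common floor for MODP groups today; smaller ones get a warning

_POLICY_RE = re.compile(
    r"^(?P<enc>[a-z0-9]+)-(?P<integ>[a-z0-9]+)(?:;(?P<dh>[a-z0-9]+))?$"
)


def parse_policy(policy):
    """Split 'aes128-sha1;modp1536' into encryption, integrity and DH parts.

    The DH part is None when the string carries no ';<group>' suffix."""
    m = _POLICY_RE.match(policy.strip().lower())
    if not m:
        raise ValueError("malformed policy string: %r" % policy)
    parts = m.groupdict()
    if parts["dh"] is not None and parts["dh"] not in DH_GROUPS:
        raise ValueError("unknown DH group %r in %r" % (parts["dh"], policy))
    return parts


def _proposal(parts):
    """Render parsed parts as a strict strongSwan proposal (trailing '!')."""
    pieces = [parts["enc"], parts["integ"]]
    if parts["dh"]:
        pieces.append(parts["dh"])
    return "-".join(pieces) + "!"


def ike_proposal(policy):
    """Phase 1 proposal.  A DH group is mandatory: the PR's table shows the
    group-less 'aes128-sha1' never comes up, so fail here instead of in the UI."""
    parts = parse_policy(policy)
    if not parts["dh"]:
        raise ValueError("IKE policy %r has no Diffie-Hellman group" % policy)
    return _proposal(parts)


def esp_proposal(policy):
    """Phase 2 proposal.  The DH group is optional; when present it enables PFS."""
    return _proposal(parse_policy(policy))


def dh_warnings(policy):
    """Non-fatal advice: flag MODP groups below MIN_MODP_BITS."""
    dh = parse_policy(policy)["dh"]
    if dh and dh.startswith("modp") and int(dh[4:]) < MIN_MODP_BITS:
        return ["%s is below %d bits; prefer modp2048 or an ECP group"
                % (dh, MIN_MODP_BITS)]
    return []


def render_conn(name, ike, esp, ikelifetime=None, lifetime=None,
                dpd=False, encap=False, passive=False):
    """Build the ipsec.conf 'conn' section for one S2S connection.

    Unset lifetimes are omitted so strongSwan's defaults apply, which is what
    the blank 'IKE Life'/'ESP Life' cells in the PR's table exercise."""
    lines = [
        "conn %s" % name,
        "  keyexchange=ikev1",            # assumed; use ikev2 if the peer supports it
        "  ike=%s" % ike_proposal(ike),   # raises if no DH group
        "  esp=%s" % esp_proposal(esp),
    ]
    if ikelifetime is not None:
        lines.append("  ikelifetime=%ds" % ikelifetime)
    if lifetime is not None:
        lines.append("  lifetime=%ds" % lifetime)
    # Dead peer detection: probe the peer and rebuild the tunnel if it vanishes.
    lines.append("  dpdaction=%s" % ("restart" if dpd else "none"))
    if dpd:
        lines.append("  dpddelay=30s")    # assumed interval
    if encap:
        lines.append("  forceencaps=yes") # UDP-encapsulate ESP even with no NAT detected
    # Assumed mapping: the passive side only loads the conn and waits (auto=add),
    # the active side initiates (auto=start).
    lines.append("  auto=%s" % ("add" if passive else "start"))
    return lines


if __name__ == "__main__":
    # First row of the PR's table, VPC 1 side (passive), as constructed input.
    for warning in dh_warnings("aes128-sha1;modp1536"):
        print("warning:", warning)
    print("\n".join(render_conn("vpc1-to-vpc2", "aes128-sha1;modp1536",
                                "aes128-sha1", 86400, 3600,
                                dpd=True, encap=False, passive=True)))
```

Run the module directly to see the `conn` block for the table's first row; feeding it the `aes128-sha1` IKE policy from the `SKIP`/`FAIL` rows raises a `ValueError` instead of producing a tunnel that never negotiates.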
####################################################
Note there is a new systemvm build script based on
Veewee(Vagrant) under tools/appliance.
####################################################
1. The buildsystemvm.sh script builds a 32-bit system VM disk based on the Debian Squeeze distro. This system VM can boot on any hypervisor thanks to the pvops support in the kernel. The build is fully automated.
2. The files under config/ are the specific tweaks to the default Debian configuration that are required for CloudStack operation.
3. The variables at the top of the buildsystemvm.sh script can be customized:
IMAGENAME=systemvm # don't touch this
LOCATION=/var/lib/images/systemvm # directory on the host where the raw image file is written
MOUNTPOINT=/mnt/$IMAGENAME/ # this is where the image is mounted on your host while the VM image is built
IMAGELOC=$LOCATION/$IMAGENAME.img
PASSWORD=password # password for the VM; change it before building an image you intend to deploy
APT_PROXY= # optional; you can put in an APT cacher such as apt-cacher-ng
HOSTNAME=systemvm # don't touch this
SIZE=2000 # don't touch this for now
DEBIAN_MIRROR=ftp.us.debian.org/debian
MINIMIZE=true # if this is true, a lot of docs, fonts, locales and the apt cache are wiped out
4. The system VM includes the (non-free) Sun JRE. You can put in the standard Debian jre-headless package instead, but it pulls in X and bloats the image.
5. You need to be 'root' to run the buildsystemvm.sh script (it mounts the image at MOUNTPOINT on your host).
6. The image is a raw image. You can run the convert.sh tool to produce images suitable for Citrix XenServer, VMware and KVM.
* Conversion to Citrix XenServer VHD format requires the vhd-util tool. You can either
-- use the checked-in config/bin/vhd-util, OR
-- build the vhd-util tool yourself as follows:
a. The Xen repository has a tool called vhd-util that compiles and runs on any Linux system (http://xenbits.xensource.com/xen-4.0-testing.hg?file/8e8dd38374e9/tools/blktap2/vhd/ or full Xen source at http://www.xen.org/products/xen_source.html).
b. Apply this patch: http://lists.xensource.com/archives/cgi-bin/mesg.cgi?a=xen-devel&i=006101cb22f6%242004dd40%24600e97c0%24%40zhuo%40cloudex.cn.
c. Build and install the vhd-util tool:
cd tools/blktap2
make
sudo make install
* Conversion to OVA (VMware) requires the ovf tool, available from
http://communities.vmware.com/community/vmtn/server/vsphere/automationtools/ovf
* Conversion to QCOW2 (KVM) requires qemu-img.