Monday, 2018-03-19

*** yamamoto has joined #openstack-vpnaas 00:13
*** yamamoto has quit IRC 00:18
*** huntxu has joined #openstack-vpnaas 00:44
*** yamamoto has joined #openstack-vpnaas 01:13
*** yamamoto has quit IRC 01:19
*** yamamoto has joined #openstack-vpnaas 01:41
*** hoangcx has joined #openstack-vpnaas 01:54
*** ChanServ sets mode: +o hoangcx 01:54
*** dsteuww[m] has joined #openstack-vpnaas 03:36
*** dsteuww[m] has quit IRC 03:36
*** openstackgerrit has joined #openstack-vpnaas 03:58
openstackgerrit Merged openstack/neutron-vpnaas master: Avoid tox-install.sh  https://review.openstack.org/553056 03:58
hoangcx huntxu: ping 04:31
hoangcx huntxu: I am testing with https://review.openstack.org/#/c/547347/ 04:31
hoangcx huntxu: Having a problem as follows:  http://paste.openstack.org/show/704080/ 04:32
hoangcx huntxu: Did you meet this problem before or have you tested with latest neutron? 04:32
hoangcx huntxu: thanks 04:32
openstackgerrit Merged openstack/neutron-vpnaas master: Updated from global requirements  https://review.openstack.org/552361 05:00
openstackgerrit Merged openstack/neutron-vpnaas master: use plugin common utils from neutron-lib  https://review.openstack.org/550992 05:16
huntxu hoangcx: no, I didn't meet it before, the addconn exit code 5 is new to me 05:37
hoangcx huntxu: I wonder whether it is affected by recent wire community change? 05:39
hoangcx huntxu: Re: [openstack-dev] [horizon][neutron][kolla] tools/tox_install changes - breakage with constraints 05:40
hoangcx amotoki: ^^ 05:40
huntxu hoangcx: I guess not, looks like it should be a problem of libreswan itself 05:40
huntxu hoangcx: I'll update my setup to the newest and see whether I can reproduce this 05:41
hoangcx huntxu: I think so, as it shows the problem with "nat_traversal" that is included in the patch 05:41
hoangcx huntxu: I see. thank you. 05:42
huntxu hoangcx: the nat_traversal part is a bit misleading, it is just a warning and it doesn't matter in my previous tests 05:43
huntxu hoangcx: the exit code 5 is what caused the ProcessExecutionError 05:43
hoangcx huntxu: +1 05:44
hoangcx huntxu: will wait for your update on it. Thanks again 05:44
hoangcx huntxu: note that I have just tested with default auth algorithm of ike and ipsec (not tested with sha384/sha512 yet) 05:46
*** openstackgerrit has quit IRC 05:49
huntxu hoangcx: ok, I'll keep using the defaults (as I always do, just copying the simplest commands from the devstack doc) 05:50
hoangcx huntxu: +1 This script (need to update for OSC later) is used for quick test https://git.openstack.org/cgit/openstack/neutron-vpnaas/tree/tools/test_script.sh 05:52
huntxu hoangcx: ping, still around? 06:36
huntxu hoangcx: would you try to update the test_script.sh with a stronger secret and see whether it will work normally 06:36
hoangcx huntxu: You mean   neutron ipsec-site-connection-create --name conn_west --vpnservice-id vpn_west --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address $EAST_IP --peer-id $EAST_IP --peer-cidr $EAST_SUBNET --psk secret 06:38
hoangcx huntxu: the --psk option? 06:38
huntxu hoangcx: yes, I use "--psk Not@wEAK5ecreT" 06:38
hoangcx huntxu: 06:39
hoangcx huntxu: OK. I will try 06:39
hoangcx huntxu: hi 07:36
hoangcx huntxu: It works with stronger --psk :) But still need to address for "nat_travelse" thing 07:37
hoangcx huntxu: logged here http://paste.openstack.org/show/704247/ Maybe you also see this 07:37
huntxu hoangcx: yes, I also observed that. Seems the root cause of the previous problem is in fact 'ipsec whack --listen' failed with an exit code 3. With a stronger psk the connection will work well 07:39
hoangcx huntxu: +1 07:39
huntxu hoangcx: we have a workaround for openswan, https://github.com/openstack/neutron-vpnaas/blob/master/neutron_vpnaas/services/vpn/device_drivers/ipsec.py#L646-L653 07:40
huntxu hoangcx: I'll add that to libreswan too, and try to deal with the addconn failure. 07:40
hoangcx huntxu: Awesome. Thank you for working on it. 07:41
*** openstackgerrit has joined #openstack-vpnaas 07:49
openstackgerrit Hunt Xu proposed openstack/neutron-vpnaas master: Make libreswan driver work with recent versions  https://review.openstack.org/547347 07:49
huntxu hoangcx: ^^ this should handle the weak secret scenario. I will continue to work on the addconn one 07:51
hoangcx huntxu: ++ Thanks 07:51
huntxu hoangcx: The strange thing is that only one addconn error is observed whilst in fact it is called twice. 07:51
hoangcx huntxu: No, it is twice in my env 07:52
hoangcx huntxu: :p 07:52
huntxu hmm, will see whether it is related to the commandline parameters, if so, we can simply drop those parameters as they are ignored anyway 07:53
hoangcx huntxu: let's propose it and see what others think : 07:55
hoangcx huntxu: I'm ok with that. But if so, sometimes a weak psk is used without any notice and maybe not safe 07:56
huntxu hoangcx: the warning message will still be logged by pluto and l3-agent 07:59
hoangcx huntxu: ++ 08:00
openstackgerrit Cao Xuan Hoang proposed openstack/neutron-vpnaas master: Remove unmaintained drivers  https://review.openstack.org/543394 08:17
*** E9TGE4quite has joined #openstack-vpnaas 09:47
*** E9TGE4quite has quit IRC 09:47
openstackgerrit Hunt Xu proposed openstack/neutron-vpnaas master: Make libreswan driver work with recent versions  https://review.openstack.org/547347 09:59
*** hoangcx has quit IRC 10:08
huntxu hoangcx: ^^ I keep trying the whole afternoon, only the later added connection(conn_west) will hit the exit code 5 error. I don't know why :/ 10:08
*** yamamoto has quit IRC 10:16
*** yamamoto has joined #openstack-vpnaas 11:02
*** ydribe has joined #openstack-vpnaas 11:55
*** huntxu has quit IRC 13:03
*** yamamoto has quit IRC 13:08
*** yamamoto has joined #openstack-vpnaas 13:45
*** yamamoto_ has joined #openstack-vpnaas 13:48
*** yamamoto has quit IRC 13:52
*** yamamoto_ has quit IRC 14:30
*** yamamoto has joined #openstack-vpnaas 14:46
*** yamamoto has quit IRC 14:51
*** yamamoto has joined #openstack-vpnaas 15:04
*** yamamoto has quit IRC 16:23
*** openstackgerrit has quit IRC 18:48
*** quasisaneIDPYTT has joined #openstack-vpnaas 19:30
*** yamamoto has joined #openstack-vpnaas 23:27
