15:02:12 <pc_m> #startmeeting vpnaas
15:02:12 <openstack> Meeting started Tue Jan 13 15:02:12 2015 UTC and is due to finish in 60 minutes.  The chair is pc_m. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:13 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:02:13 <dhruvdhody> hi
15:02:15 <openstack> The meeting name has been set to 'vpnaas'
15:02:45 <pc_m> dhruvdhody: hi
15:03:09 <pc_m> Don't have too much on the agenda today...
15:03:09 <numan> hi
15:03:22 <pc_m> numan: hi
15:03:30 <pc_m> #topic Announcements
15:04:00 <pc_m> Please take a look at the open bugs/BPs for VPN and review.
15:04:23 <pc_m> Does anyone have any other announcements?
15:05:17 <pc_m> #topic Bugs
15:05:36 <pc_m> Here's the current set: #link https://review.openstack.org/#/q/status:open+project:openstack/neutron-vpnaas,n,z
15:06:26 <matrohon> I'm really interested in https://review.openstack.org/#/c/144391/
15:06:31 <pc_m> Are there any that people have questions on, or would like to discuss?
15:06:47 <matrohon> using strongswan instead of openswan
15:07:00 <pc_m> matrohon: Yes will be a nice addition.
15:07:22 <pc_m> I need to go over the latest version.
15:07:27 <matrohon> I don't know if it will become the default implementation
15:07:50 <pc_m> matrohon: It probably should. Seems much more capable.
15:08:09 <pc_m> One concern I have (not specifically with this bug) is that there is no scenario test coverage for VPNaaS.
15:08:22 <matrohon> AFAIK redhat was blocking the adoption of strongswan since it is not packaged with RHOS
15:08:41 <matrohon> I don't know the current status of strongswan in RHOS
15:09:26 <matrohon> concerning scenario test I think that jschwarz is developing a very interesting framework for such tests
15:09:34 <pc_m> I *think* someone mentioned that there is support for it now.
15:09:47 <matrohon> https://review.openstack.org/#/c/123000/
15:10:13 <matrohon> this allows us to run multiple agents for a functional test
15:10:51 <pc_m> Looks interesting.
15:10:54 <matrohon> so I think we could run two l3agent and create a VPN connection between them
15:11:17 <matrohon> with the scenario A) that you mentioned in previous meeting
15:11:32 <pc_m> I have been able to get VPN IPSec connection working between two routers on a single Devstack setup.
15:11:45 <matrohon> congrats!!
15:12:22 <numan> pc_m, that's great. can you share the steps in mailing list or in a blog :)
15:12:53 <matrohon> It would be interesting to update the wiki with the config you used
15:12:58 <pc_m> I have a few other variants (like two VMs running DevStack and a network between for VPN) using Virtualbox.
15:13:19 <pc_m> numan: matrohon: Yes, I'll update the how-to page on the wiki.
15:13:32 <numan> pc_m, thanks
15:13:32 <matrohon> I think one VM is much more interesting for functional test
15:13:52 <pc_m> #action pc_m to update the How To Wiki page with info on how to run VPN with single devstack/two routers, and two devstacks.
15:14:13 <matrohon> pc_m : great thanks
15:14:34 <pc_m> Only place I've been hung up on, is trying to do VPN with OoO.
15:15:01 <pc_m> I have a private cloud at work, and have been trying to spin up two VMs with Devstack on each and a network connecting the VMs.
15:15:24 <pc_m> Having issues getting pings between the two VMs over the network to work. Not sure what is wrong.
15:15:48 <matrohon> Security group allows ESP packets?
15:17:03 <pc_m> matrohon: Even just basic connectivity. I spin up devstack in each VM, with OVS_PHYSICAL_BRIDGE=br-ex and PUBLIC_INTERFACE=eth1, just like I do with VirtualBox.
15:17:20 <pc_m> I cannot ping the IP of the other end's br-ex or router1 public interface.
15:17:42 <pc_m> So haven't even gotten to try the VPN connection.
15:19:41 <pc_m> IOW, on the private cloud, I created a second network (no DHCP), created two VMs and used two NICs, one for this network that is used as the "public" net between the two VMs, and then spun up DevStack on each.
15:20:12 <pc_m> Used the same setup I use with two VMs running under VirtualBox.  Can't seem to get the VMs to ping across that network.
15:20:37 <pc_m> Seems to be something with OoO or I'm missing something.
15:20:59 <pc_m> If anyone has ideas, let me know.
15:21:16 <matrohon> the underlying cloud might block packets because of MAC/IP anti spoofing rules created by nova/libvirt
15:21:31 <pc_m> In any case, I do have a single VM and two VM setup working with VirtualBox.
15:22:19 <pc_m> matrohon: How can I check if that is the case?
15:23:12 <matrohon> packets that go out from the VM have to match the MAC/ip allocated by neutron
15:24:32 <matrohon> I'm not sure it's the root cause of the issue... just an idea...
15:25:47 <pc_m> matrohon: Hmmm. It's possible. One thing I did notice, was that even though this network has DHCP off, in Horizon I see an IP assigned to the NIC on each VM.
15:26:34 <pc_m> Not sure how to avoid that (as I didn't specify it).
15:26:50 <matrohon> This is the IP allocated by Neutron I think. you can try to manually configure eth1 on each VM and try the ping
15:27:25 <matrohon> I mean configure eth1 with the allocated IP
15:27:37 <pc_m> matrohon: yeah I could try that.
15:28:39 <pc_m> Should it be possible not to have an IP assigned to the I/Fs?
15:28:49 <matrohon> I think you can disable the IP allocation by not configuring any subnet on the network
15:29:34 <matrohon> then you should be able to create a port on this net, and specify that port when booting the VM
15:30:01 <matrohon> I didn't test that recently sorry if it doesn't work :)
15:30:03 <pc_m> matrohon: cool. I'll try the two things (use the allocated IP, and try w/o subnet)
15:30:55 <pc_m> matrohon: May have to ping you about how to create a port on the network and use it in the VM boot.
15:31:19 <matrohon> pc_m : please do
15:31:30 <pc_m> Any other bugs to discuss here?
15:32:49 <pc_m> #topic Open Discussion
15:33:03 <pc_m> Anyone have anything they'd like to bring up?
15:34:00 <matrohon> mhanif is about to have its own stackforge project : https://review.openstack.org/#/c/145160/
15:34:32 <pc_m> Cool!
15:34:51 * pc_m I've really got to spend some time looking into the Stackforge stuff
15:36:30 <pc_m> Anyone have anything else (otherwise we'll give you 20 mins back :)
15:37:35 <pc_m> Thanks for joining in folks!
15:37:38 <pc_m> #endmeeting