16:01:28 <pcm_> #startmeeting vpnaas
16:01:29 <openstack> Meeting started Tue May 5 16:01:28 2015 UTC and is due to finish in 60 minutes. The chair is pcm_. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:01:30 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:01:33 <openstack> The meeting name has been set to 'vpnaas'
16:01:53 <pcm_> Been a while since we met last. Wanted to touch base with people before summit.
16:02:05 <pcm_> #topic Announcements
16:02:30 <pcm_> Fedora support is being added for StrongSwan
16:02:43 <pcm_> IPv6 testing and support being added
16:03:00 <pcm_> There is a simple scenario (functional) test out for review
16:03:32 <pcm_> The functional jobs are being modified to configure devstack, but not stack (out for review).
16:03:53 <pcm_> Please sign up for and review all these commits we have, so they can upstream
16:04:11 <pcm_> Thanks to everyone for their hard work!
16:04:24 <pcm_> Anyone have any other announcements?
16:05:03 <anilvenkata> libreswan driver added for fedora
16:05:26 <pcm_> Ah yes, forgot that one, and it is upstreamed, right?
16:05:32 <anilvenkata> yes
16:05:41 <pcm_> anilvenkata: nice work
16:05:48 <anilvenkata> thanks pcm_
16:06:01 <pcm_> #topic Functional Testing
16:06:44 <pcm_> Just to reiterate, as it's been trudging along for weeks... I've been modifying the functional jobs to be like Neutron and only configure DevStack, but not spin up devstack.
16:07:06 <pcm_> I finally got it working and it is out for review. Looking for cores.
16:07:50 <pcm_> We can use more functional test coverage, especially OpenSwan/LibreSwan. If anyone has some time/desire, please join in.
16:08:10 <pcm_> #topic Bugs
16:08:46 <anilvenkata> I https://bugs.launchpad.net/neutron/+bug/1450479
16:08:46 <openstack> Launchpad bug 1450479 in neutron "left=<ipv6_addr> not allowed when gw has both v4 & v6 address" [Medium,In progress] - Assigned to venkata anil (anil-venkata)
16:08:46 <pcm_> Here is the latest list of bugs with VPNaaS tag: https://goo.gl/XNtnLX
16:09:12 <anilvenkata> I have a doubt here
16:09:15 * pcm_ interesting expansion of the URL.
16:09:21 <pcm_> anilvenkata: Sure
16:09:34 <anilvenkata> If I have the following setup http://paste.openstack.org/show/215006/
16:09:45 <anilvenkata> what will be my ipsec.conf file?
16:10:11 <pcm_> You're talking about that specific bug?
16:10:22 <anilvenkata> assume for strongswan, as it supports ipv4 and ipv6 at same time in ipsec.conf
16:10:24 <anilvenkata> yes
16:10:40 * pcm_ I posted a shortened url that should have been a list of all the VPN bugs (not sure why it showed that).
16:12:21 <anilvenkata> left parameter in ipsec.conf in vpnaas can only support one address per ipsec.conf, but if i have a situation like in http://paste.openstack.org/show/215006/ I will need left with different ips per ipsec.conf
16:13:18 <anilvenkata> pcm_: I thought it is the right platform to ask this question, if it is not the right time, I will talk about it later
16:13:25 <pcm_> anilvenkata: yeah, right now, IPsec connections are 1:N, with only one local subnet and multiple remote subnets.
16:14:49 <pcm_> anilvenkata: So is the issue that it is trying to use the GW IP and there are two
16:14:50 <pcm_> ?
16:14:53 <anilvenkata> my scenario is also same i.e 1:N, but remote subnet1 has ipv4 gateway address and remote subnet2 supports only ipv6 address
16:15:46 <anilvenkata> local gateway has both ipv4 and ipv6 address, it has to use ipv4 address for remote1 and ipv6 address for remote2
16:17:34 <pcm_> anilvenkata: Can you clarify? In the drawing what routers are in what clouds? Are you doing two connections involving three clouds?
16:18:51 <pcm_> anilvenkata: IOW, is router1 the left side, and router2 and router3 are right sides for other clouds?
16:19:07 <anilvenkata> yes
16:20:13 <anilvenkata> assume I have 3 clouds and each router is on different cloud
16:20:53 <pcm_> anilvenkata: gotcha. So, is it always taking the IPv4 address for the left side?
16:20:55 <anilvenkata> cloud 1 is having router1 which supports(has) both ipv4 and ipv6 address for its gateway port
16:21:20 <anilvenkata> yes, it is always taking ipv4 address for the left
16:21:32 <pcm_> anilvenkata: Sounds like a limitation of the API. Wonder if it should allow user to specify the local subnet.
16:21:55 <pcm_> anilvenkata: Maybe it could also be extended to support multiple local subnets (assuming *Swan supports)
16:22:14 <pcm_> anilvenkata: Can you have multiple subnets on left side for *Swan?
16:23:08 <anilvenkata> https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp
16:23:24 <anilvenkata> leftsourceip=%config4,%config6
16:23:35 <anilvenkata> I am not sure
16:23:58 <anilvenkata> need to look more into it
16:24:11 <pcm_> Looks like it can, according to Initiator Config sections.
16:24:39 <anilvenkata> but strong swan supports both ipv4 and ipv6 in same ipsec.conf for single connection http://www.strongswan.org/uml/testresults43/ipv6/net2net-ip6-in-ip4-ikev2/moon.ipsec.conf
16:24:48 <pcm_> anilvenkata: I'd suggest checking it out and maybe that could be a proposed change to the API to allow local subnet specification.
16:24:53 <anilvenkata> conn net-net left=192.168.0.1 leftsubnet=fec1::0/16
16:25:05 <pcm_> "Since 5.0.1 a client may request multiple IP addresses by listing a comma-separated combination of %config4, %config6 or fixed IP addresses in leftsourceip."
16:25:45 <anilvenkata> but all these are not supported in openswan :)
16:26:02 <anilvenkata> mean it supports either ipv6 or ipv4 in a single connection
16:26:46 <pcm_> I read it as any combination of multiple addresses, so maybe it supports multiple of same type.
16:27:06 <pcm_> anilvenkata: Just not to side track too much here... I'd say look into seeing if StrongSwan/OpenSwan/LibreSwan can support multiple local CIDRs and if so, a change can be proposed to the API.
16:27:33 <anilvenkata> sure, thanks
16:28:16 <pcm_> Regarding the other bugs I linked above, look them over and comment on, assign yourself, to any of interest. I spent several hours going through the list recently and commenting on a bunch of them, but it was pretty overwhelming.
16:28:56 <pcm_> #action anilvenkata to look to see if *Swan can support multiple local CIDRs.
16:29:24 <pcm_> Were there any other bugs reported that anyone wants to highlight?
16:29:38 * pcm_ we'll talk about reviews in a minute.
16:30:38 <pcm_> #topic Reviews
16:30:45 <pcm_> Here is the current list: https://review.openstack.org/#/q/status:open+project:openstack/neutron-vpnaas,n,z
16:31:33 <pcm_> Please help out in reviewing... if we can all provide "domain specific" reviews, it'll help the drivers team do core reviews.
16:32:07 <pcm_> Are there any reviews that need discussion? (I still have to go through some today)
16:34:11 <pcm_> #topic Open Discussion
16:34:36 <svinota> I have a question, if I may ask within this open discussion
16:34:48 <pcm_> There is no VPN specific session at the Summit, but there will be opportunity Friday for people to get together and discuss.
16:34:53 <pcm_> svinota: sure go ahead
16:35:11 <svinota> is there someone working on BGPVPN?
16:36:20 <pcm_> yes, although it is being handled as a project in StackForge.
16:37:36 <svinota> and about the summit — I'm pretty sure there will be some people who are interested in a possible discussion, so maybe we could just make a talk
16:39:10 <pcm_> svinota: On Friday, we can meet to discuss VPN, as there will be time reserved for that free form meeting, like they did last summit (I forget the catchy name)
16:39:24 <xgerman> The Friday meetings
16:39:33 <pcm_> xgerman: :)
16:39:52 <svinota> pcm_, 10x, I'll try to catch :)
16:40:48 <pcm_> svinota: Yesh, I think there are a bunch of people who want to talk about various VPN topics. Should be a good free for all :)
16:41:36 <pcm_> BTW: I'm going to start a ML thread to talk about how we integrate in things like BGP VPN w.r.t. the APIs.
16:41:52 <pcm_> since I was asking about it this morning.
16:42:41 <ajmiller> pcm_ I am going to try to ramp up involvement with vpnaas. Have other competing priorities though. Will be trying to do more reviews and pick up some small tasks. I will be in Vancouver, and am looking forward to getting connected...
16:42:50 <xgerman> pcm_ we were also thinking to opening up the LBaaS mid cycle to all advanced services: https://etherpad.openstack.org/p/LBaaS-FWaaS-VPNaaS_Summer_Midcycle_meetup
16:43:07 <pcm_> ajmiller: Great! Looking forward to seeing you.
16:44:02 <pcm_> xgerman: That's a great idea (I forgot Doug mentioned it once). Anyone interested/able to attend the LBaaS mid-cycle, there's info on the link. Thanks xgerman
16:44:30 <xgerman> we were hoping you could come — so vote wisely on the location :-)
16:45:02 <pcm_> xgerman: Not sure I can. Have commitments for Neutron mid-cycle already. Will have to see.
16:45:14 <xgerman> ok
16:46:08 <pcm_> Anything else folks?
16:46:56 <pcm_> Thanks for all the contributions on VPN during Kilo! Looking forward to seeing folks at the summit!
16:47:21 <anilvenkata> thanks pcm_
16:47:28 <anilvenkata> thanks all
16:47:28 <xgerman> thanks cpm_
16:47:33 <xgerman> pcm_
16:47:34 <pcm_> #endmeeting