16:01:28 #startmeeting vpnaas 16:01:29 Meeting started Tue May 5 16:01:28 2015 UTC and is due to finish in 60 minutes. The chair is pcm_. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:01:30 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 16:01:33 The meeting name has been set to 'vpnaas' 16:01:53 Been a while since we met last. Wanted to touch base with people before summit. 16:02:05 #topic Announcements 16:02:30 Fedora support is being added for StrongSwan 16:02:43 IPv6 testing and support being added 16:03:00 There is a simple scenario (functional) test out for review 16:03:32 The functional jobs are being modified to configure devstack, but not stack (out for review). 16:03:53 Please sign up for and review all these commits we have, so they can upstream 16:04:11 Thanks to everyone for their hard work! 16:04:24 Anyone have any other announcements? 16:05:03 libreswan driver added for fedora 16:05:26 Ah yes, forgot that one, and it is upstreamed, right? 16:05:32 yes 16:05:41 anilvenkata: nice work 16:05:48 thanks pcm_ 16:06:01 #topic Functional Testing 16:06:44 Just to reiterate, as it's been trudging along for weeks... I've been modifying the functional jobs to be like Neutron and only configure DevStack, but not spin up devstack. 16:07:06 I finally got it working and it is out for review. Looking for cores. 16:07:50 We can use more functional test coverage, especially OpenSwan/LibreSwan. If anyone has some time/desire, please join in. 16:08:10 #topic Bugs 16:08:46 I https://bugs.launchpad.net/neutron/+bug/1450479 16:08:46 Launchpad bug 1450479 in neutron "left= not allowed when gw has both v4 & v6 address" [Medium,In progress] - Assigned to venkata anil (anil-venkata) 16:08:46 Here is the latest list of bugs with VPNaaS tag: https://goo.gl/XNtnLX 16:09:12 I have a doubt here 16:09:15 * pcm_ interesting expansion of the URL. 16:09:21 anilvenkata: Sure 16:09:34 If I have the following setup http://paste.openstack.org/show/215006/ 16:09:45 what will be the my ipsec.conf file? 16:10:11 You;re talking about that specific bug? 16:10:22 assume for strongswan, as it supports ipv4 and ipv6 at same time in ipsec.conf 16:10:24 yes 16:10:40 * pcm_ I posted a shortened url that should have been a list of all the VPN bugs (not sure why it showed that). 16:12:21 left parameter in ipsec.conf in vpnaas can only support one address per ipsec.conf, but if i have a situation like in http://paste.openstack.org/show/215006/ I will need left with different ips per ipsec.conf 16:13:18 pcm_: I thought it is the right platform to ask this question, if it is not the right time, I will talk it later 16:13:25 anilvenkata: yeah, right now, IPsec connections are 1:N, with only one local subnet and multiple remote subnets. 16:14:49 anilvenkata: So is the issue that it is trying to use the GW IP and there are two 16:14:50 ? 16:14:53 my scenario is also same i.e 1:N, but remote subnet1 is have ipv4 gateway address and remote subnet2 supports only ipv6 address 16:15:46 local gateway has both ipv4 and ipv6 address, it has to use ipv4 address for remote1 and ipv6 address for remote2 16:17:34 anilvenkata: Can you clarify? In the drawing what routers are in what clouds? Are you doing two connections involving three clouds? 16:18:51 anilvenkata: IOW, is router1 the left side, and router2 and router3 are right sides for other clouds? 16:19:07 yes 16:20:13 assume I have 3 clouds and each router is on different cloud 16:20:53 anilvenkata: gotcha. So, is it always taking the IPv4 address for the left side? 16:20:55 cloud 1 is having router1 which supports(has) both ipv4 and ipv6 address for its gateway port 16:21:20 yes, it is always talking ipv4 address for the left 16:21:32 anilvenkata: Sounds like a limitation of the API. Wonder if it should allow user to specify the local subnet. 16:21:55 anilvenkata: Maybe it could also be extended to support multiple local subnets (assuming *Swan supports) 16:22:14 anilvenkata: Can you have multiple subnets on left side for *Swan? 16:23:08 https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp 16:23:24 leftsourceip=%config4,%config6 16:23:35 I am not sure 16:23:58 need to look more into it 16:24:11 Looks like it can, according to Initiator Config sections. 16:24:39 but stong swan support both ipv4 and ipv6 in same ipsec.conf for single connection http://www.strongswan.org/uml/testresults43/ipv6/net2net-ip6-in-ip4-ikev2/moon.ipsec.conf 16:24:48 anilvenkata: I'd suggest checking it out and maybe that could be a proposed change to the API to allow local subnet specification. 16:24:53 conn net-net left=192.168.0.1 leftsubnet=fec1::0/16 16:25:05 "Since 5.0.1 a client may request multiple IP addresses by listing a comma-separated combination of %config4, %config6 or fixed IP addresses in leftsourceip." 16:25:45 but all these are not supported in openswan :) 16:26:02 mean it supports either ipv6 or ipv4 in a single connection 16:26:46 I read it as any combination of multiple addresses, so maybe it supports multiple of same type. 16:27:06 anilvenkata: Just not to side track too much here... I'd say look into seeing if StrongSwan/OpenSwan/LibreSwan can support multiple local CIDRs and if so, a change can be proposed to the API. 16:27:33 sure, thanks 16:28:16 Regarding the other bugs I linked above, look them over and comment on, assign yourself, to any of interest. I spend several hours going through the list recently and commenting on a bunch of them, but it was pretty overwhelming. 16:28:56 #action anilvenkata to look to see if *Swan can support multiple local CIDRs. 16:29:24 Were there any other bugs reported that anyone wants to highlight? 16:29:38 * pcm_ we'll talk about reviews in a minute. 16:30:38 #topic Reviews 16:30:45 Here is the current list: https://review.openstack.org/#/q/status:open+project:openstack/neutron-vpnaas,n,z 16:31:33 Please help out in reviewing... if we can all provide "domain specific" reviews, it'll help the drivers team do core reviews. 16:32:07 Are there any reviews that need discussion? (I still have to go through some today) 16:34:11 #topic Open Discussion 16:34:36 I have a question, if I may ask within this open discussion 16:34:48 There is no VPN specific session at the Summit, but there will be opportunity Friday for people to get together and discuss. 16:34:53 svinota: sure go ahead 16:35:11 is there someone working on BGPVPN? 16:36:20 yes, although it is being handled as a project in StackForge. 16:37:36 and about the summit — I'm pretty sure there will be some people who's interested in a possible discussion, so may be we could just make a talk 16:39:10 svinota: On Friday, we can meet to discuss VPN, as there will be time reserved for that free form meeting, like they did last summit (I forget the catchy name) 16:39:24 The Friday meetings 16:39:33 xgerman: :) 16:39:52 pcm_, 10x, I'll try to catch :) 16:40:48 svinota: Yesh, I think there are a bunch of people who want to talk about various VPN topics. Should be a good free for all :) 16:41:36 BTW: I'm going to start a ML thread to talk about how we integrate in things like BGP VPN w.r.t. the APIs. 16:41:52 since I was asking about it this morning. 16:42:41 pcm_ I am going to try to ramp up involvement with vpnaas. Have other compenting priorities though. Will be trying to do more reviews and pick up some small tasks. I will be in Vancouver, and am looking forward to getting connected... 16:42:50 pcm_ we were also thinking to opening up the LBaaS mid cycle to all advanced services: https://etherpad.openstack.org/p/LBaaS-FWaaS-VPNaaS_Summer_Midcycle_meetup 16:43:07 ajmiller: Great! Looking forward to seeing you. 16:44:02 xgerman: That's a great idea (I forgot Doug mentioned it once). Anyone interested/able to attend the LBaaS mid-cycle, there info on the link. Thanks xgerman 16:44:30 we were hoping you could come — so vote wisely on the location :-) 16:45:02 xgerman: Not sure I can. Have commitments for Neutron mid-cycle already. Will have to see. 16:45:14 ok 16:46:08 Anything else folks? 16:46:56 Thanks for all the contributions on VPN during Kilo! Looking forward to seeing folks at the summit! 16:47:21 thanks pcm_ 16:47:28 thanks all 16:47:28 thanks cpm_ 16:47:33 pcm_ 16:47:34 #endmeeting