Closed harikrishna-patnala closed 1 year ago
@harikrishna-patnala
PR #5375, introduced in version 4.15.2.0, removed parameter %any
of VPNs client-to-site (C2S) IPSec secrets:
<IP> %any : PSK "<PSK>"
<IP> : PSK "<PSK>"
Because of that, when a VPN site-to-site (S2S) is created in parallel to a VPN C2S in the same network, the C2S will not handle any IP (%any) anymore and, as the network is being tunneled to the other VPN, the connection will be handled by the final peer. This way, when a VPN S2S is created in parallel to a VPN C2S in the same network, it is only possible to connect to the C2S with the S2S PSK.
I created PR #6907 to handle this situation, could you take a look at it?
SUMMARY
When a site-to-site VPN already exists, the remote VPN does not work.
There was already an old issue https://github.com/apache/cloudstack/issues/3654, but even with newer strongSwan libraries this was not working as expected.
This was discussed here https://wiki.strongswan.org/issues/2497 and a possible workaround or fix could be as follows:
Modify /opt/cloud/bin/configure.py: change secret.addeq("%s : PSK \"%s\"" % (left, psk)) to secret.addeq("%s %%any : PSK \"%s\"" % (left, psk))
This needs testing and check for regressions.
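As an added example (not CloudStack or strongSwan code), a small Python model of the PSK selection described in both the summary and the comment above, showing why the C2S secret needs the %any selector once an S2S secret shares the same local IP. The scoring rule, the tie-break, the entry order and the sample addresses are assumptions made for the example.

```python
# Added example (not CloudStack or strongSwan code): a simplified model of how
# strongSwan picks a PSK from ipsec.secrets. Assumed rule: score each entry per
# side (local, remote) as exact IP > %any > none, no selectors counts as %any,
# best score wins and the earlier entry keeps a tie. IPv4 selectors only.
from typing import List, Optional, Tuple

EXACT, ANY, NONE = 2, 1, 0

def parse_secrets(text: str) -> List[Tuple[List[str], str]]:
    """Parse '<selectors> : PSK "<psk>"' lines into (selectors, psk) pairs."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, sep, rest = line.partition(":")
        kind, _, psk = rest.strip().partition(" ")
        if not sep or kind != "PSK":
            continue  # skip RSA/EAP entries and malformed lines
        entries.append((selectors.split(), psk.strip().strip('"')))
    return entries

def quality(selectors: List[str], ident: str) -> int:
    """Best match of one identity against an entry's selector list."""
    if not selectors:
        return ANY
    best = NONE
    for sel in selectors:
        if sel == ident:
            return EXACT
        if sel == "%any":
            best = ANY
    return best

def pick_psk(text: str, local: str, remote: str) -> Optional[str]:
    """PSK of the best-scoring entry for (local, remote); first entry wins ties."""
    best, best_score = None, (NONE, NONE)
    for selectors, psk in parse_secrets(text):
        score = (quality(selectors, local), quality(selectors, remote))
        if score > best_score:  # strictly better only, so the first entry keeps a tie
            best, best_score = psk, score
    return best

# Constructed sample: S2S entry (local and peer IP) then the C2S entry for the
# same local VPN IP, as the router's ipsec.secrets would hold both at once.
LOCAL, S2S_PEER, ROAD_WARRIOR = "10.1.1.1", "203.0.113.5", "198.51.100.7"
WITHOUT_ANY = f'{LOCAL} {S2S_PEER} : PSK "s2s-psk"\n{LOCAL} : PSK "c2s-psk"\n'
WITH_ANY = f'{LOCAL} {S2S_PEER} : PSK "s2s-psk"\n{LOCAL} %any : PSK "c2s-psk"\n'
```

For a road-warrior peer both entries in WITHOUT_ANY score (EXACT, NONE), so the S2S PSK is used; in WITH_ANY the C2S entry scores (EXACT, ANY) and wins, while the real S2S peer still gets the S2S PSK.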