apache / cloudstack

Apache CloudStack is an opensource Infrastructure as a Service (IaaS) cloud computing platform
https://cloudstack.apache.org/
Apache License 2.0

Remote VPN is not working if site-to-site VPN exists #6903

Closed harikrishna-patnala closed 1 year ago

harikrishna-patnala commented 1 year ago
ISSUE TYPE
COMPONENT NAME
Virtual Router
CLOUDSTACK VERSION
4.16, 4.17, main
SUMMARY

When a site-to-site VPN already exists, the remote VPN does not work.

There was an old issue https://github.com/apache/cloudstack/issues/3654 already but even with newer strongswan libraries this was not working as expected.

This was discussed here https://wiki.strongswan.org/issues/2497 and a possible workaround or fix could be as follows:

Modify /opt/cloud/bin/configure.py, changing secret.addeq("%s : PSK \"%s\"" % (left, psk)) to secret.addeq("%s %%any : PSK \"%s\"" % (left, psk))

This needs testing and checking for regressions.

STEPS TO REPRODUCE
1. Set up a site-to-site VPN between two networks
2. Also enable remote VPN
EXPECTED RESULTS
As per this issue https://github.com/apache/cloudstack/issues/3654, both site to site VPN and remote VPN should work
ACTUAL RESULTS
Only either the site-to-site VPN or the remote VPN is working
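A check for the misconfiguration described above, written as an added example (it is not CloudStack's or strongSwan's code): it parses the PSK lines of an ipsec.secrets file, flags a one-selector remote-access entry that shares its local address with a two-selector site-to-site entry, and renders that entry with the %any selector the issue proposes. The addresses and secrets are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample of the two PSK entries a CloudStack virtual router writes
# when a network has both a site-to-site tunnel and remote-access (C2S) VPN.
# Addresses and secrets are made-up placeholders, not real values.
BROKEN_SECRETS = '''
# site-to-site tunnel to a peer gateway
203.0.113.10 198.51.100.20 : PSK "s2s-secret-placeholder"
# remote-access (L2TP/IPsec) clients, selector written without %any
203.0.113.10 : PSK "c2s-secret-placeholder"
'''

# Matches '<selectors> : PSK "<secret>"'. IPv4 and FQDN selectors only;
# IPv6 selectors contain colons and would need a different split.
ENTRY_RE = re.compile(r'^\s*(?P<selectors>[^:#]*?)\s*:\s*PSK\s+"(?P<psk>[^"]*)"\s*$')

@dataclass
class PskEntry:
    selectors: tuple
    psk: str
    line_no: int

def parse_secrets(text):
    """Return the PSK entries of an ipsec.secrets file; comments and other key types are skipped."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ENTRY_RE.match(line)
        if m:
            entries.append(PskEntry(tuple(m.group('selectors').split()), m.group('psk'), n))
    return entries

def find_shadowed_c2s(entries):
    """Pair each one-selector PSK entry (remote-access style, no %any) with a
    two-selector entry sharing its local address: the situation the issue describes."""
    findings = []
    for c2s in entries:
        if len(c2s.selectors) != 1 or c2s.selectors[0] == '%any':
            continue
        for s2s in entries:
            if s2s is not c2s and len(s2s.selectors) == 2 \
                    and c2s.selectors[0] in s2s.selectors and '%any' not in s2s.selectors:
                findings.append((c2s, s2s))
    return findings

def fixed_line(entry):
    """Render the entry the way the proposed configure.py change would write it."""
    return '%s %%any : PSK "%s"' % (entry.selectors[0], entry.psk)
```

Running find_shadowed_c2s over a router's /etc/ipsec.secrets after enabling both VPN types is a quick way to confirm whether a build still writes the selector without %any.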
GutoVeronezi commented 1 year ago

@harikrishna-patnala

PR #5375, introduced in version 4.15.2.0, removed the %any parameter from the IPsec secrets of client-to-site (C2S) VPNs:

Because of that, when a VPN site-to-site (S2S) is created in parallel to a VPN C2S in the same network, the C2S will not handle any IP (%any) anymore and, as the network is being tunneled to the other VPN, the connection will be handled by the final peer. This way, when a VPN S2S is created in parallel to a VPN C2S in the same network, it is only possible to connect to the C2S with the S2S PSK.

I created PR #6907 to handle this situation, could you take a look at it?

rohityadavcloud commented 1 year ago

Fixed in https://github.com/apache/cloudstack/pull/6907