Fix C2S VPN in parallel to S2S VPN#6907
Conversation
Codecov Report
@@ Coverage Diff @@
## 4.17 #6907 +/- ##
============================================
+ Coverage 10.34% 10.87% +0.53%
- Complexity 6609 7117 +508
============================================
Files 2451 2485 +34
Lines 242340 245507 +3167
Branches 37924 38334 +410
============================================
+ Hits 25061 26699 +1638
- Misses 214192 215538 +1346
- Partials 3087 3270 +183
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
| secret = CsFile(vpnsecretfilte) | ||
| secret.empty() | ||
| secret.addeq("%s : PSK \"%s\"" % (left, psk)) | ||
| secret.addeq(": PSK \"%s\"" % (psk)) |
There was a problem hiding this comment.
@GutoVeronezi LGTM, but should we revert to old ? I don't know what the syntax really means
secret.addeq("%s %%any : PSK \"%s\"" % (left, psk))
There was a problem hiding this comment.
Update, from #4281 (comment) it seems the user's fix correlates with the syntax used.
yadvr
left a comment
There was a problem hiding this comment.
LGTM based on test results shared; this would need syntactic review from a strongswan/ipsec/vpn expert
|
Packaging result: ✔️ el7 ✔️ el8 ✔️ debian ✔️ suse15. SL-JID 4624 |
|
(manually fired smoketest) |
|
@GutoVeronezi I have few questions
|
|
@weizhouapache, yes, I have tested reverting #5375, and it works as well. The problem was that, by removing Since only a single VPN C2S is configured for each network/VPC, I do not see how it could be a security issue. @rohityadavcloud, and @weizhouapache, since the user's problem (#4281 (comment)) was observed in |
@GutoVeronezi |
|
@blueorangutan test |
|
@rohityadavcloud a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests |
DaanHoogland
left a comment
There was a problem hiding this comment.
not tested but looks good. btween reverting and applying this, this seems to be the simpler configuration which has my preference.
|
@GutoVeronezi can you cherry-pick or rebase your PR to 4.17 branch and edit PR base branch to 4.17? |
|
Ping @weizhouapache @harikrishna-patnala can you help review this? |
4beb910 to
23b16c2
Compare
@rohityadavcloud, done. |
weizhouapache
left a comment
There was a problem hiding this comment.
code lgtm
not tested it yet
harikrishna-patnala
left a comment
There was a problem hiding this comment.
Code LGTM,
@GutoVeronezi can you update the structure in the description to reflect the latest change. Thanks
|
Sorry, @harikrishna-patnala, I did not catch what you meant. There were no changes in the code, the branch was only rebased to 4.17. |
|
@GutoVeronezi I'm just asking about the structure mentioned in the description. I think now it is only right! |
|
@harikrishna-patnala, that part of the description is an introduction to the problem, explaining why it was happening. The changes I am doing in this PR is in the third paragraph. I made a little change to make it more explicit, thanks. |
|
Thanks @GutoVeronezi I’ll kick tests |
|
@rohityadavcloud a Jenkins job has been kicked to build packages. It will be bundled with SystemVM template(s). I'll keep you posted as I make progress. |
|
Packaging result: ✔️ el7 ✖️ el8 ✔️ debian ✔️ suse15. SL-JID 4681 |
|
@blueorangutan test |
|
@rohityadavcloud a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests |
Thanks @GutoVeronezi for the change |
|
Trillian test result (tid-5295)
|

Description
PR #5375, introduced in version 4.15.2.0, removed parameter
%anyof VPNs client-to-site (C2S) IPSec secrets:<IP> %any : PSK "<PSK>"<IP> : PSK "<PSK>"Because of that, when a VPN site-so-site (S2S) is created in parallel to a VPN C2S in the same network, the C2S will not handle any IP (
%any) anymore and, as the network is being tunneled to the other VPN, the connection will be handled by the final peer. This way, when a VPN S2S is created in parallel to a VPN C2S in the same network, it is only possible to connect to the C2S with the S2S PSK.As ACS is only able to implement a single C2S per network (ACS allows setting more than one IP of the network as VPN, however, only the first will be implemented) and every S2S has its own secret file, the secrets structure of C2S was changed to contain only the PSK:
By doing that, StrongSwan will handle correctly C2S connections from any IP and still will use the correct PSK for S2S.
Types of changes
Feature/Enhancement Scale or Bug Severity
Bug Severity
How Has This Been Tested?
I created 3 networks (A, B, and C) and a VM in each network. In networks B and C I enabled the VPN. From VM in network A, I configured both VPNs and successfully connected to them with their respective PSK. Then, from B to C I established a S2S VPN. Without this change, when I was trying to connect again to C2S B with B PSK, the connection was refused; however, when tried to connect to C2S B with C PSK, the connection was successful. After the changes, I tried to connect again to C2S B with B PSK and the connection was successful.