Skip to content

Fix C2S VPN in parallel to S2S VPN#6907

Merged
yadvr merged 1 commit into
apache:4.17from
scclouds:fix-c2s-vpn-in-parallel-to-s2s-vpn
Nov 30, 2022
Merged

Fix C2S VPN in parallel to S2S VPN#6907
yadvr merged 1 commit into
apache:4.17from
scclouds:fix-c2s-vpn-in-parallel-to-s2s-vpn

Conversation

@GutoVeronezi

@GutoVeronezi GutoVeronezi commented Nov 17, 2022

Copy link
Copy Markdown
Contributor

Description

PR #5375, introduced in version 4.15.2.0, removed parameter %any of VPNs client-to-site (C2S) IPSec secrets:

Because of that, when a VPN site-so-site (S2S) is created in parallel to a VPN C2S in the same network, the C2S will not handle any IP (%any) anymore and, as the network is being tunneled to the other VPN, the connection will be handled by the final peer. This way, when a VPN S2S is created in parallel to a VPN C2S in the same network, it is only possible to connect to the C2S with the S2S PSK.

As ACS is only able to implement a single C2S per network (ACS allows setting more than one IP of the network as VPN, however, only the first will be implemented) and every S2S has its own secret file, the secrets structure of C2S was changed to contain only the PSK:

: PSK "<PSK>"

By doing that, StrongSwan will handle correctly C2S connections from any IP and still will use the correct PSK for S2S.

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)

Feature/Enhancement Scale or Bug Severity

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

How Has This Been Tested?

I created 3 networks (A, B, and C) and a VM in each network. In networks B and C I enabled the VPN. From VM in network A, I configured both VPNs and successfully connected to them with their respective PSK. Then, from B to C I established a S2S VPN. Without this change, when I was trying to connect again to C2S B with B PSK, the connection was refused; however, when tried to connect to C2S B with C PSK, the connection was successful. After the changes, I tried to connect again to C2S B with B PSK and the connection was successful.

@codecov

codecov Bot commented Nov 17, 2022

Copy link
Copy Markdown

Codecov Report

Merging #6907 (4beb910) into 4.17 (6c436ec) will increase coverage by 0.53%.
The diff coverage is 38.17%.

❗ Current head 4beb910 differs from pull request most recent head 23b16c2. Consider uploading reports for the commit 23b16c2 to get more accurate results

@@             Coverage Diff              @@
##               4.17    #6907      +/-   ##
============================================
+ Coverage     10.34%   10.87%   +0.53%     
- Complexity     6609     7117     +508     
============================================
  Files          2451     2485      +34     
  Lines        242340   245507    +3167     
  Branches      37924    38334     +410     
============================================
+ Hits          25061    26699    +1638     
- Misses       214192   215538    +1346     
- Partials       3087     3270     +183     
Impacted Files Coverage Δ
...estration/service/NetworkOrchestrationService.java 100.00% <ø> (ø)
...pi/src/main/java/com/cloud/alert/AlertManager.java 100.00% <ø> (ø)
...n/java/com/cloud/vm/VirtualMachineProfileImpl.java 36.44% <0.00%> (-0.70%) ⬇️
...n/java/com/cloud/vm/VirtualMachineManagerImpl.java 0.00% <0.00%> (ø)
...tack/engine/orchestration/NetworkOrchestrator.java 0.00% <0.00%> (ø)
...stack/engine/orchestration/VolumeOrchestrator.java 0.00% <0.00%> (ø)
...n/java/com/cloud/capacity/dao/CapacityDaoImpl.java 3.24% <0.00%> (-0.13%) ⬇️
...ema/src/main/java/com/cloud/network/vpc/VpcVO.java 14.86% <0.00%> (-1.81%) ⬇️
.../network/vpc/dao/VpcOfferingServiceMapDaoImpl.java 0.00% <0.00%> (ø)
...ma/src/main/java/com/cloud/projects/ProjectVO.java 8.33% <0.00%> (+0.43%) ⬆️
... and 245 more

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@yadvr yadvr added this to the 4.18.0.0 milestone Nov 21, 2022
secret = CsFile(vpnsecretfilte)
secret.empty()
secret.addeq("%s : PSK \"%s\"" % (left, psk))
secret.addeq(": PSK \"%s\"" % (psk))

@yadvr yadvr Nov 21, 2022

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@GutoVeronezi LGTM, but should we revert to old ? I don't know what the syntax really means

secret.addeq("%s %%any : PSK \"%s\"" % (left, psk))

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update, from #4281 (comment) it seems the user's fix correlates with the syntax used.

@yadvr yadvr left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM based on test results shared; this would need syntactic review from a strongswan/ipsec/vpn expert

@yadvr

yadvr commented Nov 21, 2022

Copy link
Copy Markdown
Member

Packaging result: ✔️ el7 ✔️ el8 ✔️ debian ✔️ suse15. SL-JID 4624

@yadvr

yadvr commented Nov 21, 2022

Copy link
Copy Markdown
Member

(manually fired smoketest)

@shwstppr shwstppr linked an issue Nov 21, 2022 that may be closed by this pull request
@weizhouapache

Copy link
Copy Markdown
Member

@GutoVeronezi
as you said, PR #5375 changed the structure from
<IP> %any : PSK "<PSK>"
to
<IP> : PSK "<PSK>"
With this PR, the structure is changed to
: PSK "<PSK>"

I have few questions

@GutoVeronezi

Copy link
Copy Markdown
Contributor Author

@weizhouapache, yes, I have tested reverting #5375, and it works as well. The problem was that, by removing %any and enabling S2S, the request would be redirected to the final peer because the source (right) was not being handled by the VPN C2S. Removing the destination (left) makes the C2S handle the connection with the PSK, independent of the source.

Since only a single VPN C2S is configured for each network/VPC, I do not see how it could be a security issue.


@rohityadavcloud, and @weizhouapache, since the user's problem (#4281 (comment)) was observed in 4.14.0, with another version of StrongSwan, and I could not reproduce it, the change was made in order to honor their comment. However, if we can confirm that it was only a problem with the StrongSwan version and #5375 change was not necessary, I think we could revert #5375.

@weizhouapache

weizhouapache commented Nov 22, 2022

Copy link
Copy Markdown
Member

@weizhouapache, yes, I have tested reverting #5375, and it works as well. The problem was that, by removing %any and enabling S2S, the request would be redirected to the final peer because the source (right) was not being handled by the VPN C2S. Removing the destination (left) makes the C2S handle the connection with the PSK, independent of the source.

Since only a single VPN C2S is configured for each network/VPC, I do not see how it could be a security issue.

@rohityadavcloud, and @weizhouapache, since the user's problem (#4281 (comment)) was observed in 4.14.0, with another version of StrongSwan, and I could not reproduce it, the change was made in order to honor their comment. However, if we can confirm that it was only a problem with the StrongSwan version and #5375 change was not necessary, I think we could revert #5375.

@GutoVeronezi
Thanks for your explanation.
I am ok with this pr or reverting #5375. We need to make sure both #6903 and #4281 are fixed.

@yadvr

yadvr commented Nov 23, 2022

Copy link
Copy Markdown
Member

@blueorangutan test

@blueorangutan

Copy link
Copy Markdown

@rohityadavcloud a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

@DaanHoogland DaanHoogland left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not tested but looks good. btween reverting and applying this, this seems to be the simpler configuration which has my preference.

@yadvr
yadvr changed the base branch from main to 4.17 November 29, 2022 11:13
@yadvr
yadvr changed the base branch from 4.17 to main November 29, 2022 11:13
@yadvr

yadvr commented Nov 29, 2022

Copy link
Copy Markdown
Member

@GutoVeronezi can you cherry-pick or rebase your PR to 4.17 branch and edit PR base branch to 4.17?

@yadvr yadvr modified the milestones: 4.18.0.0, 4.17.2.0 Nov 29, 2022
@yadvr

yadvr commented Nov 29, 2022

Copy link
Copy Markdown
Member

Ping @weizhouapache @harikrishna-patnala can you help review this?

@GutoVeronezi

Copy link
Copy Markdown
Contributor Author

@GutoVeronezi can you cherry-pick or rebase your PR to 4.17 branch and edit PR base branch to 4.17?

@rohityadavcloud, done.

@weizhouapache weizhouapache left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

code lgtm

not tested it yet

@harikrishna-patnala harikrishna-patnala left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code LGTM,

@GutoVeronezi can you update the structure in the description to reflect the latest change. Thanks

@GutoVeronezi

Copy link
Copy Markdown
Contributor Author

Sorry, @harikrishna-patnala, I did not catch what you meant. There were no changes in the code, the branch was only rebased to 4.17.

@harikrishna-patnala

harikrishna-patnala commented Nov 29, 2022

Copy link
Copy Markdown
Member

@GutoVeronezi I'm just asking about the structure mentioned in the description.
image

I think now it is only
" : PSK """

right!

@GutoVeronezi

Copy link
Copy Markdown
Contributor Author

@harikrishna-patnala, that part of the description is an introduction to the problem, explaining why it was happening. The changes I am doing in this PR is in the third paragraph. I made a little change to make it more explicit, thanks.

@yadvr

yadvr commented Nov 29, 2022

Copy link
Copy Markdown
Member

Thanks @GutoVeronezi I’ll kick tests
@blueorangutan package

@blueorangutan

Copy link
Copy Markdown

@rohityadavcloud a Jenkins job has been kicked to build packages. It will be bundled with SystemVM template(s). I'll keep you posted as I make progress.

@blueorangutan

Copy link
Copy Markdown

Packaging result: ✔️ el7 ✖️ el8 ✔️ debian ✔️ suse15. SL-JID 4681

@yadvr

yadvr commented Nov 29, 2022

Copy link
Copy Markdown
Member

@blueorangutan test

@blueorangutan

Copy link
Copy Markdown

@rohityadavcloud a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

@harikrishna-patnala

Copy link
Copy Markdown
Member

@harikrishna-patnala, that part of the description is an introduction to the problem, explaining why it was happening. The changes I am doing in this PR is in the third paragraph. I made a little change to make it more explicit, thanks.

Thanks @GutoVeronezi for the change

@blueorangutan

Copy link
Copy Markdown

Trillian test result (tid-5295)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 40046 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr6907-t5295-kvm-centos7.zip
Smoke tests completed. 100 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File
test_01_create_redundant_VPC_2tiers_4VMs_4IPs_4PF_ACL Failure 467.85 test_vpc_redundant.py

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Remote VPN is not working if site-to-site VPN exists

6 participants