CLOUDSTACK-8710: Fixed applying iptables rules for s2s vpn#690
Merged
Conversation
|
cloudstack-pull-rats #284 SUCCESS |
|
cloudstack-pull-requests #981 SUCCESS |
|
cloudstack-pull-analysis #217 ABORTED |
Contributor
|
Hi @jayapalu I also worked on this, and but even with the firewall rules applied, the functionality still doesn't work because some rules are missing. So, this might fix CLOUDSTACK-8710 as it applies the rules but I think the goal should be to make two VMs in two VPCs be able to reach each other through the VPN. Anyway, I'll make a separate issue for this and keep working on it. I already figured out what rules are missing. Some other issues are also impacting this, like the missing default gateway. Let's be clear on who works on what (by assigning the issue) or else we'll do duplicate work. That's why I assigned the issue to me yesterday. Will run test to verify your fix now. |
Contributor
Author
|
@remibergsma
|
Contributor
|
@jayapalu happy you're helping out! If you found out more stuff already, feel free to post. Thanks! :-) |
Contributor
|
Forgot to update this.. tested it and the rules are applied OK now. LGTM. I will add more firewall rules so the feature will work again. Let's also look at the tests (if any). |
remibergsma
added a commit
to remibergsma/cloudstack
that referenced
this pull request
Aug 13, 2015
CLOUDSTACK-8710: Fixed applying iptables rules for s2s * pr/690: CLOUDSTACK-8710: Fixed applying iptables rules for s2s vpn This closes apache#690 Signed-off-by: Remi Bergsma <github@remi.nl>
remibergsma
added a commit
to remibergsma/cloudstack
that referenced
this pull request
Aug 14, 2015
CLOUDSTACK-8710: Fixed applying iptables rules for s2s vpn@remibergsma @wilderrodrigues Moved applying iptables rules apply after vpn configuration so that vpn specific rules also get applied * pr/690: CLOUDSTACK-8710: Fixed applying iptables rules for s2s vpn Signed-off-by: Remi Bergsma <github@remi.nl>
remibergsma
added a commit
to remibergsma/cloudstack
that referenced
this pull request
Aug 14, 2015
CLOUDSTACK-8710: Fixed applying iptables rules for s2s vpn @remibergsma @wilderrodrigues Moved applying iptables rules apply after vpn configuration so that vpn specific rules also get applied * pr/690: CLOUDSTACK-8710: Fixed applying iptables rules for s2s vpn Signed-off-by: Remi Bergsma <github@remi.nl>
remibergsma
added a commit
to remibergsma/cloudstack
that referenced
this pull request
Aug 14, 2015
CLOUDSTACK-8710: Fixed applying iptables rules for s2s vpn@remibergsma @wilderrodrigues Moved applying iptables rules apply after vpn configuration so that vpn specific rules also get applied * pr/690: CLOUDSTACK-8710: Fixed applying iptables rules for s2s vpn Signed-off-by: Remi Bergsma <github@remi.nl>
remibergsma
added a commit
to remibergsma/cloudstack
that referenced
this pull request
Aug 14, 2015
CLOUDSTACK-8710: Fixed applying iptables rules for s2s vpn @remibergsma @wilderrodrigues Moved applying iptables rules apply after vpn configuration so that vpn specific rules also get applied * pr/690: CLOUDSTACK-8710: Fixed applying iptables rules for s2s vpn This closes apache#690 Signed-off-by: Remi Bergsma <github@remi.nl>
Contributor
asfgit
pushed a commit
that referenced
this pull request
Aug 14, 2015
Fix site-to-site VPN featureThis is work done together with @jayapalu on fixing the site2site VPN. The first part was done in PR #690 by @jayapalu. On top of that, some other fixes were needed and those are added in this PR. It made sense to make a new PR which includes all fixes so we can actually test it. The original PR #690 is already merged into this one, so can be closed. Since the commit ids are kept the same, merging this will close both. I closely compared the 4.4/4.5 implementation with the new 4.6 one. I did not only make it work, but also added some security improvements (some of which were also in 4.4/4.5). I noticed the pre shared key was being logged, so removed that as well. This is how I tested and verified it: https://github.com/schubergphilis/MCT-shared/tree/master/helper_scripts/cloudstack/vpn_tests When I have some time available, I'll write a Marvin test for it that we can include in the repo. It now works(tm) with one manual step due to CLOUDSTACK-8685: We need a default gateway before site-to-site VPN will actually work. It will connect, but not forward packets. The reason for this, is due to the iptables setup. VM1 has router1 as gateway, but router1 does not know the route to VM2 so it will give up. With a default gateway, the packets are about to be forwarded to the default gateway but when they reach eth1 the public nic, iptables kicks in, does some magic and forwards it through the ipsec tunnel. So, you need a default gw set to upstream. Workaround for now is setting the route manually: ``route add default gw 1.2.3.4`` or ``ip route add default via 1.2.3.4`` In other words, we need to fix CLOUDSTACK-8685 soon, too. Thanks to @snuf @jayapalu! @jayapalu @snuf could you please review this? * pr/693: do not log sensitive site-to-site VPN PSK tighten security of site-to-site VPN CLOUDSTACK-8730: fix s2s iptables rules and ipsec config CLOUDSTACK-8710: Fixed applying iptables rules for s2s vpn Signed-off-by: Remi Bergsma <github@remi.nl>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
@remibergsma @wilderrodrigues
Moved applying iptables rules apply after vpn configuration so that vpn specific rules also get applied