Adding VPN options for IKE version and IKE split connections. #4904
Conversation
IKE version allows selecting ike (autoselect), ikev1, or ikev2. Split connections gives an option of separating the first right subnet from the rest, and kicking out individual statements for each right subnet for better cross-compatibility. update per PR suggestion
|
Packaging result: ✔️ centos7 ✔️ centos8 ✔️ debian. SL-JID 375 |
|
Trillian test result (tid-397)
|
|
@blueorangutan package |
|
@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress. |
|
Packaging result: ✔️ centos7 ✔️ centos8 ✔️ debian. SL-JID 385 |
|
@blueorangutan test matrix |
|
@rhtyd a Trillian-Jenkins matrix job (centos7 mgmt + xs71, centos7 mgmt + vmware65, centos7 mgmt + kvmcentos7) has been kicked to run smoke tests |
|
Trillian test result (tid-407)
|
|
Trillian test result (tid-408)
|
|
@rhtyd a Jenkins job has been kicked to build UI QA env. I'll keep you posted as I make progress. |
|
UI build: ✔️ |
|
@blueorangutan test centos7 vmware-67u3 |
|
@rhtyd a Trillian-Jenkins test job (centos7 mgmt + vmware-67u3) has been kicked to run smoke tests |
|
@DaanHoogland can you please resolve the conflicts? |
|
Trillian test result (tid-447)
|
|
@blueorangutan package |
|
@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress. |
|
Packaging result: ✔️ centos7 ✔️ centos8 ✔️ debian. SL-JID 426 |
|
Trillian test result (tid-480)
|
rohityadavcloud
left a comment
rohityadavcloud
left a comment
There was a problem hiding this comment.
LGTM - didn't test - this needs manual testing of ikev1+2 based s2s vpn cc @Pearl1594
|
|
||
| public Boolean getEncap() { return encap; } | ||
|
|
||
| public boolean getSplitConnections() { |
There was a problem hiding this comment.
Update of VPN gateway results in an NPE if splitconnection isn't passed, as the return type is boolean (primitive). We can either change this to Boolean or do the null check here.
2021-04-22 04:23:54,483 DEBUG [c.c.a.ApiServlet] (qtp1233705144-17:ctx-f384e62b ctx-1b68af67) (logid:5c3e9c53) ===END=== 172.16.250.2 -- GET id=10c9ef13-e7ab-4c40-8c8c-becd750f990a&name=vt2-right-gw1&gateway=10.0.52.84&cidrlist=10.2.0.0%2F24&ipsecpsk=password&ikepolicy=aes128-sha1%3Bmodp1536&ikelifetime=86400&ikeversion=ike&esppolicy=aes128-sha1&esplifetime=3600&command=updateVpnCustomerGateway&response=json
2021-04-22 04:23:54,492 ERROR [c.c.a.ApiAsyncJobDispatcher] (API-Job-Executor-20:ctx-39e2f033 job-78) (logid:f3cdea9e) Unexpected exception while executing org.apache.cloudstack.api.command.user.vpn.UpdateVpnCustomerGatewayCmd
java.lang.NullPointerException
at org.apache.cloudstack.api.command.user.vpn.UpdateVpnCustomerGatewayCmd.getSplitConnections(UpdateVpnCustomerGatewayCmd.java:150)
at com.cloud.network.vpn.Site2SiteVpnManagerImpl.updateCustomerGateway(Site2SiteVpnManagerImpl.java:482)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
There was a problem hiding this comment.
I am changing this, I noticed one other occasion, for which the field is a basic type , so it won't give the NPE, I'd rather keep the interface the original author decided on so I'll do the null check in the method.
|
Did testing and found following things. Problems: Add VPN Customer Gateway > IKE Version > set:ikev2 > press:ok Add VPN Customer Gateway > IKE Version > set:ikev1 > press:ok Add VPN Customer Gateway > Edit VPN Customer Gateway > CIDR list > Command failed due to Internal Server Error Suggestions: Edit help text for Split Connections: Only for IKEv2, whether to split multiple right subnet CIDRs into multiple connection statements. Add help text for IKE Version : Connections marked with ike will use IKEv2 when initiating, but accept any protocol version when responding. |
|
Thanks for sharing test results @kricud |
| esppolicy: esppolicy | ||
| esppolicy: esppolicy, | ||
| splitconnections: values.splitconnections, | ||
| ikeversion: values.ikeversion |
There was a problem hiding this comment.
| ikeversion: values.ikeversion | |
| ikeversion: values.ikeVersions |
This causes ikeversion to be null at the time of creation of the customer gateway - as it isn't passed, hence defaults to ike
| docHelp: 'adminguide/networking_and_traffic.html#updating-and-removing-a-vpn-customer-gateway', | ||
| dataView: true, | ||
| args: ['name', 'gateway', 'cidrlist', 'ipsecpsk', 'ikepolicy', 'ikelifetime', 'esppolicy', 'esplifetime', 'dpd', 'forceencap'] | ||
| args: ['name', 'gateway', 'cidrlist', 'ipsecpsk', 'ikepolicy', 'ikelifetime', 'ikeversion', 'esppolicy', 'esplifetime', 'dpd', 'splitconnections', 'forceencap'] |
There was a problem hiding this comment.
| args: ['name', 'gateway', 'cidrlist', 'ipsecpsk', 'ikepolicy', 'ikelifetime', 'ikeversion', 'esppolicy', 'esplifetime', 'dpd', 'splitconnections', 'forceencap'] | |
| args: ['name', 'gateway', 'cidrlist', 'ipsecpsk', 'ikepolicy', 'ikelifetime', 'ikeversion', 'esppolicy', 'esplifetime', 'dpd', 'splitconnections', 'forceencap'], | |
| mapping: { | |
| ikeversion: { | |
| options: ['ike', 'ikev1', 'ikev2'] | |
| } | |
| } |
To list the ike versions during the update operation
|
Closing, as the PR has moved to - #4953 (Pearl is not committer, unable to push changes on this PR). |
7 participants
IKE version allows selecting ike (autoselect), ikev1, or ikev2.
Split connections gives an option of separating the first right subnet from the rest, and kicking out individual statements for each right subnet for better cross-compatibility.
update per PR suggestion
Fixes #3138
Types of changes
Feature/Enhancement Scale or Bug Severity
Feature/Enhancement Scale
Bug Severity
Screenshots (if appropriate):
How Has This Been Tested?