Posted to commits@cloudstack.apache.org by ro...@apache.org on 2022/11/30 12:59:14 UTC

[cloudstack] branch 4.17 updated: systemvm: Fix C2S VPN in parallel to S2S VPN (#6907)

This is an automated email from the ASF dual-hosted git repository.

rohit pushed a commit to branch 4.17
in repository https://gitbox.apache.org/repos/asf/cloudstack.git


The following commit(s) were added to refs/heads/4.17 by this push:
     new cf32f77e3de systemvm: Fix C2S VPN in parallel to S2S VPN (#6907)
cf32f77e3de is described below

commit cf32f77e3dedfc75ea89278aacaaef89537f5d8e
Author: Daniel Augusto Veronezi Salvador <38...@users.noreply.github.com>
AuthorDate: Wed Nov 30 09:59:05 2022 -0300

    systemvm: Fix C2S VPN in parallel to S2S VPN (#6907)
    
    PR #5375, introduced in version 4.15.2.0, removed parameter %any of VPNs client-to-site (C2S) IPSec secrets:
    
    structure before PR vr: ipsec/l2tp vpn secret with no ID selectors #5375:
    <IP> %any : PSK "<PSK>"
    structure after PR vr: ipsec/l2tp vpn secret with no ID selectors #5375:
    <IP> : PSK "<PSK>"
    Because of that, when a VPN site-to-site (S2S) is created in parallel to a VPN C2S in the same network, the C2S will not handle any IP (%any) anymore and, as the network is being tunneled to the other VPN, the connection will be handled by the final peer. This way, when a VPN S2S is created in parallel to a VPN C2S in the same network, it is only possible to connect to the C2S with the S2S PSK.
    
    As ACS is only able to implement a single C2S per network (ACS allows setting more than one IP of the network as VPN, however, only the first will be implemented) and every S2S has its own secret file, the secrets structure of C2S was changed to contain only the PSK:
    
    : PSK "<PSK>"
    By doing that, StrongSwan will handle correctly C2S connections from any IP and still will use the correct PSK for S2S.
    
    Co-authored-by: GutoVeronezi <da...@scclouds.com.br>
---
 systemvm/debian/opt/cloud/bin/configure.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/systemvm/debian/opt/cloud/bin/configure.py b/systemvm/debian/opt/cloud/bin/configure.py
index 67e575bfb7a..ce5a4b20fb5 100755
--- a/systemvm/debian/opt/cloud/bin/configure.py
+++ b/systemvm/debian/opt/cloud/bin/configure.py
@@ -999,7 +999,7 @@ class CsRemoteAccessVpn(CsDataBag):
 
         secret = CsFile(vpnsecretfilte)
         secret.empty()
-        secret.addeq("%s : PSK \"%s\"" % (left, psk))
+        secret.addeq(": PSK \"%s\"" % (psk))
         secret.commit()
 
         xl2tpdconf = CsFile(xl2tpdconffile)
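Review bot: the new `: PSK "<PSK>"` entry has no ID selectors at all, so it is a catch-all secret; correctness now depends on the S2S secret files (which the commit message says carry their own, more specific entries) being preferred by strongSwan over this one, and that assumption deserves a comment next to `secret.addeq(...)` so nobody later "restores" the `left` selector and reintroduces the bug. With `left` dropped from this format string, check whether it is still used elsewhere in the method, otherwise it is now dead code. Minor style: `% (psk)` is not a tuple, write `% psk` or `% (psk,)`, and the `vpnsecretfilte` spelling in the context line above is worth correcting while touching this block.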