vpnaas ike policy is not allowed to be updated

Bug #1868515 reported by Jie Li
This bug affects 1 person
Affects | Status    | Importance | Assigned to | Milestone
neutron | Confirmed | Low        | Unassigned  |

Bug Description

If an IKE policy is used by an ipsecsiteconnection, we can't update any field of the IKE policy.

command:
openstack vpn ike policy set cd0e7658-a941-4125-b285-22da2e06bf72 --description='new-des'

response:
Failed to set IKE policy 'cd0e7658-a941-4125-b285-22da2e06bf72': IKEPolicy cd0e7658-a941-4125-b285-22da2e06bf72 is in use by existing IPsecSiteConnection and can't be updated or deleted

Is this restriction necessary?

Tags: vpnaas
Dongcan Ye (hellochosen) wrote :

IMO, updating ike_policy or ipsec_policy would affect the established IPsecSiteConnection more or less, though updating the description does no harm.

Hongbin Lu (hongbin.lu)
Changed in neutron:
importance: Undecided → Low
status: New → Confirmed
Jie Li (neoareslinux) wrote :

Hi @Dongcan Ye,
Except for the description, if other fields are updated, will the IPsecSiteConnection be recreated? Will the network traffic be blocked?

Dongcan Ye (hellochosen) wrote :

@Jie Li, I think not, if you perform no further operations. But the updated field will be synced by the l3-agent if you restart the l3-agent service, or for other reasons. This will make the two IPsec site connections fail (for example, site A uses an updated 3DES encryption while site B uses AES-128).
So I would suggest not updating the IKE or IPsec policy for an established IPsecSiteConnection.

But I'm keeping an open attitude; could you land a patch for this? Let's see other reviewers' opinions.
Thanks.
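
Added example, not part of the bug thread and not neutron-vpnaas code: a sketch of the distinction discussed above, where a description-only change to an in-use IKE policy is accepted while a change to a tunnel-affecting field is refused, plus a check that shows the site A / site B mismatch. The function names, the split of fields into the two sets, and the sample policy are assumptions made for illustration.

```python
# Illustration only; names and the field split are assumptions, not project code.
COSMETIC_FIELDS = {"name", "description"}           # labels only
MUST_MATCH_FIELDS = {"auth_algorithm", "encryption_algorithm", "ike_version",
                     "phase1_negotiation_mode", "pfs"}  # peers must agree on these
TUNNEL_FIELDS = MUST_MATCH_FIELDS | {"lifetime"}    # affect negotiation or rekeying


class PolicyInUse(Exception):
    """A tunnel-affecting field of an in-use policy was about to change."""


def check_update(current, changes, in_use):
    """Return the set of fields that really change, or raise if not permitted."""
    unknown = set(changes) - COSMETIC_FIELDS - TUNNEL_FIELDS
    if unknown:
        raise ValueError("unknown fields: %s" % sorted(unknown))
    # A request that repeats the stored value is not a change.
    changed = {k for k, v in changes.items() if current.get(k) != v}
    blocked = changed & TUNNEL_FIELDS
    if in_use and blocked:
        raise PolicyInUse("in use; cannot change %s" % sorted(blocked))
    return changed


def proposal_mismatch(site_a, site_b):
    """Map each must-match field on which the two peers disagree to both values."""
    return {f: (site_a.get(f), site_b.get(f))
            for f in sorted(MUST_MATCH_FIELDS)
            if site_a.get(f) != site_b.get(f)}


# Constructed sample policy, shared by both sites before any update.
SAMPLE_POLICY = {"name": "ike-1", "description": "", "auth_algorithm": "sha1",
                 "encryption_algorithm": "aes-128", "ike_version": "v1",
                 "phase1_negotiation_mode": "main", "pfs": "group5",
                 "lifetime": 3600}

if __name__ == "__main__":
    print(check_update(SAMPLE_POLICY, {"description": "new-des"}, in_use=True))
    site_a = dict(SAMPLE_POLICY, encryption_algorithm="3des")  # updated on one side
    print(proposal_mismatch(site_a, SAMPLE_POLICY))
```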
