Added destination and source definition. Flag -S can be used
to ignore this. It's the new default as it is more secure
and does not impact the way things work (backwords compatible).
(cherry picked from commit ef3b4bb4e3)
If connecting the VPN takes some time, for example because
the other end is not (yet) up, CloudStack will delete
the VPN because the ipsectunnel.sh does not return in time.
The VPN connection then enters the Error state.
This change makes sure ipsectunnel.sh returns in time,
and lets ipsec connect in the background. If it all fails,
the connection enters Disconnected.
(cherry picked from commit 7f33f7c396)
Changed default to no, as the other side may not be up yet.
If this check fails, the VPN enters Error state and will not
work. It's safe to just let it connect on its own so it will
connect when it can.
(cherry picked from commit f8d718e3e3)
Changed 'auto=add' to 'auto=start' to make sure the tunnel starts.
When both sides are there they will connect. This resolves the
issue that there is only a small time frame in which the VPN
would connect.
(cherry picked from commit b95addd3ef)
Biglock breaks creating VPN's when other scripts run at the
same time that also use the same biglock. These other scripts
do nothing that could harm our deployment and even multiple
vpn's can safely be created simultaniously.
(cherry picked from commit 8b412ce194)
The booting sequence result in change of IPv6 related sysctl options was
overrided by sysctl.conf which is loaded later.
So this patch would patch sysctl.conf in VR as well, ensure IPv6 would be
enabled during booting period otherwise the network setup may not work, result
in IPv6 VM deployment failure.
The old way would disconnect all the existing connections through haproxy when
reload the config.
This new way would ensure that all the existing connections would still alive
after reload the config.
Just prefer TLS over SSL in apache configuration in systemvm
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
(cherry picked from commit 88acc9bd53)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
OSX always declaims it's behind NAT no matter it's true or not, thus result in
confusion of openswan.
Add parameter "forceencaps=yes" to openswan to make sure non NAT VPN connection
from OSX can pass through.
This fix is to correct the JP keyboard mapping for VMs with windows and centOS GUI
and CLI OS on VMware hypervisor. Also fixed some known issues on centOS CLI on XS
hypervisor. Fix is not causing any regression.
Sometime in VR ntpd would move time backward to keep sync with NTP server, which
can result in false alarm of keepalived monitering process.
This patch adds 3 strikes for keepalived process dead detection to avoid falsely
shutdown keepalived process due to time adjustment for only once.
Made changes so that uploading custom certificate works for ssvm.
1. Reboot ssvm only when private key is passed meaning the server cert is passed. This is because while uploading the server cert is the last to be uploaded. And we want to propagate the entire chain once uploading is done.
2. Change the SecStorageSetupCommand sent to ssvm so that it also carries the root cert apart from having the chain and the server cert and key.
3. Change ssvm agent code to be able to configure root cert to the java key store.
4. Change ssvm configure ssl script to insert the chain certs correctly.
5. Fix order of chain certificates for apache webserver in SSVM
6. Remove double encoding and decoding for uploadCustomCertificate API from UI and server code respectively, so that API call without UI works fine
7. Java 1.7 - disable using SNI since copyTemplate doesnt work for SSL.
Remi Bergsma
Sheng Yang
David Bierce
Joris van Lieshout
Rohit Yadav
Sanjay Tripathi
Saksham Srivastava
David Nalley
Frank Zhang
Daan Hoogland
Bharat Kumar
Jayapal
Fred Clift
Wido den Hollander
Hugo Trippaers
Saurav Lahiri
Nitin Mehta