def update_ipsec_site_connection(self, context, old_ipsec_conn,
ipsec_site_connection):
LOG.debug('Updating ipsec site connection %(site)s.',
{"site": ipsec_site_connection})
vpnservice_id = old_ipsec_conn['vpnservice_id']
ipsec_id = old_ipsec_conn['id']
edge_id = self._get_router_edge_id(context, vpnservice_id)[1]
with locking.LockManager.get_lock(edge_id):
vse_sites = self._update_site_dict(context, edge_id,
old_ipsec_conn,
ipsec_site_connection)
if not vse_sites:
self._update_status(context, vpnservice_id, ipsec_id, "ERROR")
LOG.error(
"Failed to find ipsec_site_connection "
"%(ipsec_site_conn)s with %(edge_id)s.", {
'ipsec_site_conn': ipsec_site_connection,
'edge_id': edge_id
})
raise nsxv_exc.NsxIPsecVpnMappingNotFound(conn=ipsec_id)
try:
LOG.debug('Updating ipsec vpn configuration %(vse_sites)s.',
{'vse_sites': vse_sites})
self._update_ipsec_config(edge_id, vse_sites)
except vcns_exc.VcnsApiException:
self._update_status(context, vpnservice_id, ipsec_id, "ERROR")
msg = (_("Failed to create ipsec site connection "
"configuration with %(edge_id)s.") % {
'edge_id': edge_id
})
raise nsxv_exc.NsxPluginException(err_msg=msg)
if 'peer_cidrs' in ipsec_site_connection:
# Update firewall
old_ipsec_conn['peer_cidrs'] = (
ipsec_site_connection['peer_cidrs'])
try:
self._update_firewall_rules(context, vpnservice_id)
except vcns_exc.VcnsApiException:
self._update_status(context, vpnservice_id, ipsec_id,
"ERROR")
msg = (_("Failed to update firewall rule for ipsec "
"vpn with %(edge_id)s.") % {
'edge_id': edge_id
})
raise nsxv_exc.NsxPluginException(err_msg=msg)
def update_ipsec_site_connection(self, context, old_ipsec_conn,
ipsec_site_conn):
LOG.debug('Updating ipsec site connection new %(site)s.',
{"site": ipsec_site_conn})
LOG.debug('Updating ipsec site connection old %(site)s.',
{"site": old_ipsec_conn})
# Note(asarfaty) the plugin already calls the validator
# which also validated the policies and service
ipsec_id = old_ipsec_conn['id']
vpnservice_id = old_ipsec_conn['vpnservice_id']
vpnservice = self.service_plugin._get_vpnservice(
context, vpnservice_id)
mapping = db.get_nsx_vpn_connection_mapping(context.session,
ipsec_site_conn['id'])
if not mapping:
LOG.error("Couldn't find nsx ids for VPN connection %s",
ipsec_site_conn['id'])
self._update_status(context, vpnservice_id, ipsec_id, "ERROR")
raise nsx_exc.NsxIPsecVpnMappingNotFound(conn=ipsec_id)
# check if the dpd configuration changed
old_dpd = old_ipsec_conn['dpd']
new_dpd = ipsec_site_conn['dpd']
if (old_dpd['action'] != new_dpd['action']
or old_dpd['timeout'] != new_dpd['timeout']
or old_ipsec_conn['name'] != ipsec_site_conn['name']):
self._update_dpd_profile(ipsec_site_conn,
mapping['dpd_profile_id'])
# update peer endpoint with all the parameters that could be modified
# Note(asarfaty): local endpoints are reusable and will not be updated
self._update_peer_endpoint(mapping['peer_ep_id'], ipsec_site_conn)
rules = self._get_session_rules(context, ipsec_site_conn, vpnservice)
connection_enabled = (vpnservice['admin_state_up']
and ipsec_site_conn['admin_state_up'])
self._update_session(mapping['session_id'],
ipsec_site_conn,
rules,
enabled=connection_enabled)
if ipsec_site_conn['peer_cidrs'] != old_ipsec_conn['peer_cidrs']:
# Update firewall
self._update_firewall_rules(context, vpnservice)
def delete_ipsec_site_connection(self, context, ipsec_site_conn):
LOG.debug('Deleting ipsec site connection %(site)s.',
{"site": ipsec_site_conn})
ipsec_id = ipsec_site_conn['id']
edge_id = self._get_router_edge_id(context,
ipsec_site_conn['vpnservice_id'])[1]
with locking.LockManager.get_lock(edge_id):
del_site, vse_sites = self._find_vse_site(context, edge_id,
ipsec_site_conn)
if not del_site:
LOG.error(
"Failed to find ipsec_site_connection "
"%(ipsec_site_conn)s with %(edge_id)s.", {
'ipsec_site_conn': ipsec_site_conn,
'edge_id': edge_id
})
raise nsxv_exc.NsxIPsecVpnMappingNotFound(conn=ipsec_id)
vse_sites.remove(del_site)
enabled = True if vse_sites else False
try:
self._update_ipsec_config(edge_id, vse_sites, enabled)
except vcns_exc.VcnsApiException:
msg = (_("Failed to delete ipsec site connection "
"configuration with edge_id: %(edge_id)s.") % {
'egde_id': edge_id
})
raise nsxv_exc.NsxPluginException(err_msg=msg)
try:
self._update_firewall_rules(context,
ipsec_site_conn['vpnservice_id'])
except vcns_exc.VcnsApiException:
msg = _("Failed to update firewall rule for ipsec vpn with "
"%(edge_id)s.") % {
'edge_id': edge_id
}
raise nsxv_exc.NsxPluginException(err_msg=msg)