diff --git a/vmware_nsx/services/vpnaas/nsxv3/ipsec_driver.py b/vmware_nsx/services/vpnaas/nsxv3/ipsec_driver.py
index 2c46d71bbf..a21a8a3eeb 100644
--- a/vmware_nsx/services/vpnaas/nsxv3/ipsec_driver.py
+++ b/vmware_nsx/services/vpnaas/nsxv3/ipsec_driver.py
@@ -186,7 +186,6 @@ class NSXv3IPsecVpnDriver(service_drivers.VpnDriver):
ike_version=ipsec_utils.IKE_VERSION_MAP[
ikepolicy['ike_version']],
dh_group=ipsec_utils.PFS_MAP[ikepolicy['pfs']],
- pfs=True,
sa_life_time=ikepolicy['lifetime']['value'],
tags=self._nsx_tags(context, connection))
except nsx_lib_exc.ManagerError as e:
@@ -593,7 +592,7 @@ class NSXv3IPsecVpnDriver(service_drivers.VpnDriver):
# Note(asarfaty) we expect only a small number of services
services = self._nsx_vpn.service.list()['results']
for srv in services:
- if srv['logical_router_id']['target_id'] == tier0_uuid:
+ if srv['logical_router_id'] == tier0_uuid:
# if it exists but disabled: issue an error
if not srv.get('enabled', True):
msg = _("NSX vpn service %s must be enabled") % srv['id']
diff --git a/vmware_nsx/services/vpnaas/nsxv3/ipsec_utils.py b/vmware_nsx/services/vpnaas/nsxv3/ipsec_utils.py
index 7d89c994b8..4ed12b42ee 100644
--- a/vmware_nsx/services/vpnaas/nsxv3/ipsec_utils.py
+++ b/vmware_nsx/services/vpnaas/nsxv3/ipsec_utils.py
@@ -26,8 +26,6 @@ AUTH_ALGORITHM_MAP = {
}

PFS_MAP = {
- 'group2': vpn_ipsec.DHGroupTypes.DH_GROUP_2,
- 'group5': vpn_ipsec.DHGroupTypes.DH_GROUP_5,
'group14': vpn_ipsec.DHGroupTypes.DH_GROUP_14
}

diff --git a/vmware_nsx/services/vpnaas/nsxv3/ipsec_validator.py b/vmware_nsx/services/vpnaas/nsxv3/ipsec_validator.py
index d9fe3ad038..7d0640d308 100644
--- a/vmware_nsx/services/vpnaas/nsxv3/ipsec_validator.py
+++ b/vmware_nsx/services/vpnaas/nsxv3/ipsec_validator.py
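Review bot: With `group2` and `group5` dropped from `ipsec_utils.PFS_MAP` in this same commit, the `dh_group=ipsec_utils.PFS_MAP[ikepolicy['pfs']]` lookup kept in this hunk raises `KeyError` for any IKE policy that still carries one of those values (for example one stored before the upgrade), and the `except nsx_lib_exc.ManagerError` clause below it does not catch that. If the validator is meant to be the only guard, a comment saying so here would help; otherwise `ipsec_utils.PFS_MAP.get(ikepolicy['pfs'])` followed by an explicit validation error is the safer shape. Removing `pfs=True` also leaves nothing in this call that enables perfect forward secrecy, so if PFS is now configured on a different profile, a comment such as `# PFS is enabled elsewhere; this profile only carries the DH group` would document that (to be confirmed against the profile that sets it). The enclosing function starts and ends outside the hunk.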
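Review bot: The new comparison `srv['logical_router_id'] == tier0_uuid` assumes the NSX API now returns `logical_router_id` as a plain id string; against a backend that still returns the reference-dict form the removed line handled, the comparison is silently false for every service, so an existing service for this router would no longer be recognized and the disabled-service error just below could never fire. If both API shapes must be supported by this driver, normalize before comparing: `rid = srv['logical_router_id']`, `rid = rid.get('target_id') if isinstance(rid, dict) else rid`, `if rid == tier0_uuid:`. If only the new shape is supported, a one-line comment naming the NSX version that changed the field would spare the next reader the archaeology. The enclosing function starts and ends outside the hunk.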
@@ -71,14 +71,18 @@ class IPsecV3Validator(vpn_validator.VpnReferenceValidator):
'val': lifetime, 'pol': policy_type}
raise nsx_exc.NsxVpnValidationError(details=msg)
value = lifetime.get('value')
- if (value and (value < vpn_ipsec.SALifetimeLimits.SA_LIFETIME_MIN or
- value > vpn_ipsec.SALifetimeLimits.SA_LIFETIME_MAX)):
+ if policy_type == 'IKE':
+ limits = vpn_ipsec.IkeSALifetimeLimits
+ else:
+ limits = vpn_ipsec.IPsecSALifetimeLimits
+ if (value and (value < limits.SA_LIFETIME_MIN or
+ value > limits.SA_LIFETIME_MAX)):
msg = _("Unsupported policy lifetime %(value)s in %(pol)s policy. "
"Value range is [%(min)s-%(max)s].") % {
'value': value,
'pol': policy_type,
- 'min': vpn_ipsec.SALifetimeLimits.SA_LIFETIME_MIN,
- 'max': vpn_ipsec.SALifetimeLimits.SA_LIFETIME_MAX}
+ 'min': limits.SA_LIFETIME_MIN,
+ 'max': limits.SA_LIFETIME_MAX}
raise nsx_exc.NsxVpnValidationError(details=msg)

def _validate_policy_auth_algorithm(self, policy_info, policy_type):
diff --git a/vmware_nsx/tests/unit/services/vpnaas/test_nsxv3_vpnaas.py b/vmware_nsx/tests/unit/services/vpnaas/test_nsxv3_vpnaas.py
index 6bb9aa55bf..bc3ab7a6be 100644
--- a/vmware_nsx/tests/unit/services/vpnaas/test_nsxv3_vpnaas.py
+++ b/vmware_nsx/tests/unit/services/vpnaas/test_nsxv3_vpnaas.py
@@ -54,7 +54,7 @@ class TestDriverValidation(base.BaseTestCase):
self.validator.validate_ipsec_policy)

def _test_lifetime_seconds_values_at_limits(self, validation_func):
- policy_info = {'lifetime': {'units': 'seconds', 'value': 90}}
+ policy_info = {'lifetime': {'units': 'seconds', 'value': 21600}}
validation_func(self.context, policy_info)
policy_info = {'lifetime': {'units': 'seconds', 'value': 86400}}
validation_func(self.context, policy_info)
@@ -128,7 +128,7 @@ class TestDriverValidation(base.BaseTestCase):
validation_func,
self.context,
policy_info)
- policy_info = {'pfs': 'group5'}
+ policy_info = {'pfs': 'group14'}
validation_func(self.context, policy_info)

def test_ipsec_pfs(self):
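Review bot: The new branch `if policy_type == 'IKE':` falls through to `vpn_ipsec.IPsecSALifetimeLimits` for every other value of `policy_type`, so a caller passing a differently cased or misspelled label would silently validate an IKE lifetime against the IPsec range instead of failing; comparing against a shared constant, or raising when `policy_type` is neither expected label, makes the mapping explicit. The rewritten `if (value and (value < limits.SA_LIFETIME_MIN or` line also skips the range check entirely when `value` is `0`, which is below any positive minimum; if the Neutron API does not already reject `0`, use `value is not None and (...)` so the error is raised here. The enclosing method starts outside the hunk.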
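Review bot: `_test_lifetime_seconds_values_at_limits` is shared by the IKE and IPsec policy tests (the hunk's first context line shows `validate_ipsec_policy` using it), so now that the validator picks limits per policy type, the values `21600` and `86400` must be valid under both `IkeSALifetimeLimits` and `IPsecSALifetimeLimits`, and the test no longer pins either type's own boundary. Pass the expected minimum and maximum into the helper per policy type and add a just-below-minimum case for each, so the new per-type branch is actually exercised; as written, swapping the two limit classes in the validator would most likely still pass. The helper's body may continue past the hunk.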
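Review bot: The success case changes from `group5` to `group14`, but nothing in this hunk asserts that `group2` and `group5`, removed from `PFS_MAP` in this commit, are now rejected, so the stricter DH-group policy has no regression test. Add a failing case before the success one, e.g. `policy_info = {'pfs': 'group5'}` followed by the same assertion call whose arguments `validation_func, self.context, policy_info` are the hunk's first context lines. The test method starts outside the hunk.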
@@ -243,7 +243,7 @@ class TestDriverValidation(base.BaseTestCase):

self._test_conn_validation(conn_params=params, success=False)
params = {'dpd': {'action': 'hold',
- 'timeout': 5}}
+ 'timeout': 2}}
self._test_conn_validation(conn_params=params, success=False)

def test_check_unique_addresses(self):
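Review bot: Lowering the rejected DPD timeout from `5` to `2` implies the validator's minimum was lowered as well, but the hunk only pins a value that fails; without a success case at the new minimum, a later change that rejects every timeout would still pass this test. Add a positive case right after it, `params = {'dpd': {'action': 'hold', 'timeout': ...}}` with the minimum the validator now enforces and `success=True`. The test method starts outside the hunk.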