Neutron/VPNaaS/Brocade Vyatta VPNaaS Plugin

Overview:
The Brocade Vyatta VPN plugin provides a VPNaaS solution using a Brocade Vyatta vRouter VM running as a Neutron router. The plugin implements an IPSec Site-to-Site tunnel to connect tenant private networks to remote networks through the vRouter VM.

The plugin has two parts: the Vyatta VPN service-driver, which interacts with neutron-server's VPN service-plugin, and the Vyatta VPN device-driver, which is bundled with neutron-l3-agent. Both components need to be configured correctly for the VPN functionality to work.

The Vyatta VPN device-driver in the Neutron L3 agent is the component that invokes the Vyatta vRouter REST APIs for the following CRUD operations, as and when determined by the VPNaaS plugin:

1. create / delete ike policy

2. create / delete ipsec policy

3. create / delete vpn-service policy

4. create / delete ipsec-site-connection


Block Diagram
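+----------------------+                  +----------------------+
|    Neutron Server    |                  |   Neutron L3 Agent   |
|                      |                  |                      |
| +------------------+ |                  | +------------------+ |
| |       VPN        | |                  | |    VPN Agent     | |
| |  Service Plugin  | |                  | +------------------+ |
| +------------------+ |                  | |   Vyatta VPN     | |
| |   Vyatta VPN     | |       RPC        | |  Device Driver   | |
| |  Service Driver  | + <--------------> | |                  | |
| +------------------+ |                  | +--------+---------+ |
+----------------------+                  +----------+-----------+
                                                     |
                                                     | REST API
                                                     |
                                          +----------v-----------+
                                          |                      |
                                          |    Vyatta vRouter    |
                                          |                      |
                                          +----------------------+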

Configuration
1. Refer to https://wiki.openstack.org/wiki/Brocade_Vyatta_L3_Plugin for the Vyatta vRouter L3 plugin configuration.

2. Edit the Neutron configuration file /etc/neutron/neutron.conf to specify the Vyatta vRouter L3 plugin and the Vyatta VPN plugin service-driver:

service_plugins = neutron.services.l3_router.brocade.vyatta.vrouter_neutron_plugin.VyattaVRouterPlugin,neutron_vpnaas.services.vpn.plugin.VPNDriverPlugin

[service_providers]
service_provider = VPN:vyatta:neutron_vpnaas.services.vpn.service_drivers.vyatta_ipsec.VyattaIPsecDriver:default

3. Edit the /etc/neutron/vpn_agent.ini file to specify the Brocade Vyatta VPN agent device-driver:

[vpnagent]
vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.vyatta_ipsec.VyattaIPSecDriver

4. Create a launcher utility with the Vyatta VPN agent entry point, preferably in the file /usr/local/bin/vyatta-vpn-agent:

#!/usr/bin/python
# PBR Generated from u'console_scripts'
import sys

from neutron_vpnaas.cmd.eventlet.vyatta_agent import main

if __name__ == "__main__":
    # Call main() so its return value becomes the process exit status.
    sys.exit(main())

5. Restart the Vyatta VPN agent:

/usr/bin/python /usr/local/bin/vyatta-vpn-agent --config-file /etc/neutron/neutron.conf --config-file=/etc/neutron/l3_agent.ini --config-file=/etc/neutron/vpn_agent.ini --config-file /etc/neutron/fwaas_driver.ini --config-file /etc/neutron/plugins/brocade/vyatta/vrouter.ini

NOTE: Make sure neutron-l3-agent is not started. vyatta-vpn-agent includes both the traditional L3 agent and the Vyatta VPN agent functionality.
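
A check for the two halves configured in steps 2 and 3, as an added example that is not part of the original page or of the plugin's code. The function names and sample files are hypothetical, and it assumes service_plugins sits in the [DEFAULT] section of neutron.conf; the class paths are compared exactly, because the service driver (VyattaIPsecDriver) and the device driver (VyattaIPSecDriver) differ only in capitalisation.

```python
from collections import defaultdict

# Expected values are copied from the configuration steps on this page.
L3_PLUGIN = "neutron.services.l3_router.brocade.vyatta.vrouter_neutron_plugin.VyattaVRouterPlugin"
VPN_PLUGIN = "neutron_vpnaas.services.vpn.plugin.VPNDriverPlugin"
PROVIDER = "VPN:vyatta:neutron_vpnaas.services.vpn.service_drivers.vyatta_ipsec.VyattaIPsecDriver:default"
DEVICE_DRIVER = "neutron_vpnaas.services.vpn.device_drivers.vyatta_ipsec.VyattaIPSecDriver"


def parse_ini(text):
    """Parse INI text into {(section, key): [values]}, keeping repeated keys."""
    values, section = defaultdict(list), "DEFAULT"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line:
            key, _, val = line.partition("=")
            values[(section, key.strip())].append(val.strip())
    return values


def check_vyatta_vpn(neutron_conf, vpn_agent_ini):
    """Return a list of problems; empty means both halves match the page."""
    server, agent, problems = parse_ini(neutron_conf), parse_ini(vpn_agent_ini), []
    # service_plugins is a comma-separated list; the last assignment wins.
    last = server[("DEFAULT", "service_plugins")][-1:]
    plugins = [p.strip() for v in last for p in v.split(",")]
    for name in (L3_PLUGIN, VPN_PLUGIN):
        if name not in plugins:
            problems.append("neutron.conf: service_plugins lacks " + name)
    # service_provider may be repeated (one line per service), so search all.
    if PROVIDER not in server[("service_providers", "service_provider")]:
        problems.append("neutron.conf: Vyatta VPN service_provider missing")
    if DEVICE_DRIVER not in agent[("vpnagent", "vpn_device_driver")]:
        problems.append("vpn_agent.ini: vpn_device_driver is not the Vyatta driver")
    return problems


# Constructed sample files; BAD uses the service driver's "IPsec" spelling by mistake.
GOOD_NEUTRON_CONF = f"""[DEFAULT]
service_plugins = {L3_PLUGIN},{VPN_PLUGIN}
[service_providers]
service_provider = {PROVIDER}
"""
GOOD_VPN_AGENT_INI = f"[vpnagent]\nvpn_device_driver={DEVICE_DRIVER}\n"
BAD_VPN_AGENT_INI = GOOD_VPN_AGENT_INI.replace("IPSecDriver", "IPsecDriver")
```

Calling check_vyatta_vpn with the contents of /etc/neutron/neutron.conf and /etc/neutron/vpn_agent.ini before starting vyatta-vpn-agent reports which file and option to correct.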