Neutron/VPNaaS/HowToInstall
Installation
Use DevStack with the following localrc (q-vpn is added to the service list). The passwords and SERVICE_TOKEN below are throwaway values for a test node only:
DEST=/opt/stack
disable_service n-net
enable_service q-svc
enable_service q-agt
enable_service q-dhcp
enable_service q-l3
enable_service q-meta
enable_service neutron
enable_service tempest
enable_service q-vpn
API_RATE_LIMIT=False
VOLUME_BACKING_FILE_SIZE=4G
FIXED_RANGE=10.1.0.0/24
FIXED_NETWORK_SIZE=256
VIRT_DRIVER=libvirt
SWIFT_REPLICAS=1
export OS_NO_CACHE=True
SCREEN_LOGDIR=/opt/stack/screen-logs
SYSLOG=True
SKIP_EXERCISES=boot_from_volume,client-env
ROOTSLEEP=0
ACTIVE_TIMEOUT=60
Q_USE_SECGROUP=True
BOOT_TIMEOUT=90
ASSOCIATE_TIMEOUT=60
ADMIN_PASSWORD=openstack
MYSQL_PASSWORD=openstack
RABBIT_PASSWORD=openstack
SERVICE_PASSWORD=openstack
SERVICE_TOKEN=tokentoken
Q_PLUGIN=openvswitch
Q_USE_DEBUG_COMMAND=True
NETWORK_GATEWAY=10.1.0.1
- Check out the test branches
Neutron : https://review.openstack.org/#/c/33148/
Neutron client : https://review.openstack.org/#/c/29811/
- Run Devstack
./stack.sh
- Install the neutron client from source (DevStack installs the packaged version of the clients, which does not have the VPNaaS commands)
cd /opt/stack/python-neutronclient
sudo python setup.py develop
Quick Test Script
http://paste.openstack.org/raw/44700/
This quick test script creates two sites, each with a router, a network and a subnet attached to the public network, and then connects the two sites via VPN.
Using Two DevStack Nodes for Testing
You can use two DevStack nodes connected by a common "public" network to test VPNaaS. The second node can be set up with the same public network as the first node, except it will use a different gateway IP (and hence router IP). In this example, we'll assume we have two DevStack nodes (East and West), each running on hardware (you can do the same thing with multiple VM guests, if desired). (Note: you can also create similar topology using two virtual routers with one devstack)
Example Topology
A dedicated physical port can be used for the "public" network connection (e.g. eth2) interconnected by a physical switch. You'll need to add the port to the OVS bridge on each DevStack node (e.g. sudo ovs-vsctl add-port br-ex eth2).
  (10.1.0.0/24 - DevStack East)
               |
           10.1.0.1
       [Quantum Router]
          172.24.4.226
               |
          172.24.4.225
         [Internet GW]
               |
         [Internet GW]
          172.24.4.232
               |
          172.24.4.233
       [Quantum Router]
           10.2.0.1
  (10.2.0.0/24 - DevStack West)
DevStack Configuration
For East you can use a stock localrc configuration, which will give you a private net of 10.1.0.0/24 and a public network of 172.24.4.0/24. To make the later CLI steps easier, name the subnets and pin the floating IP pool as follows:
PUBLIC_SUBNET_NAME=yoursubnet
PRIVATE_SUBNET_NAME=mysubnet
Q_FLOATING_ALLOCATION_POOL=start=172.24.4.225,end=172.24.4.231
For West you can add these lines to localrc to use a different local network, public GW (and implicitly router) IP:
PUBLIC_SUBNET_NAME=yoursubnet
PRIVATE_SUBNET_NAME=mysubnet
FIXED_RANGE=10.2.0.0/24
NETWORK_GATEWAY=10.2.0.1
PUBLIC_NETWORK_GATEWAY=172.24.4.232
Q_FLOATING_ALLOCATION_POOL=start=172.24.4.233,end=172.24.4.238
VPNaaS Configuration
With DevStack running on East and West and connectivity confirmed (make sure you can ping one router's external IP and the other node's public gateway from the other side), run the following VPNaaS CLI commands. Note that each side's --peer-address/--peer-id is the other side's router external IP and --peer-cidr is the other side's private subnet; a mismatch in either is the most common reason a connection never leaves PENDING_CREATE.
On East
neutron vpn-ikepolicy-create ikepolicy1
neutron vpn-ipsecpolicy-create ipsecpolicy1
neutron vpn-service-create --name myvpn --description "My vpn service" router1 mysubnet
neutron ipsec-site-connection-create --name vpnconnection1 --vpnservice-id myvpn --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address 172.24.4.233 --peer-id 172.24.4.233 --peer-cidr 10.2.0.0/24 --psk secret
On West
neutron vpn-ikepolicy-create ikepolicy1
neutron vpn-ipsecpolicy-create ipsecpolicy1
neutron vpn-service-create --name myvpn --description "My vpn service" router1 mysubnet
neutron ipsec-site-connection-create --name vpnconnection1 --vpnservice-id myvpn --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address 172.24.4.226 --peer-id 172.24.4.226 --peer-cidr 10.1.0.0/24 --psk secret
Note: the PSK must be identical on both sides; "secret" is a placeholder for a test lab only, and for anything else use a long random value (the PSK is the only thing authenticating the peers here). Also make sure the security groups on each side allow the traffic you intend to test (e.g. ICMP from the remote VPN subnet: 10.2.0.0/24 on East, 10.1.0.0/24 on West); the tunnel delivers the packets, but instance security groups still filter them.
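The following is an added example, not a script from the wiki page or the VPNaaS project. It drives the East/West procedure above from one shared site table so the two ipsec-site-connection-create calls are guaranteed to mirror each other, generates a random PSK instead of "secret", and polls the connection until it is ACTIVE instead of assuming it came up. It assumes the neutron client with the vpn-*/ipsec-site-connection-* commands is on PATH and the node's credentials have been sourced; the EAST_*/WEST_* variables, gen_psk, vpn_cmds and wait_active are this script's own names, while the resource names (myvpn, ikepolicy1, router1, mysubnet) and addresses follow the page.

```shell
#!/bin/sh
# Added example (not from the wiki page): mirrored VPNaaS site setup for the
# East/West DevStack topology described above.
set -eu

# Site table: router external IP and private CIDR of each side (from the page).
EAST_PUBLIC=172.24.4.226; EAST_CIDR=10.1.0.0/24
WEST_PUBLIC=172.24.4.233; WEST_CIDR=10.2.0.0/24

# gen_psk: a random pre-shared key. Generate it once and use the same value on
# both nodes; the page's "secret" is a placeholder, not a usable key.
gen_psk() {
  head -c 48 /dev/urandom | base64 | tr -d '\n=/+'
}

# vpn_cmds SIDE PSK: print the command sequence for SIDE (east|west). Peer
# address/id and peer CIDR are taken from the *other* side, so the two
# connections cannot drift apart the way hand-typed copies do.
vpn_cmds() {
  side=$1; psk=$2
  case $side in
    east) peer_pub=$WEST_PUBLIC; peer_cidr=$WEST_CIDR ;;
    west) peer_pub=$EAST_PUBLIC; peer_cidr=$EAST_CIDR ;;
    *) echo "unknown side: $side (expected east|west)" >&2; return 1 ;;
  esac
  printf '%s\n' \
    "neutron vpn-ikepolicy-create ikepolicy1" \
    "neutron vpn-ipsecpolicy-create ipsecpolicy1" \
    "neutron vpn-service-create --name myvpn --description \"My vpn service\" router1 mysubnet" \
    "neutron ipsec-site-connection-create --name vpnconnection1 --vpnservice-id myvpn --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address $peer_pub --peer-id $peer_pub --peer-cidr $peer_cidr --psk $psk"
}

# wait_active NAME [TIMEOUT]: poll the connection's status column from the
# table output of ipsec-site-connection-show until it reads ACTIVE.
wait_active() {
  name=$1; timeout=${2:-120}; status=""; i=0
  while [ "$i" -lt "$timeout" ]; do
    status=$(neutron ipsec-site-connection-show "$name" 2>/dev/null \
      | awk -F'|' '$2 ~ /^ *status *$/ { gsub(/ /, "", $3); print $3 }' || true)
    [ "$status" = ACTIVE ] && return 0
    sleep 5; i=$((i + 5))
  done
  echo "$name not ACTIVE after ${timeout}s (last status: ${status:-unknown})" >&2
  return 1
}

# Usage: PSK=$(gen_psk) on one node and copy the value to the other, then
#   vpn_cmds east "$PSK" | sh      # on East (west on West)
#   wait_active vpnconnection1
```

The commands are printed rather than executed directly so they can be reviewed (or saved) before being piped to sh; wait_active parses the CLI's table output by column name rather than position, which survives the client reordering its fields.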
Verification
You can spin up VMs on each node and then, from a VM, ping a VM (or the router's private interface) on the far side. With tcpdump running on the public-side port of one of the nodes, the pings appear as encrypted ESP packets (IP protocol 50), with the IKE negotiation visible as UDP port 500 (and 4500 when NAT traversal is in use). Note that BOOTP, IGMP and the keepalive packets between the two nodes are not encrypted, nor are pings between the two external IP addresses, because only traffic between the two private subnets matches the tunnel's selectors. The connection status can also be checked with neutron ipsec-site-connection-show vpnconnection1, which should report ACTIVE on both sides.
Horizon Support
- Check out the test branch
Horizon: https://review.openstack.org/#/c/34882/
- Enable the VPN section in Horizon by editing
/opt/stack/horizon/openstack_dashboard/local/local_settings.py
and replacing
OPENSTACK_NEUTRON_NETWORK = {
    'enable_vpn': False,
}
with
OPENSTACK_NEUTRON_NETWORK = {
    'enable_vpn': True,
}
- Restart Apache so Horizon picks up the change
- Test user scenarios
https://wiki.openstack.org/wiki/Neutron/VPNaaS/UI
OpenSwan Support
Neutron patch : https://review.openstack.org/#/c/42264/
Devstack patch: https://review.openstack.org/#/c/42264/
Add this line to localrc so DevStack installs OpenSwan as the IPsec implementation:
IPSEC_PACKAGE=openswan
Make sure strongSwan is not installed on the same node: both packages provide the ipsec command and configuration paths, and the VPN agent will not work reliably with both present.