Neutron/VPNaaS/HowToInstall
Installation
- apt-get install strongswan
- Replace binary quantum-l3-agent with quantum-vpn-agent
Note: a work-in-progress DevStack with VPNaaS support is under review at https://review.openstack.org/#/c/32174/ (WIP). To use it:
git clone https://github.com/openstack-dev/devstack.git
cd devstack
git review -d 32174
Set localrc ( q-vpn is added)
DEST=/opt/stack
disable_service n-net
enable_service q-svc
enable_service q-agt
enable_service q-dhcp
enable_service q-l3
enable_service q-meta
enable_service quantum
enable_service tempest
enable_service q-vpn
API_RATE_LIMIT=False
VOLUME_BACKING_FILE_SIZE=4G
FIXED_RANGE=10.1.0.0/24
FIXED_NETWORK_SIZE=256
VIRT_DRIVER=libvirt
SWIFT_REPLICAS=1
export OS_NO_CACHE=True
SCREEN_LOGDIR=/opt/stack/screen-logs
SYSLOG=True
SKIP_EXERCISES=boot_from_volume,client-env
ROOTSLEEP=0
ACTIVE_TIMEOUT=60
Q_USE_SECGROUP=True
BOOT_TIMEOUT=90
ASSOCIATE_TIMEOUT=60
ADMIN_PASSWORD=openstack
MYSQL_PASSWORD=openstack
RABBIT_PASSWORD=openstack
SERVICE_PASSWORD=openstack
SERVICE_TOKEN=tokentoken
Q_PLUGIN=openvswitch
Q_USE_DEBUG_COMMAND=True
NETWORK_GATEWAY=10.1.0.1
- Checkout Test branches
Quantum : https://review.openstack.org/#/c/33148/
Quantum client : https://review.openstack.org/#/c/29811/
- Run Devstack
./stack.sh
- Install the quantum client code from the checked-out branch (devstack installs the packaged version of the clients)
cd /opt/stack/python-quantumclient
sudo python setup.py develop
CLI Walkthrough
Test Setup
 (10.1.0.0/24)
       |
       | 10.1.0.1
 [Quantum Router]
       | 172.24.4.226
       |
       | 172.24.4.225
 [ Internet GW ]
       | 172.0.0.1
   (Internet)
       |
       | 172.0.0.2
 [ Remote GW ]
       | 20.1.0.1
 (20.1.0.0/24)
Setup VPN Connection
# Use subnet_id
SUBNET_ID=`quantum net-show private | awk '/subnets/{print $4}'`
# Create VPN Service
quantum vpn-service-create --name vpn1 --router_id router1 --subnet_id $SUBNET_ID
# List VPN Service
quantum vpn-service-list
# Show VPN Service
quantum vpn-service-show vpn1
# Create IKE policy
quantum vpn-ikepolicy-create --name ikepolicy1
# List IKE policy
quantum vpn-ikepolicy-list
# Show IKE policy
quantum vpn-ikepolicy-show ikepolicy1
# Create IPSec policy
quantum vpn-ipsecpolicy-create --name ipsecpolicy1
# Show IPSec policy
quantum vpn-ipsecpolicy-show ipsecpolicy1
# Create VPN Connection. "secret" is a throwaway PSK for this lab only; for anything
# beyond a disposable DevStack use a long random PSK and keep it out of shell history.
quantum vpn-connection-create --name vpnconnection1 --vpnservice-id vpn1 --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer_address 172.0.0.2 --peer_id 172.0.0.2 --peer_cidrs list=true 20.1.0.0/24 --psk secret
# List VPN Connection
quantum vpn-connection-list
# Show VPN Connection
quantum vpn-connection-show vpnconnection1
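Added example, not part of this wiki page or of the Neutron/VPNaaS code: a script that runs the walkthrough above and then waits for the connection to actually reach ACTIVE instead of assuming it, parsing the "| Field | Value |" table that the quantum CLI prints. The script name vpn-setup.sh, the VPN_PSK environment variable and the status names PENDING_*/ACTIVE/ERROR are assumptions; the sample table in the usage is constructed.

```bash
#!/bin/sh
# Added example (not from the wiki page or the Neutron project). Assumes the WIP
# "quantum" CLI shown on this page and its prettytable "| Field | Value |" output.
set -u

# Extract one field from the table printed by "quantum <resource>-show".
# Usage: table_field "<table text>" <field name>   (prints nothing if absent)
table_field() {
    printf '%s\n' "$1" | awk -F'|' -v want="$2" '
        NF >= 4 {
            key = $2; val = $3
            gsub(/^ +| +$/, "", key); gsub(/^ +| +$/, "", val)
            if (key == want) { print val; exit }
        }'
}

# Map a connection status to 0 (ACTIVE), 1 (still pending) or 2 (failed).
# Status names are assumed from Neutron's PENDING_CREATE / ACTIVE / DOWN / ERROR.
classify_status() {
    case "$1" in
        ACTIVE)        return 0 ;;
        PENDING_*|"")  return 1 ;;
        *)             return 2 ;;
    esac
}

# Poll "quantum vpn-connection-show <name>" every 5s until ACTIVE, a failure
# status, or the timeout (seconds, default 120). Needs a DevStack host.
wait_for_connection() {
    name="$1"; timeout="${2:-120}"; waited=0
    while :; do
        status=$(table_field "$(quantum vpn-connection-show "$name")" status)
        classify_status "$status" && rc=0 || rc=$?
        case "$rc" in
            0) echo "$name is ACTIVE"; return 0 ;;
            2) echo "$name failed, status=$status" >&2; return 1 ;;
        esac
        if [ "$waited" -ge "$timeout" ]; then
            echo "timed out after ${timeout}s waiting for $name (status=$status)" >&2
            return 1
        fi
        sleep 5
        waited=$((waited + 5))
    done
}

# Run the walkthrough end to end when invoked as "./vpn-setup.sh --setup".
# The PSK is taken from the VPN_PSK environment variable instead of the page's
# literal "secret"; the CLI on this page still takes it as a --psk argument, so
# it is visible to other local users via ps while the command runs.
if [ "${1:-}" = "--setup" ]; then
    SUBNET_ID=$(quantum net-show private | awk '/subnets/{print $4}')
    quantum vpn-ikepolicy-create --name ikepolicy1
    quantum vpn-ipsecpolicy-create --name ipsecpolicy1
    quantum vpn-service-create --name vpn1 --router_id router1 --subnet_id "$SUBNET_ID"
    quantum vpn-connection-create --name vpnconnection1 --vpnservice-id vpn1 \
        --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 \
        --peer_address 172.0.0.2 --peer_id 172.0.0.2 \
        --peer_cidrs list=true 20.1.0.0/24 \
        --psk "${VPN_PSK:?set VPN_PSK to a long random pre-shared key}"
    wait_for_connection vpnconnection1 120
fi
```

Run it as VPN_PSK="$(openssl rand -base64 32)" ./vpn-setup.sh --setup on the DevStack host; the same PSK then has to go into the remote site's ipsec.secrets. Without --setup the script only defines the functions, so table_field and classify_status can be reused from other scripts.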
Test Connection
Create the remote site in a network namespace. tap_remote stays in the root namespace as the "Internet" side (172.0.0.1); tap_remote_peer moves into remote_site and carries both the remote gateway's outside address (172.0.0.2) and its inside address (20.1.0.1):
sudo ip netns add remote_site
sudo ip link add tap_remote type veth peer name tap_remote_peer
sudo ip link set tap_remote_peer netns remote_site
sudo ip addr add 172.0.0.1/24 dev tap_remote
sudo ip link set tap_remote up
sudo ip netns exec remote_site ip addr add 172.0.0.2/24 dev tap_remote_peer
sudo ip netns exec remote_site ip addr add 20.1.0.1/24 dev tap_remote_peer
sudo ip netns exec remote_site ip link set tap_remote_peer up
sudo ip netns exec remote_site ip link set lo up
sudo ip netns exec remote_site ip route add default via 172.0.0.1
# SNAT the remote private subnet to the gateway address ...
sudo ip netns exec remote_site iptables -t nat -A POSTROUTING -s 20.1.0.0/24 -j SNAT --to-source 172.0.0.2
# ... but insert an exemption ahead of it so packets that will be IPsec-protected keep their
# 20.1.0.0/24 source address; if they were SNATed first they would no longer match the
# tunnel's traffic selector (20.1.0.0/24 <-> 10.1.0.0/24) and would leave in the clear.
sudo ip netns exec remote_site iptables -t nat -I POSTROUTING 1 -m policy --dir out --pol ipsec -j ACCEPT
Create a remote_site directory and set up the strongSwan config in it:
remote_site/etc/ipsec.conf
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    authby=secret
    keyexchange=ikev1
    mobike=no

conn test_conn
    left=172.0.0.2
    leftid=172.0.0.2
    leftsubnet=20.1.0.0/24
    right=172.24.4.226
    rightid=172.24.4.226
    rightsubnet=10.1.0.0/24
    auto=add
    dpdaction=hold
    dpddelay=30s
    dpdtimeout=120s
    authby=psk
    keyexchange=ikev1
    ike=aes128-sha1-modp1536
    ikelifetime=3600
    auth=esp
    esp=aes128-sha1-modp1536!
    type=tunnel
    lifetime=3600s
remote_site/etc/ipsec.secrets
172.0.0.2 172.24.4.226 : PSK "secret"
Start the ipsec daemon inside the namespace and bring the connection up:
sudo quantum-vpn-nswrap `pwd` ipsec start
sudo quantum-vpn-nswrap `pwd` ipsec up test_conn
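Added example, not part of this wiki page or of the strongSwan/Neutron code: a script that renders the remote site's ipsec.conf and ipsec.secrets from the same four parameters used on the Neutron side (the Neutron connection's peer_address/peer_id/peer_cidrs become left/leftid/leftsubnet here, and the router's external IP and service subnet become right/rightsubnet), so the two ends cannot drift apart, and that reads the PSK from a file and writes ipsec.secrets owner-readable only. The function names, the psk file and the key value in the usage are assumptions; the cipher and lifetime settings are the ones from the ipsec.conf above.

```bash
#!/bin/sh
# Added example (not from the wiki page, strongSwan or Neutron).
set -u

# Print an ipsec.conf for the remote site.
# Usage: render_ipsec_conf <local_ip> <local_subnet> <peer_ip> <peer_subnet>
# Parameters mirror "quantum vpn-connection-create": local_ip/local_subnet are the
# Neutron side's peer_address (= peer_id) and peer_cidrs; peer_ip/peer_subnet are the
# Neutron router's external IP and the VPN service's subnet.
render_ipsec_conf() {
    local_ip="$1"; local_subnet="$2"; peer_ip="$3"; peer_subnet="$4"
    cat <<EOF
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    authby=secret
    keyexchange=ikev1
    mobike=no

conn test_conn
    left=$local_ip
    leftid=$local_ip
    leftsubnet=$local_subnet
    right=$peer_ip
    rightid=$peer_ip
    rightsubnet=$peer_subnet
    auto=add
    dpdaction=hold
    dpddelay=30s
    dpdtimeout=120s
    authby=psk
    keyexchange=ikev1
    ike=aes128-sha1-modp1536
    ikelifetime=3600
    auth=esp
    esp=aes128-sha1-modp1536!
    type=tunnel
    lifetime=3600s
EOF
}

# Print the ipsec.secrets line. The PSK is the first line of <psk_file>; it is never
# taken as an argument, so it does not land in shell history or in "ps" output.
# Usage: render_ipsec_secrets <local_ip> <peer_ip> <psk_file>
render_ipsec_secrets() {
    local_ip="$1"; peer_ip="$2"; psk_file="$3"
    IFS= read -r psk < "$psk_file" || return 1
    [ -n "$psk" ] || { echo "empty PSK in $psk_file" >&2; return 1; }
    printf '%s %s : PSK "%s"\n' "$local_ip" "$peer_ip" "$psk"
}

# Write <dir>/etc/ipsec.conf and <dir>/etc/ipsec.secrets; the secrets file is
# created under umask 077 so it is mode 0600 from the start (strongSwan warns
# about, and attackers read, world-readable secrets).
# Usage: write_remote_site <dir> <local_ip> <local_subnet> <peer_ip> <peer_subnet> <psk_file>
write_remote_site() {
    dir="$1"; shift
    mkdir -p "$dir/etc"
    render_ipsec_conf "$1" "$2" "$3" "$4" > "$dir/etc/ipsec.conf" || return 1
    ( umask 077; render_ipsec_secrets "$1" "$3" "$5" > "$dir/etc/ipsec.secrets" )
}

# Example invocation matching this page's topology (only when run with --write):
#   openssl rand -base64 32 > ~/vpn.psk   # same value goes to "--psk" on the Neutron side
#   ./remote-site.sh --write
if [ "${1:-}" = "--write" ]; then
    write_remote_site ./remote_site 172.0.0.2 20.1.0.0/24 172.24.4.226 10.1.0.0/24 ~/vpn.psk
fi
```

After writing the files, start strongSwan exactly as on this page (sudo quantum-vpn-nswrap `pwd` ipsec start, then ipsec up test_conn). Keep the psk file and remote_site/etc/ipsec.secrets at mode 0600; the ipsec.conf itself holds no secrets and can stay readable.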
Cleanup VPN Connection
# Delete VPN Connection
quantum vpn-connection-delete vpnconnection1
# Delete VPN Service (the service created above is named vpn1)
quantum vpn-service-delete vpn1
# Delete IKE policy
quantum vpn-ikepolicy-delete ikepolicy1
# Delete IPSec policy
quantum vpn-ipsecpolicy-delete ipsecpolicy1
(Alternative) Using Two DevStack Nodes
You can also use two DevStack nodes connected by a common "public" network to test VPNaaS. The second node can be set up with the same public network as the first node, except it will use a different gateway IP (and hence router IP). In this example, we'll assume we have two DevStack nodes (East and West), each running on hardware (you can do the same thing with multiple VM guests, if desired).
Example Topology
A dedicated physical port can be used for the "public" network connection (e.g. eth2), interconnected by a physical switch. You'll need to add the port to the OVS bridge on each DevStack node, e.g.:
sudo ovs-vsctl add-port br-ex eth2
 (10.1.0.0/24 - DevStack East)
       |
       | 10.1.0.1
 [Quantum Router]
       | 172.24.4.226
       |
       | 172.24.4.225
 [Internet GW]
       |
       |
 [Internet GW]
       | 172.24.4.232
       |
       | 172.24.4.233
 [Quantum Router]
       | 10.2.0.1
 (10.2.0.0/24 - DevStack West)
DevStack Configuration
For East you can use a stock localrc configuration, which will give you a private net of 10.1.0.0/24 and public network of 172.24.4.0/24. Just to make configuration easier, you can name the subnets with:
PUBLIC_SUBNET_NAME=yoursubnet
PRIVATE_SUBNET_NAME=mysubnet
For West you can add these lines to localrc to use a different local network, public GW (and implicitly router) IP:
PUBLIC_SUBNET_NAME=yoursubnet
PRIVATE_SUBNET_NAME=mysubnet
FIXED_RANGE=10.2.0.0/24
NETWORK_GATEWAY=10.2.0.1
PUBLIC_NETWORK_GATEWAY=172.24.4.232
VPNaaS Configuration
With DevStack running on East and West and connectivity confirmed (make sure you can ping one router/GW from the other), you can perform these VPNaaS CLI commands.
On East
quantum vpn-ikepolicy-create --name ikepolicy1
quantum vpn-ipsecpolicy-create --name ipsecpolicy1
quantum vpn-service-create --name myvpn --description "My vpn service" --subnet-id mysubnet --router_id router1
quantum vpn-connection-create --name vpnconnection1 --vpnservice-id myvpn --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer_address 172.24.4.233 --peer_id 172.24.4.233 --peer_cidrs list=true 10.2.0.0/24 --psk secret
On West
quantum vpn-ikepolicy-create --name ikepolicy1
quantum vpn-ipsecpolicy-create --name ipsecpolicy1
quantum vpn-service-create --name myvpn --description "My vpn service" --subnet-id mysubnet --router_id router1
quantum vpn-connection-create --name vpnconnection1 --vpnservice-id myvpn --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer_address 172.24.4.226 --peer_id 172.24.4.226 --peer_cidrs list=true 10.1.0.0/24 --psk secret
Verification
You can spin up VMs on each node, and then from a VM ping the far end router's public IP. With tcpdump running on one of the nodes, you can see that the pings appear as encrypted packets (ESP). Note that BOOTP, IGMP, and the keepalive packets between the two nodes are not encrypted (nor are pings between the two external IP addresses). The traffic selectors created above are 10.1.0.0/24 <-> 10.2.0.0/24, so the definitive check is a ping from an East VM to an address inside West's private subnet (e.g. 10.2.0.1, the West router): it must get a reply, and on the public port it must show up only as ESP between 172.24.4.226 and 172.24.4.233. If ICMP carrying 10.1.0.x or 10.2.0.x addresses appears in the clear there, the traffic is bypassing the tunnel; check quantum vpn-connection-show on both nodes for the connection status and the peer_cidrs.