
Difference between revisions of "Neutron/VPNaaS/HowToInstall"

(Setup VPN Connection)
(No difference)

Revision as of 15:54, 21 June 2013

Installation

  1. apt-get install strongswan
  2. replace the quantum-l3-agent binary with quantum-vpn-agent

Note: you can use the WIP devstack for VPNaaS; the devstack review is here -> https://review.openstack.org/#/c/32174/ (WIP)

   # Fetch devstack and check out the VPNaaS work-in-progress change (review 32174)
   git clone https://github.com/openstack-dev/devstack.git
   cd devstack
   # git-review pulls the change from Gerrit into a local branch
   git review -d 32174

Set localrc ( q-vpn is added)

   # localrc read by stack.sh. The only VPNaaS-specific addition is
   # "enable_service q-vpn"; everything else is a plain quantum/openvswitch devstack.
   DEST=/opt/stack
   # use quantum instead of nova-network
   disable_service n-net
   enable_service q-svc
   enable_service q-agt
   enable_service q-dhcp
   enable_service q-l3
   enable_service q-meta
   enable_service quantum
   enable_service tempest
   # the VPN agent (replaces the plain l3 agent, see Installation step 2)
   enable_service q-vpn
   API_RATE_LIMIT=False
   VOLUME_BACKING_FILE_SIZE=4G
   # tenant network used by the Test Setup diagram below (10.1.0.0/24, gateway 10.1.0.1)
   FIXED_RANGE=10.1.0.0/24
   FIXED_NETWORK_SIZE=256
   VIRT_DRIVER=libvirt
   SWIFT_REPLICAS=1
   export OS_NO_CACHE=True
   SCREEN_LOGDIR=/opt/stack/screen-logs
   SYSLOG=True
   SKIP_EXERCISES=boot_from_volume,client-env
   ROOTSLEEP=0
   ACTIVE_TIMEOUT=60
   # keep quantum security groups enabled
   Q_USE_SECGROUP=True
   BOOT_TIMEOUT=90
   ASSOCIATE_TIMEOUT=60
   # Throw-away credentials for a private dev host; they sit in clear text in this
   # file, so set your own values if the host is reachable by anyone else.
   ADMIN_PASSWORD=openstack
   MYSQL_PASSWORD=openstack
   RABBIT_PASSWORD=openstack
   SERVICE_PASSWORD=openstack
   SERVICE_TOKEN=tokentoken
   Q_PLUGIN=openvswitch
   Q_USE_DEBUG_COMMAND=True
   NETWORK_GATEWAY=10.1.0.1

Checkout Test branches

Quantum : https://review.openstack.org/#/c/33148/

Quantum client : https://review.openstack.org/#/c/29811/

Run Devstack

    # Deploy the services enabled in localrc (including q-vpn); run from the devstack checkout
    ./stack.sh

Install the quantum client code (devstack installs the packaged version of the clients)

   # Install the client from the checked-out test branch (review 29811) over the
   # packaged client that devstack installed
   cd /opt/stack/python-quantumclient
   sudo python setup.py install

CLI Walkthrough

Test Setup

      (10.1.0.0/24)
              |
              |  10.1.0.1
     [Quantum Router]
              |  172.24.4.226
              |
              |  172.24.4.225
     [ Internet GW ]
              |  172.0.0.1
              |
     (Internet) 
              |
              |  172.0.0.2
     [ Remote GW]
              |  20.1.0.1
              |
     (20.1.0.0/24) 

Setup VPN Connection

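    # Look up the subnet id of the "private" network: awk prints the 4th field
    # of the "subnets" row of `quantum net-show` (depends on the CLI table layout).
    SUBNET_ID=$(quantum net-show private | awk '/subnets/{print $4}')
    # Create VPN Service (quoted so an empty lookup fails visibly instead of
    # silently dropping the --subnet_id argument)
    quantum vpn-service-create --name vpn1 --router_id router1 --subnet_id "$SUBNET_ID"
    # List VPN Service
    quantum vpn-service-list
    # Show VPN Service
    quantum vpn-service-show vpn1
    # Create IKE policy (defaults; both peers must agree on the IKE proposal,
    # the remote side's is in remote_site/etc/ipsec.conf below)
    quantum vpn-ikepolicy-create --name ikepolicy1
    # List IKE policy
    quantum vpn-ikepolicy-list
    # Show IKE policy
    quantum vpn-ikepolicy-show ikepolicy1
    # Create IPSec policy
    quantum vpn-ipsecpolicy-create --name ipsecpolicy1
    # Show IPSec policy
    quantum vpn-ipsecpolicy-show ipsecpolicy1
    # Create VPN Connection. peer_address/peer_id are the Remote GW (172.0.0.2)
    # and peer_cidrs its subnet (20.1.0.0/24) from the Test Setup diagram.
    # The PSK is given as a command-line argument, so it ends up in shell
    # history and is visible in `ps` while the command runs; "secret" is a lab
    # value only and must equal the PSK in remote_site/etc/ipsec.secrets.
    quantum --verbose vpn-connection-create --name vpnconnection1 --vpnservice-id vpn1 --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer_address 172.0.0.2 --peer_id 172.0.0.2 --peer_cidrs list=true 20.1.0.0/24 --psk secret
    # List VPN Connection
    quantum vpn-connection-list
    # Show VPN Connection
    quantum vpn-connection-show vpnconnection1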

Test Connection

Create the remote site inside a network namespace

   # Emulate the "Internet GW" / "Remote GW" legs of the Test Setup diagram with a
   # veth pair: tap_remote stays in the host (172.0.0.1), tap_remote_peer moves into
   # the remote_site namespace (172.0.0.2 plus the remote subnet gateway 20.1.0.1).
   # 172.0.0.0/24 is not RFC1918 space; it is only reachable over this veth here.
   sudo ip netns add remote_site
   sudo ip link add tap_remote type veth peer name tap_remote_peer
   sudo ip link set tap_remote_peer netns remote_site
   sudo ip addr add 172.0.0.1/24 dev tap_remote
   sudo ip link set tap_remote up
   sudo ip netns exec remote_site ip addr add 172.0.0.2/24 dev tap_remote_peer
   sudo ip netns exec remote_site ip addr add 20.1.0.1/24 dev tap_remote_peer
   sudo ip netns exec remote_site ip link set tap_remote_peer up
   sudo ip netns exec remote_site ip link set lo up
   sudo ip netns exec remote_site ip route add default via 172.0.0.1
   # SNAT the remote subnet behind the Remote GW address for ordinary traffic...
   sudo ip netns exec remote_site iptables -t nat -A POSTROUTING -s 20.1.0.0/24 -j SNAT --to-source 172.0.0.2
   # ...but insert an ACCEPT at position 1, evaluated before the SNAT rule, for
   # packets that match an outbound IPsec policy, so traffic bound for the tunnel
   # keeps its 20.1.0.0/24 source and matches leftsubnet in ipsec.conf.
   sudo ip netns exec remote_site iptables -t nat -I POSTROUTING 1 -m policy --dir out --pol ipsec -j ACCEPT

Create a remote_site directory and set up its config

remote_site/etc/ipsec.conf

   # strongSwan config for the emulated remote site. "left" is this side
   # (Remote GW 172.0.0.2, subnet 20.1.0.0/24), "right" is the Quantum Router's
   # external address (172.24.4.226) and the tenant subnet 10.1.0.0/24.
   config setup
   conn %default
       ikelifetime=60m
       keylife=20m
       rekeymargin=3m
       authby=secret
       keyexchange=ikev1
       mobike=no
   conn test_conn
       left=172.0.0.2
       leftid=172.0.0.2
       leftsubnet=20.1.0.0/24
       right=172.24.4.226
       rightid=172.24.4.226
       rightsubnet=10.1.0.0/24
       # auto=add only loads the conn; "ipsec up test_conn" below brings it up
       auto=add
       dpdaction=hold
       dpddelay=30s
       dpdtimeout=120s
       # PSK from remote_site/etc/ipsec.secrets; must match --psk on vpn-connection-create
       authby=psk
       keyexchange=ikev1
       # IKEv1 with SHA-1 integrity is what this lab negotiates with the default
       # quantum policies; pick stronger proposals for anything beyond the test bed
       ike=aes128-sha1-modp1536
       ikelifetime=3600
       auth=esp
       # trailing "!" makes this proposal strict (no other ESP proposals are accepted)
       esp=aes128-sha1-modp1536!
       type=tunnel
       lifetime=3600s

remote_site/etc/ipsec.secrets

   172.0.0.2 172.24.4.226 : PSK "secret"

Start ipsec daemon

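   # Run ipsec inside the remote_site namespace; the current directory is passed
   # as the config root, so run this from the dir that holds etc/ipsec.conf and
   # etc/ipsec.secrets (presumably what quantum-vpn-nswrap expects -- confirm).
   sudo quantum-vpn-nswrap "$(pwd)" ipsec start
   # bring up the tunnel to the Quantum Router (conn test_conn in ipsec.conf)
   sudo quantum-vpn-nswrap "$(pwd)" ipsec up test_conn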

Cleanup VPN Connection

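    # Delete VPN Connection first: it references the service and both policies
    # (see the --vpnservice-id/--ikepolicy-id/--ipsecpolicy-id given at creation)
    quantum vpn-connection-delete vpnconnection1

    # Delete VPN Service by the name given at vpn-service-create
    quantum vpn-service-delete vpn1

    # Delete IKE policy
    quantum vpn-ikepolicy-delete ikepolicy1

    # Delete IPSec policy
    quantum vpn-ipsecpolicy-delete ipsecpolicy1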