
Difference between revisions of "Neutron/VPNaaS/HowToInstall"


Revision as of 10:53, 2 July 2013

Installation

  • apt-get install strongswan
  • Replace binary quantum-l3-agent with quantum-vpn-agent

Note: you can use the WIP devstack for VPNaaS. The devstack review is here -> https://review.openstack.org/#/c/32174/ (WIP)

   git clone https://github.com/openstack-dev/devstack.git
   cd devstack
   git review -d 32174

Set localrc (q-vpn is added):

   DEST=/opt/stack
   disable_service n-net
   enable_service q-svc
   enable_service q-agt
   enable_service q-dhcp
   enable_service q-l3
   enable_service q-meta
   enable_service quantum
   enable_service tempest
   enable_service q-vpn
   API_RATE_LIMIT=False
   VOLUME_BACKING_FILE_SIZE=4G
   FIXED_RANGE=10.1.0.0/24
   FIXED_NETWORK_SIZE=256
   VIRT_DRIVER=libvirt
   SWIFT_REPLICAS=1
   export OS_NO_CACHE=True
   SCREEN_LOGDIR=/opt/stack/screen-logs
   SYSLOG=True
   SKIP_EXERCISES=boot_from_volume,client-env
   ROOTSLEEP=0
   ACTIVE_TIMEOUT=60
   Q_USE_SECGROUP=True
   BOOT_TIMEOUT=90
   ASSOCIATE_TIMEOUT=60
   ADMIN_PASSWORD=openstack
   MYSQL_PASSWORD=openstack
   RABBIT_PASSWORD=openstack
   SERVICE_PASSWORD=openstack
   SERVICE_TOKEN=tokentoken
   Q_PLUGIN=openvswitch
   Q_USE_DEBUG_COMMAND=True
   NETWORK_GATEWAY=10.1.0.1

  • Checkout Test branches

Quantum : https://review.openstack.org/#/c/33148/

Quantum client : https://review.openstack.org/#/c/29811/

  • Run Devstack
    ./stack.sh
  • Install quantum client code (devstack installs the package version of the clients)
   cd /opt/stack/python-quantumclient
   sudo python setup.py develop

CLI Walkthrough

Test Setup

      (10.1.0.0/24)
              |
              |  10.1.0.1
     [Quantum Router]
              |  172.24.4.226
              |
              |  172.24.4.225
     [ Internet GW ]
              |  172.0.0.1
              |
     (Internet) 
              |
              |  172.0.0.2
     [ Remote GW]
              |  20.1.0.1
              |
     (20.1.0.0/24) 

Setup VPN Connection

    # Use subnet_id
    SUBNET_ID=`quantum net-show private | awk '/subnets/{print $4}'`
    # Create VPN Service
    quantum vpn-service-create --name vpn1 --router_id router1 --subnet_id $SUBNET_ID
    # List VPN Service
    quantum vpn-service-list
    # Show VPN Service
    quantum vpn-service-show vpn1
    # Create IKE policy
    quantum vpn-ikepolicy-create --name ikepolicy1
    # List IKE policy
    quantum vpn-ikepolicy-list
    # Show IKE policy
    quantum vpn-ikepolicy-show ikepolicy1
    # Create IPSec policy
    quantum vpn-ipsecpolicy-create --name ipsecpolicy1
    # Show IPSec policy
    quantum vpn-ipsecpolicy-show ipsecpolicy1
    # Create VPN Connection
    quantum vpn-connection-create --name vpnconnection1 --vpnservice-id vpn1 --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer_address 172.0.0.2 --peer_id 172.0.0.2 --peer_cidrs list=true 20.1.0.0/24 --psk secret
    # List VPN Connection
    quantum vpn-connection-list
    # Show VPN Connection
    quantum vpn-connection-show vpnconnection1

Test Connection

Create the remote site using a network namespace:

   sudo ip netns add remote_site
   sudo ip link add tap_remote type veth peer name tap_remote_peer
   sudo ip link set tap_remote_peer netns remote_site
   sudo ip addr add 172.0.0.1/24 dev tap_remote
   sudo ip link set tap_remote up
   sudo ip netns exec remote_site ip addr add 172.0.0.2/24 dev tap_remote_peer
   sudo ip netns exec remote_site ip addr add 20.1.0.1/24 dev tap_remote_peer
   sudo ip netns exec remote_site ip link set tap_remote_peer up
   sudo ip netns exec remote_site ip link set lo up
   sudo ip netns exec remote_site ip route add default via 172.0.0.1
   sudo ip netns exec remote_site iptables -t nat -A POSTROUTING -s 20.1.0.0/24 -j SNAT --to-source 172.0.0.2
   sudo ip netns exec remote_site iptables -t nat -I POSTROUTING 1 -m policy --dir out --pol ipsec -j ACCEPT

Create the remote_site directory and set up the config:

remote_site/etc/ipsec.conf

   config setup
   conn %default
       ikelifetime=60m
       keylife=20m
       rekeymargin=3m
       authby=secret
       keyexchange=ikev1
       mobike=no
   conn test_conn
       left=172.0.0.2
       leftid=172.0.0.2
       leftsubnet=20.1.0.0/24
       right=172.24.4.226
       rightid=172.24.4.226
       rightsubnet=10.1.0.0/24
       auto=add
       dpdaction=hold
       dpddelay=30s
       dpdtimeout=120s
       authby=psk
       keyexchange=ikev1
       ike=aes128-sha1-modp1536
       ikelifetime=3600
       auth=esp
       esp=aes128-sha1-modp1536!
       type=tunnel
       lifetime=3600s

remote_site/etc/ipsec.secrets

   172.0.0.2 172.24.4.226 : PSK "secret"

Start the ipsec daemon (wrapped in the remote_site namespace):

   sudo quantum-vpn-nswrap `pwd` ipsec start
   sudo quantum-vpn-nswrap `pwd` ipsec up test_conn

Cleanup VPN Connection

    # Delete VPN Connection
    quantum vpn-connection-delete vpnconnection1

    # Delete VPN Service (the service created above was named vpn1)
    quantum vpn-service-delete vpn1

    # Delete IKE policy
    quantum vpn-ikepolicy-delete ikepolicy1

    # Delete IPSec policy
    quantum vpn-ipsecpolicy-delete ipsecpolicy1

(Alternative) Using Two DevStack Nodes

You can also use two DevStack nodes connected by a common "public" network to test VPNaaS. The second node can be set up with the same public network as the first node, except it will use a different gateway IP (and hence router IP). In this example, we'll assume we have two DevStack nodes (East and West), each running on hardware (you can do the same thing with multiple VM guests, if desired).

Example Topology

A dedicated physical port can be used for the "public" network connection (e.g. eth2) interconnected by a physical switch. You'll need to add the port to the OVS bridge on each DevStack node (e.g. sudo ovs-vsctl add-port br-ex eth2).

      (10.1.0.0/24 - DevStack East)
              |
              |  10.1.0.1
     [Quantum Router]
              |  172.24.4.226
              |
              |  172.24.4.225
     [Internet GW]
              |  
              |
     [Internet GW]
              | 172.24.4.232
              |
              | 172.24.4.233
     [Quantum Router]
              |  10.2.0.1
              |
     (10.2.0.0/24 DevStack West)

DevStack Configuration

For East you can use a stock localrc configuration, which will give you a private net of 10.1.0.0/24 and public network of 172.24.4.0/24. Just to make configuration easier, you can name the subnets with:

PUBLIC_SUBNET_NAME=yoursubnet
PRIVATE_SUBNET_NAME=mysubnet

For West you can add these lines to localrc to use a different local network and a different public GW (and hence router) IP:

PUBLIC_SUBNET_NAME=yoursubnet
PRIVATE_SUBNET_NAME=mysubnet
FIXED_RANGE=10.2.0.0/24
NETWORK_GATEWAY=10.2.0.1
PUBLIC_NETWORK_GATEWAY=172.24.4.232

VPNaaS Configuration

With DevStack running on East and West and connectivity confirmed (make sure you can ping one router/GW from the other), you can perform these VPNaaS CLI commands.

On East

quantum vpn-ikepolicy-create --name ikepolicy1
quantum vpn-ipsecpolicy-create --name ipsecpolicy1
quantum vpn-service-create --name myvpn --description "My vpn service" --subnet-id mysubnet --router_id router1
quantum vpn-connection-create --name vpnconnection1 --vpnservice-id myvpn --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer_address 172.24.4.233 --peer_id 172.24.4.233 --peer_cidrs list=true 10.2.0.0/24 --psk secret

On West

quantum vpn-ikepolicy-create --name ikepolicy1
quantum vpn-ipsecpolicy-create --name ipsecpolicy1
quantum vpn-service-create --name myvpn --description "My vpn service" --subnet-id mysubnet --router_id router1
quantum vpn-connection-create --name vpnconnection1 --vpnservice-id myvpn --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer_address 172.24.4.226 --peer_id 172.24.4.226 --peer_cidrs list=true 10.1.0.0/24 --psk secret

Verification

You can spin up VMs on each node, and then from the VM ping the far end router's public IP. With tcpdump running on one of the nodes, you can see that pings appear as encrypted packets (ESP). Note that BOOTP, IGMP, and the keepalive packets between the two nodes are not encrypted (nor are pings between the two external IP addresses).
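To make the tcpdump check above repeatable, here is an added Python helper (not part of the wiki page or of Neutron) that classifies `tcpdump -n` lines captured on the public network: ESP and IKE (isakmp) between the two router IPs 172.24.4.226 and 172.24.4.233 are expected, plaintext between those IPs (such as a ping between the external addresses) is counted but tolerated, and any packet carrying a 10.1.0.0/24 or 10.2.0.0/24 address on the public network is flagged as a tunnel bypass. The sample capture lines are constructed, not real output.

```python
import ipaddress
import re

# Tunnel endpoints and protected subnets from the two-node topology above.
GATEWAYS = {"172.24.4.226", "172.24.4.233"}
PROTECTED = [ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("10.2.0.0/24")]

# Matches "IP src[.port] > dst[.port]: proto ..." in a tcpdump -n line.
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (\S+)")

# Constructed sample lines in tcpdump's text format (not a real capture).
SAMPLE_CAPTURE = [
    "IP 172.24.4.226.500 > 172.24.4.233.500: isakmp: phase 1 I ident",
    "IP 172.24.4.226 > 172.24.4.233: ESP(spi=0xc1d2e3f4,seq=0x1), length 132",
    "IP 172.24.4.233 > 172.24.4.226: ESP(spi=0xa1b2c3d4,seq=0x1), length 132",
    "IP 172.24.4.226 > 172.24.4.233: ICMP echo request, id 7, seq 1, length 64",
    "IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request, length 300",
    "IP 172.24.4.1 > 224.0.0.1: igmp query v2",
]


def classify(line):
    """Return 'esp', 'ike', 'clear', 'leak', or None for one tcpdump line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, proto = m.groups()
    # A private address on the public wire means the packet bypassed the tunnel.
    if any(ipaddress.ip_address(a) in net for a in (src, dst) for net in PROTECTED):
        return "leak"
    if src in GATEWAYS and dst in GATEWAYS:
        if proto.startswith("ESP"):
            return "esp"
        if proto.startswith("isakmp"):  # IKE negotiation, DPD and NAT-T keepalives
            return "ike"
        return "clear"  # e.g. ping between the external IPs, expected in plaintext
    return None  # unrelated traffic such as BOOTP or IGMP


def summarize(lines):
    """Count each class of packet seen between the two gateways."""
    counts = {"esp": 0, "ike": 0, "clear": 0, "leak": 0}
    for line in lines:
        kind = classify(line)
        if kind:
            counts[kind] += 1
    return counts


def tunnel_ok(counts):
    """True when encrypted traffic was seen and nothing bypassed the tunnel."""
    return counts["esp"] > 0 and counts["leak"] == 0
```

Pipe a live capture in with `sudo tcpdump -ni eth2 | python3 -c '...'` style wrapping of `summarize(sys.stdin)` if you want to run it against the real public port.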

Horizon Support

  • Checkout Test branch

Horizon: https://review.openstack.org/#/c/34882/

  • Enable VPN section in Horizon

Open

   /opt/stack/horizon/openstack_dashboard/local/local_settings.py

and replace

OPENSTACK_QUANTUM_NETWORK = {
    'enable_vpn': False,
}

with

OPENSTACK_QUANTUM_NETWORK = {
    'enable_vpn': True,
}

  • Restart Apache to start using
  • Test user scenarios

https://wiki.openstack.org/wiki/Neutron/VPNaaS/UI