
Neutron/VPNaaS/HowToInstall

== CLI Walkthrough ==

=== Test Setup ===

This walkthrough uses a single DevStack node. The Neutron router at the top of the diagram owns the private subnet 10.1.0.0/24 and has the external address 172.24.4.226; the remote site (Remote GW 172.0.0.2 with the subnet 20.1.0.0/24 behind it) is simulated further down in a network namespace on the same host, with the host itself playing the "Internet GW".
      (10.1.0.0/24)
              |
              |  10.1.0.1
      [Quantum Router]
              |  172.24.4.226
              |
              |  172.24.4.225
      [ Internet GW ]
              |  172.0.0.1
              |
      (Internet)
              |
              |  172.0.0.2
      [ Remote GW ]
              |  20.1.0.1
              |
      (20.1.0.0/24)
 
 
 
=== Setup VPN Connection ===

The VPN service is attached to the router that owns the private subnet; the connection then names the remote gateway (--peer_address and --peer_id) and the remote CIDRs the tunnel carries (--peer_cidrs). The IKE and IPsec policies are created with their defaults here, so the remote side has to be configured to match them (the remote_site ipsec.conf in the next section does). "secret" is a throwaway PSK for this test only: a real PSK should be long and random, and a PSK given on the command line also ends up in the shell history.

    # Use the subnet ID of the "private" network
    SUBNET_ID=`neutron net-show private | awk '/subnets/{print $4}'`

    # Create VPN service
    neutron vpn-service-create --name vpn1 --router_id router1 --subnet_id $SUBNET_ID

    # List VPN services
    neutron vpn-service-list

    # Show VPN service
    neutron vpn-service-show vpn1

    # Create IKE policy
    neutron vpn-ikepolicy-create --name ikepolicy1

    # List IKE policies
    neutron vpn-ikepolicy-list

    # Show IKE policy
    neutron vpn-ikepolicy-show ikepolicy1

    # Create IPsec policy
    neutron vpn-ipsecpolicy-create --name ipsecpolicy1

    # Show IPsec policy
    neutron vpn-ipsecpolicy-show ipsecpolicy1

    # Create VPN connection
    neutron vpn-connection-create --name vpnconnection1 --vpnservice-id vpn1 --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer_address 172.0.0.2 --peer_id 172.0.0.2 --peer_cidrs list=true 20.1.0.0/24 --psk secret

    # List VPN connections
    neutron vpn-connection-list

    # Show VPN connection (the status field tells you whether the tunnel came up)
    neutron vpn-connection-show vpnconnection1
 
 
 
=== Test Connection ===

Create the remote site in a network namespace. The veth pair connects the host (tap_remote, 172.0.0.1, the "Internet GW" of the diagram) with the namespace (tap_remote_peer, which carries both the remote gateway address 172.0.0.2 and the remote LAN address 20.1.0.1):

    sudo ip netns add remote_site
    sudo ip link add tap_remote type veth peer name tap_remote_peer
    sudo ip link set tap_remote_peer netns remote_site
    sudo ip addr add 172.0.0.1/24 dev tap_remote
    sudo ip link set tap_remote up
    sudo ip netns exec remote_site ip addr add 172.0.0.2/24 dev tap_remote_peer
    sudo ip netns exec remote_site ip addr add 20.1.0.1/24 dev tap_remote_peer
    sudo ip netns exec remote_site ip link set tap_remote_peer up
    sudo ip netns exec remote_site ip link set lo up
    sudo ip netns exec remote_site ip route add default via 172.0.0.1
    sudo ip netns exec remote_site iptables -t nat -A POSTROUTING -s 20.1.0.0/24 -j SNAT --to-source 172.0.0.2
    sudo ip netns exec remote_site iptables -t nat -I POSTROUTING 1 -m policy --dir out --pol ipsec -j ACCEPT

The SNAT rule makes the remote LAN reachable on the "Internet" as 172.0.0.2. The policy-match rule inserted in front of it exempts packets that are about to be IPsec-encapsulated, so traffic from 20.1.0.0/24 bound for the tunnel keeps its real source address and matches leftsubnet on this side and --peer_cidrs on the Neutron side; without it the SNAT would rewrite the source first and the packets would never match the tunnel selector. The host has to route between tap_remote and br-ex (172.24.4.225) for the two gateways to reach each other, so check that net.ipv4.ip_forward is enabled on the host.
 
 
 
Create a remote_site directory and put the strongSwan configuration in it. Seen from the remote site, left is the remote gateway (the Neutron connection's peer_address/peer_id and peer_cidrs) and right is the Neutron router's external address and its subnet; the ike/esp proposals and lifetimes match the default IKE and IPsec policies created above (AES-128, SHA1, group 5 = modp1536, 3600 s, IKEv1, tunnel mode). Any mismatch here shows up as a failed IKE negotiation, so keep the two sides in step.

remote_site/etc/ipsec.conf

    config setup

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        authby=secret
        keyexchange=ikev1
        mobike=no

    conn test_conn
        left=172.0.0.2
        leftid=172.0.0.2
        leftsubnet=20.1.0.0/24
        right=172.24.4.226
        rightid=172.24.4.226
        rightsubnet=10.1.0.0/24
        auto=add
        dpdaction=hold
        dpddelay=30s
        dpdtimeout=120s
        authby=psk
        keyexchange=ikev1
        ike=aes128-sha1-modp1536
        ikelifetime=3600
        auth=esp
        esp=aes128-sha1-modp1536!
        type=tunnel
        lifetime=3600s

remote_site/etc/ipsec.secrets (the PSK must be the same string passed to vpn-connection-create with --psk)

    172.0.0.2 172.24.4.226 : PSK "secret"
 
 
 
Start the ipsec daemon for the remote site and bring the connection up. `pwd` has to be the directory that holds etc/ipsec.conf and etc/ipsec.secrets, i.e. run these from inside remote_site. This is a second strongSwan instance, separate from the one the VPN agent runs for the Neutron router, and it has to live in the remote_site namespace, since the tunnel endpoint 172.0.0.2 only exists there.

    sudo neutron-vpn-nswrap `pwd` ipsec start
    sudo neutron-vpn-nswrap `pwd` ipsec up test_conn

Once `ipsec up` reports the connection established, `neutron vpn-connection-show vpnconnection1` should report it active as well; traffic between 10.1.0.0/24 and 20.1.0.0/24 should then cross the 172.24.4.x/172.0.0.x segment as ESP only.
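Proposal and selector mismatches between the two sides are the usual reason a test tunnel never comes up. The following added example (my code, not part of this page or of Neutron) parses the remote site's ipsec.conf, folds conn %default into test_conn, and compares it with what the Neutron side was told. The Neutron attribute names and the default values (aes-128, sha1, group5, 3600 seconds, IKEv1, tunnel) are assumptions taken from the VPNaaS API defaults; confirm them against `neutron vpn-ikepolicy-show ikepolicy1` and `neutron vpn-ipsecpolicy-show ipsecpolicy1`. The embedded configuration is constructed from the ipsec.conf above with the DPD, auto and rekey keys left out, since they play no part in the comparison.

```python
"""Cross-check the remote site's strongSwan conn against the Neutron VPNaaS policies.
Added example, not code from this page or from Neutron. The Neutron attribute names and
default values are assumptions; confirm them with vpn-ikepolicy-show / vpn-ipsecpolicy-show."""
import re

# Neutron VPNaaS algorithm names -> strongSwan proposal tokens (assumed mapping).
ENC = {"aes-128": "aes128", "aes-192": "aes192", "aes-256": "aes256", "3des": "3des"}
AUTH = {"sha1": "sha1"}
PFS = {"group2": "modp1024", "group5": "modp1536", "group14": "modp2048"}

# Assumed defaults applied by vpn-ikepolicy-create / vpn-ipsecpolicy-create when only --name is given.
IKE_POLICY_DEFAULTS = {"ike_version": "v1", "encryption_algorithm": "aes-128",
                       "auth_algorithm": "sha1", "pfs": "group5", "lifetime": 3600}
IPSEC_POLICY_DEFAULTS = {"encapsulation_mode": "tunnel", "encryption_algorithm": "aes-128",
                         "auth_algorithm": "sha1", "pfs": "group5", "lifetime": 3600}

# Constructed from remote_site/etc/ipsec.conf above (DPD, auto and rekey keys omitted).
REMOTE_SITE_CONF = """\
config setup
conn %default
    ikelifetime=60m
    keylife=20m
    authby=secret
    keyexchange=ikev1
conn test_conn
    left=172.0.0.2
    leftid=172.0.0.2
    leftsubnet=20.1.0.0/24
    right=172.24.4.226
    rightid=172.24.4.226
    rightsubnet=10.1.0.0/24
    authby=psk
    keyexchange=ikev1
    ike=aes128-sha1-modp1536
    ikelifetime=3600
    auth=esp
    esp=aes128-sha1-modp1536!
    type=tunnel
    lifetime=3600s
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' folded into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # an unindented line opens a section: 'conn NAME' / 'config setup'
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **body} for (kind, name), body in sections.items()
            if kind == "conn" and name != "%default"}


def to_seconds(value):
    """strongSwan time values: '3600', '3600s', '60m', '1h', '2d'."""
    match = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not match:
        raise ValueError("bad time value %r" % value)
    return int(match.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[match.group(2)]


def proposal(policy):
    # The ike=/esp= proposal string a Neutron policy implies, e.g. aes128-sha1-modp1536.
    return "-".join((ENC[policy["encryption_algorithm"]],
                     AUTH[policy["auth_algorithm"]], PFS[policy["pfs"]]))


def check_remote_conn(conn, ike, ipsec, router_ip, router_cidr, peer_address, peer_id, peer_cidr):
    """Return mismatches between the remote conn and the Neutron side; [] means they agree."""
    want = {"keyexchange": "ike" + ike["ike_version"], "ike": proposal(ike), "esp": proposal(ipsec),
            "type": ipsec["encapsulation_mode"], "left": peer_address, "leftid": peer_id,
            "leftsubnet": peer_cidr, "right": router_ip, "rightid": router_ip, "rightsubnet": router_cidr}
    problems = []
    for key, expected in want.items():
        got = conn.get(key, "").rstrip("!")  # a trailing '!' only makes the proposal strict
        if got != expected:
            problems.append("%s: conn has %r, Neutron side expects %r" % (key, got, expected))
    if conn.get("authby") not in ("psk", "secret"):
        problems.append("authby: %r, but the Neutron connection was created with --psk" % conn.get("authby"))
    if to_seconds(conn.get("ikelifetime", "0")) != ike["lifetime"]:
        problems.append("ikelifetime: %s != IKE policy lifetime %d" % (conn.get("ikelifetime"), ike["lifetime"]))
    child_life = conn.get("lifetime", conn.get("keylife", "0"))  # 'lifetime' is an alias of 'keylife'
    if to_seconds(child_life) != ipsec["lifetime"]:
        problems.append("lifetime: %s != IPsec policy lifetime %d" % (child_life, ipsec["lifetime"]))
    return problems


def check_walkthrough():
    """test_conn from the walkthrough against the parameters given to vpn-connection-create."""
    conn = parse_ipsec_conf(REMOTE_SITE_CONF)["test_conn"]
    return check_remote_conn(conn, IKE_POLICY_DEFAULTS, IPSEC_POLICY_DEFAULTS,
                             router_ip="172.24.4.226", router_cidr="10.1.0.0/24",
                             peer_address="172.0.0.2", peer_id="172.0.0.2", peer_cidr="20.1.0.0/24")
```

Calling check_walkthrough() on the configuration above returns an empty list; change esp= to modp1024 or lifetime= to 1800s and each difference is reported with both values, which is quicker than reading charon's log for the proposal it rejected. The same function works for the two-node setup later on the page by pointing it at the ipsec.conf the VPN agent writes for the router.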
 
 
 
=== Cleanup VPN Connection ===

Delete in dependency order: the connection first, then the service, then the policies it referenced.

    # Delete VPN connection
    neutron vpn-connection-delete vpnconnection1

    # Delete VPN service
    neutron vpn-service-delete vpn1

    # Delete IKE policy
    neutron vpn-ikepolicy-delete ikepolicy1

    # Delete IPsec policy
    neutron vpn-ipsecpolicy-delete ipsecpolicy1
 
 
 
'''Note''': The localrc variables for the second DevStack node (NETWORK_GATEWAY=10.2.0.1 and PUBLIC_NETWORK_GATEWAY=172.24.4.232, see the two-node setup below) require changes from this review https://review.openstack.org/#/c/34251/

Revision as of 01:59, 10 July 2013

Installation

  • apt-get install strongswan
  • Replace the neutron-l3-agent binary with neutron-vpn-agent

Note: you can use the WIP devstack for VPNaaS; the devstack review is here -> https://review.openstack.org/#/c/32174/ (WIP)

   git clone https://github.com/openstack-dev/devstack.git
   cd devstack
   git review -d 32174

Set localrc (q-vpn is added; the passwords and SERVICE_TOKEN below are throwaway values for a disposable test node):

   DEST=/opt/stack
   disable_service n-net
   enable_service q-svc
   enable_service q-agt
   enable_service q-dhcp
   enable_service q-l3
   enable_service q-meta
   enable_service neutron
   enable_service tempest
   enable_service q-vpn
   API_RATE_LIMIT=False
   VOLUME_BACKING_FILE_SIZE=4G
   FIXED_RANGE=10.1.0.0/24
   FIXED_NETWORK_SIZE=256
   VIRT_DRIVER=libvirt
   SWIFT_REPLICAS=1
   export OS_NO_CACHE=True
   SCREEN_LOGDIR=/opt/stack/screen-logs
   SYSLOG=True
   SKIP_EXERCISES=boot_from_volume,client-env
   ROOTSLEEP=0
   ACTIVE_TIMEOUT=60
   Q_USE_SECGROUP=True
   BOOT_TIMEOUT=90
   ASSOCIATE_TIMEOUT=60
   ADMIN_PASSWORD=openstack
   MYSQL_PASSWORD=openstack
   RABBIT_PASSWORD=openstack
   SERVICE_PASSWORD=openstack
   SERVICE_TOKEN=tokentoken
   Q_PLUGIN=openvswitch
   Q_USE_DEBUG_COMMAND=True
   NETWORK_GATEWAY=10.1.0.1

  • Check out test branches

Quantum : https://review.openstack.org/#/c/33148/

Quantum client : https://review.openstack.org/#/c/29811/

  • Run Devstack
    ./stack.sh
  • Install the neutron client code (devstack installs the packaged version of the clients)
   cd /opt/stack/python-neutronclient
   sudo python setup.py develop


Using Two DevStack Nodes for Testing

You can use two DevStack nodes connected by a common "public" network to test VPNaaS. The second node can be set up with the same public network as the first node, except it will use a different gateway IP (and hence router IP). In this example, we'll assume we have two DevStack nodes (East and West), each running on hardware (you can do the same thing with multiple VM guests, if desired).

Example Topology

A dedicated physical port can be used for the "public" network connection (e.g. eth2) interconnected by a physical switch. You'll need to add the port to the OVS bridge on each DevStack node (e.g. sudo ovs-vsctl add-port br-ex eth2).

      (10.1.0.0/24 - DevStack East)
              |
              |  10.1.0.1
     [Quantum Router]
              |  172.24.4.226
              |
              |  172.24.4.225
     [Internet GW]
              |  
              |
     [Internet GW]
              | 172.24.4.232
              |
              | 172.24.4.233
     [Quantum Router]
              |  10.2.0.1
              |
     (10.2.0.0/24 DevStack West)

DevStack Configuration

For East you can use a stock localrc configuration, which will give you a private net of 10.1.0.0/24 and public network of 172.24.4.0/24. Just to make configuration easier, you can name the subnets with:

PUBLIC_SUBNET_NAME=yoursubnet
PRIVATE_SUBNET_NAME=mysubnet

For West you can add these lines to localrc to use a different local network, public GW (and implicitly router) IP:

PUBLIC_SUBNET_NAME=yoursubnet
PRIVATE_SUBNET_NAME=mysubnet
FIXED_RANGE=10.2.0.0/24
NETWORK_GATEWAY=10.2.0.1
PUBLIC_NETWORK_GATEWAY=172.24.4.232

VPNaaS Configuration

With DevStack running on East and West and connectivity confirmed (make sure you can ping one router/GW from the other), you can perform these VPNaaS CLI commands.

On East

neutron vpn-ikepolicy-create --name ikepolicy1
neutron vpn-ipsecpolicy-create --name ipsecpolicy1
neutron vpn-service-create --name myvpn --description "My vpn service" --subnet-id mysubnet --router_id router1
neutron vpn-connection-create --name vpnconnection1 --vpnservice-id myvpn --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer_address 172.24.4.233 --peer_id 172.24.4.233 --peer_cidrs list=true 10.2.0.0/24 --psk secret

On West

neutron vpn-ikepolicy-create --name ikepolicy1
neutron vpn-ipsecpolicy-create --name ipsecpolicy1
neutron vpn-service-create --name myvpn --description "My vpn service" --subnet-id mysubnet --router_id router1
neutron vpn-connection-create --name vpnconnection1 --vpnservice-id myvpn --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer_address 172.24.4.226 --peer_id 172.24.4.226 --peer_cidrs list=true 10.1.0.0/24 --psk secret

Verification

You can spin up VMs on each node and then ping from a VM on one side to the far end's private network (a VM there, or the far end router's private-side address, 10.2.0.1 from East and 10.1.0.1 from West); only traffic between the two private subnets matches the tunnel selectors. With tcpdump running on the public interface of one of the nodes, you can see that these pings appear as encrypted packets (ESP). Note that BOOTP, IGMP, and the IKE/DPD keepalive packets between the two routers (UDP 500/4500) are not carried as ESP, nor are pings between the two external IP addresses.
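The tcpdump check above can be automated. The following added example (my code, not part of this page or of Neutron) classifies `tcpdump -n` lines captured on the public segment into ESP, IKE control traffic, expected cleartext between the two gateway addresses, and leaks, meaning cleartext packets carrying a 10.1.0.0/24 or 10.2.0.0/24 address. A leak on the public segment is what you see when the connection is down and the router falls back to SNATing the traffic out of its default route, so it is the condition worth failing a test on. The sample capture lines are constructed in the format tcpdump prints, using the East/West addresses from the topology above.

```python
"""Audit a tcpdump capture of the "public" segment for traffic that should have been ESP.
Added example, not code from this page or from Neutron. The capture is constructed."""
import ipaddress
import re

# Subnets the tunnel is supposed to carry, and the two routers' external addresses.
PROTECTED = [ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("10.2.0.0/24")]
GATEWAYS = {"172.24.4.226", "172.24.4.233"}
TCPDUMP_LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")

# Constructed sample of what `sudo tcpdump -n -i eth2` on East might show.
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP 172.24.4.226 > 172.24.4.233: ESP(spi=0x0a1b2c3d,seq=0x1), length 132",
    "12:00:01.000450 IP 172.24.4.233 > 172.24.4.226: ESP(spi=0x4e5f6071,seq=0x1), length 132",
    "12:00:02.000001 IP 172.24.4.226.500 > 172.24.4.233.500: isakmp: phase 2/others ? inf[E]: [encrypted hash]",
    "12:00:03.000001 IP 172.24.4.226 > 172.24.4.233: ICMP echo request, id 7, seq 1, length 64",
    "12:00:04.000001 IP 172.24.4.226 > 10.2.0.3: ICMP echo request, id 9, seq 1, length 64",
    "12:00:05.000001 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from fa:16:3e:00:00:01, length 300",
]


def host_of(endpoint):
    """Strip the trailing .PORT that tcpdump appends to UDP/TCP endpoints."""
    parts = endpoint.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else endpoint


def classify(line):
    """Return one of: esp, ike, gateway-cleartext, leak, other."""
    match = TCPDUMP_LINE.match(line)
    if not match:
        return "other"
    src, dst, payload = host_of(match.group(1)), host_of(match.group(2)), match.group(3)
    if payload.startswith("ESP("):
        return "esp"                # tunnel traffic, as it should look on the wire
    if payload.startswith("isakmp"):
        return "ike"                # IKE / DPD control traffic on UDP 500 or 4500
    try:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError:
        return "other"
    if any(s in net or d in net for net in PROTECTED):
        return "leak"               # a protected address in cleartext on the public segment
    if src in GATEWAYS and dst in GATEWAYS:
        return "gateway-cleartext"  # e.g. pings between the two external IPs: expected
    return "other"                  # BOOTP, IGMP and whatever else lives on the segment


def audit(lines):
    """Count each class and return (counts, leaked_lines)."""
    counts, leaks = {}, []
    for line in lines:
        kind = classify(line)
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "leak":
            leaks.append(line)
    return counts, leaks


if __name__ == "__main__":
    counts, leaks = audit(SAMPLE_CAPTURE)
    print(counts)
    for line in leaks:
        print("LEAK:", line)
```

Feed it a real capture with `sudo tcpdump -n -i eth2 | python audit.py` style plumbing (reading lines from stdin instead of SAMPLE_CAPTURE) and treat any non-empty leak list as a failed verification; a capture with ESP present and no leaks is the state the Verification paragraph describes.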

Horizon Support

  • Checkout Test branch

Horizon: https://review.openstack.org/#/c/34882/

  • Enable VPN section in Horizon

NOTE: Currently this code is not working because of the rename from Quantum to Neutron. Please use the CLI for testing.

Open
/opt/stack/horizon/openstack_dashboard/local/local_settings.py

and replace

OPENSTACK_QUANTUM_NETWORK = {
    'enable_vpn': False,
}

with

OPENSTACK_QUANTUM_NETWORK = {
    'enable_vpn': True,
}
  • Restart Apache to start using
  • Test user scenarios

https://wiki.openstack.org/wiki/Neutron/VPNaaS/UI