
Difference between revisions of "Neutron/VPNaaS/HowToInstall"

Revision as of 09:15, 18 July 2013

Installation

Please use https://review.openstack.org/37153

Run DevStack using this localrc (q-vpn has been added to the service list):

   DEST=/opt/stack
   disable_service n-net
   enable_service q-svc
   enable_service q-agt
   enable_service q-dhcp
   enable_service q-l3
   enable_service q-meta
   enable_service neutron
   enable_service tempest
   enable_service q-vpn
   API_RATE_LIMIT=False
   VOLUME_BACKING_FILE_SIZE=4G
   FIXED_RANGE=10.1.0.0/24
   FIXED_NETWORK_SIZE=256
   VIRT_DRIVER=libvirt
   SWIFT_REPLICAS=1
   export OS_NO_CACHE=True
   SCREEN_LOGDIR=/opt/stack/screen-logs
   SYSLOG=True
   SKIP_EXERCISES=boot_from_volume,client-env
   ROOTSLEEP=0
   ACTIVE_TIMEOUT=60
   Q_USE_SECGROUP=True
   BOOT_TIMEOUT=90
   ASSOCIATE_TIMEOUT=60
   ADMIN_PASSWORD=openstack
   MYSQL_PASSWORD=openstack
   RABBIT_PASSWORD=openstack
   SERVICE_PASSWORD=openstack
   SERVICE_TOKEN=tokentoken
   Q_PLUGIN=openvswitch
   Q_USE_DEBUG_COMMAND=True
   NETWORK_GATEWAY=10.1.0.1
  • Check out the test branches

Neutron : https://review.openstack.org/#/c/33148/

Neutron client : https://review.openstack.org/#/c/29811/

  • Run Devstack
    ./stack.sh
  • Install the neutron client code from source (DevStack installs the packaged version of the clients)
   cd /opt/stack/python-neutronclient
   sudo python setup.py develop

Using Two DevStack Nodes for Testing

You can use two DevStack nodes connected by a common "public" network to test VPNaaS. The second node can be set up with the same public network as the first node, except it will use a different gateway IP (and hence router IP). In this example, we'll assume we have two DevStack nodes (East and West), each running on hardware (you can do the same thing with multiple VM guests, if desired).

Example Topology

A dedicated physical port can be used for the "public" network connection (e.g. eth2) interconnected by a physical switch. You'll need to add the port to the OVS bridge on each DevStack node (e.g. sudo ovs-vsctl add-port br-ex eth2).

      (10.1.0.0/24 - DevStack East)
              |
              |  10.1.0.1
     [Quantum Router]
              |  172.24.4.226
              |
              |  172.24.4.225
     [Internet GW]
              |  
              |
     [Internet GW]
              | 172.24.4.232
              |
              | 172.24.4.233
     [Quantum Router]
              |  10.2.0.1
              |
     (10.2.0.0/24 DevStack West)

DevStack Configuration

For East you can use a stock localrc configuration, which will give you a private net of 10.1.0.0/24 and public network of 172.24.4.0/24. Just to make configuration easier, you can name the subnets as follows. (Note that Q_FLOATING_ALLOCATION_POOL is to ensure there is no IP overlapping in the public network. If you use floating IP at the same time, please set it too.)

PUBLIC_SUBNET_NAME=yoursubnet
PRIVATE_SUBNET_NAME=mysubnet
Q_FLOATING_ALLOCATION_POOL=start=172.24.4.225,end=172.24.4.231

For West you can add these lines to localrc to use a different local network, public GW (and implicitly router) IP:

PUBLIC_SUBNET_NAME=yoursubnet
PRIVATE_SUBNET_NAME=mysubnet
FIXED_RANGE=10.2.0.0/24
NETWORK_GATEWAY=10.2.0.1
PUBLIC_NETWORK_GATEWAY=172.24.4.232
Q_FLOATING_ALLOCATION_POOL=start=172.24.4.233,end=172.24.4.238
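As an added consistency check (not part of the original page), the following Python script parses the East and West localrc fragments above and verifies that the private ranges and floating pools do not overlap and that neither node's public gateway falls inside the other node's pool. East's PUBLIC_NETWORK_GATEWAY is not set in its localrc; the value 172.24.4.225 is taken from the topology diagram.

```python
import ipaddress

# Constructed localrc fragments using the values from this page. East's
# PUBLIC_NETWORK_GATEWAY (172.24.4.225) is taken from the topology diagram.
EAST_LOCALRC = """
FIXED_RANGE=10.1.0.0/24
NETWORK_GATEWAY=10.1.0.1
PUBLIC_NETWORK_GATEWAY=172.24.4.225
Q_FLOATING_ALLOCATION_POOL=start=172.24.4.225,end=172.24.4.231
"""
WEST_LOCALRC = """
FIXED_RANGE=10.2.0.0/24
NETWORK_GATEWAY=10.2.0.1
PUBLIC_NETWORK_GATEWAY=172.24.4.232
Q_FLOATING_ALLOCATION_POOL=start=172.24.4.233,end=172.24.4.238
"""

def parse_localrc(text):
    """Minimal KEY=VALUE parser; ignores blank lines and comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key] = value
    return cfg

def pool_range(cfg):
    """Turn 'start=a,end=b' into a (start, end) pair of ip_address objects."""
    parts = dict(p.split("=", 1) for p in cfg["Q_FLOATING_ALLOCATION_POOL"].split(","))
    return ipaddress.ip_address(parts["start"]), ipaddress.ip_address(parts["end"])

def check_two_node_config(east_text, west_text):
    """Return a list of problems; an empty list means the two nodes can share the public net."""
    east, west = parse_localrc(east_text), parse_localrc(west_text)
    problems = []
    e_net = ipaddress.ip_network(east["FIXED_RANGE"])
    w_net = ipaddress.ip_network(west["FIXED_RANGE"])
    if e_net.overlaps(w_net):
        # The IPsec peer-cidrs must be distinct, otherwise routing into the tunnel is ambiguous
        problems.append(f"private ranges overlap: {e_net} and {w_net}")
    e_pool, w_pool = pool_range(east), pool_range(west)
    if not (e_pool[1] < w_pool[0] or w_pool[1] < e_pool[0]):
        problems.append("floating IP pools overlap")
    for name, cfg, (lo, hi) in (("East", east, w_pool), ("West", west, e_pool)):
        gw = ipaddress.ip_address(cfg["PUBLIC_NETWORK_GATEWAY"])
        if lo <= gw <= hi:
            problems.append(f"{name} public gateway {gw} lies inside the other node's floating pool")
    return problems
```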

VPNaaS Configuration

With DevStack running on East and West and connectivity confirmed (make sure you can ping one router/GW from the other), you can perform these VPNaaS CLI commands.

On East

neutron vpn-ikepolicy-create --name ikepolicy1
neutron vpn-ipsecpolicy-create --name ipsecpolicy1
neutron vpn-service-create --name myvpn --description "My vpn service" --subnet-id mysubnet --router-id router1
neutron vpn-connection-create --name vpnconnection1 --vpnservice-id myvpn --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address 172.24.4.233 --peer-id 172.24.4.233 --peer-cidrs 10.2.0.0/24 --psk secret

On West

neutron vpn-ikepolicy-create --name ikepolicy1
neutron vpn-ipsecpolicy-create --name ipsecpolicy1
neutron vpn-service-create --name myvpn --description "My vpn service" --subnet-id mysubnet --router-id router1
neutron vpn-connection-create --name vpnconnection1 --vpnservice-id myvpn --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address 172.24.4.226 --peer-id 172.24.4.226 --peer-cidrs 10.1.0.0/24 --psk secret

Verification

You can spin up VMs on each node, and then from the VM ping the far end router's public IP. With tcpdump running on one of the nodes, you can see that pings appear as encrypted packets (ESP). Note that BOOTP, IGMP, and the keepalive packets between the two nodes are not encrypted (nor are pings between the two external IP addresses).
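To make the tcpdump check above repeatable, here is an added Python audit (not part of the original page) that classifies captured lines on the public interface into ESP, expected cleartext (keepalives, pings between external IPs) and leaks, where a leak is any non-ESP packet with an endpoint in one of the tunnel-protected subnets. The capture lines are constructed samples in `tcpdump -n` format; the last one models the failure mode where a VM's ping leaves the router unencrypted because the connection is down.

```python
import ipaddress
import re

# Tunnel-protected subnets from this page's topology (East and West private nets).
PRIVATE_CIDRS = [ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("10.2.0.0/24")]

# Constructed sample of `tcpdump -n -i br-ex` output seen on East's public side.
# Lines 1-2 are the encrypted pings, 3-4 are expected cleartext (NAT-T keepalive and
# a ping between external IPs); line 5 is a ping to West's private net sent in the clear.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 172.24.4.226 > 172.24.4.233: ESP(spi=0xc1234567,seq=0x1a), length 132
12:00:01.000500 IP 172.24.4.233 > 172.24.4.226: ESP(spi=0xc7654321,seq=0x1a), length 132
12:00:02.000000 IP 172.24.4.226.4500 > 172.24.4.233.4500: isakmp-nat-keep-alive
12:00:03.000000 IP 172.24.4.226 > 172.24.4.233: ICMP echo request, id 1, seq 1, length 64
12:00:04.000000 IP 172.24.4.226 > 10.2.0.4: ICMP echo request, id 2, seq 1, length 64
"""

LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (.*)")

def in_protected(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_CIDRS)

def classify(line):
    """Return 'esp', 'cleartext', 'leak' (unencrypted traffic to/from a protected net) or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, payload = m.groups()
    if payload.startswith("ESP("):
        return "esp"
    if in_protected(src) or in_protected(dst):
        return "leak"
    return "cleartext"

def audit_capture(text):
    """Count packet classes and collect every line that leaked protected traffic."""
    summary = {"esp": 0, "cleartext": 0, "leak": 0}
    leaks = []
    for line in text.splitlines():
        kind = classify(line)
        if kind is None:
            continue
        summary[kind] += 1
        if kind == "leak":
            leaks.append(line)
    return summary, leaks
```

Feed it a real capture with `audit_capture(open("capture.txt").read())`; a non-empty leak list means the tunnel is not protecting the traffic it should.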

Horizon Support

  • Check out the test branch

Horizon: https://review.openstack.org/#/c/34882/

  • Enable VPN section in Horizon

NOTE: Currently this code is not working because of the renaming to Neutron. Please use the CLI for testing.

Open
/opt/stack/horizon/openstack_dashboard/local/local_settings.py

and replace

OPENSTACK_QUANTUM_NETWORK = {
    'enable_vpn': False,
}

with

OPENSTACK_QUANTUM_NETWORK = {
    'enable_vpn': True,
}
  • Restart Apache to start using it
  • Test user scenarios

https://wiki.openstack.org/wiki/Neutron/VPNaaS/UI