Neutron/VPNaaS/HowToInstall
Installation
- apt-get install strongswan
- Replace the quantum-l3-agent binary with quantum-vpn-agent
Note: you can use the WIP devstack change for VPNaaS. The devstack review is here: https://review.openstack.org/#/c/32174/ (WIP)
    git clone https://github.com/openstack-dev/devstack.git
    cd devstack
    git review -d 32174
Set localrc (q-vpn is added)
    DEST=/opt/stack
    disable_service n-net
    enable_service q-svc
    enable_service q-agt
    enable_service q-dhcp
    enable_service q-l3
    enable_service q-meta
    enable_service quantum
    enable_service tempest
    enable_service q-vpn
    API_RATE_LIMIT=False
    VOLUME_BACKING_FILE_SIZE=4G
    FIXED_RANGE=10.1.0.0/24
    FIXED_NETWORK_SIZE=256
    VIRT_DRIVER=libvirt
    SWIFT_REPLICAS=1
    export OS_NO_CACHE=True
    SCREEN_LOGDIR=/opt/stack/screen-logs
    SYSLOG=True
    SKIP_EXERCISES=boot_from_volume,client-env
    ROOTSLEEP=0
    ACTIVE_TIMEOUT=60
    Q_USE_SECGROUP=True
    BOOT_TIMEOUT=90
    ASSOCIATE_TIMEOUT=60
    ADMIN_PASSWORD=openstack
    MYSQL_PASSWORD=openstack
    RABBIT_PASSWORD=openstack
    SERVICE_PASSWORD=openstack
    SERVICE_TOKEN=tokentoken
    Q_PLUGIN=openvswitch
    Q_USE_DEBUG_COMMAND=True
    NETWORK_GATEWAY=10.1.0.1
Check out test branches
Quantum : https://review.openstack.org/#/c/33148/
Quantum client : https://review.openstack.org/#/c/29811/
Run Devstack
    ./stack.sh
Install the quantum client code (devstack installs the packaged version of the clients)
    cd /opt/stack/python-quantumclient
    sudo python setup.py install
CLI Walkthrough
Test Setup
     (10.1.0.0/24)
           |
           | 10.1.0.1
    [Quantum Router]
           | 172.24.4.226
           |
           | 172.24.4.225
    [ Internet GW ]
           | 172.0.0.1
           |
       (Internet)
           |
           | 172.0.0.2
      [ Remote GW]
           | 20.1.0.1
           |
     (20.1.0.0/24)
Setup VPN Connection
    # Use subnet_id
    SUBNET_ID=`quantum net-show private | awk '/subnets/{print $4}'`

    # Create VPN Service
    quantum vpn-service-create --name vpn1 --router_id router1 --subnet_id $SUBNET_ID

    # List VPN Service
    quantum vpn-service-list

    # Show VPN Service
    quantum vpn-service-show vpn1

    # Create IKE policy
    quantum vpn-ikepolicy-create --name ikepolicy1

    # List IKE policy
    quantum vpn-ikepolicy-list

    # Show IKE policy
    quantum vpn-ikepolicy-show ikepolicy1

    # Create IPSec policy
    quantum vpn-ipsecpolicy-create --name ipsecpolicy1

    # Show IPSec policy
    quantum vpn-ipsecpolicy-show ipsecpolicy1

    # Create VPN Connection
    quantum vpn-connection-create --name vpnconnection1 vpn1 ikepolicy1 ipsecpolicy1 --peer_address 172.0.0.2 --peer_id 172.0.0.2 --peer_cidrs 20.1.0.0/24 --psk secret

    # List VPN Connection
    quantum vpn-connection-list

    # Show VPN Connection
    quantum vpn-connection-show vpnconnection1
Test Connection
Create the remote site using a network namespace
    sudo ip netns add remote_site
    sudo ip link add tap_remote type veth peer name tap_remote_peer
    sudo ip link set tap_remote_peer netns remote_site
    sudo ip addr add 172.0.0.1/24 dev tap_remote
    sudo ip link set tap_remote up
    sudo ip netns exec remote_site ip addr add 172.0.0.2/24 dev tap_remote_peer
    sudo ip netns exec remote_site ip addr add 20.1.0.1/24 dev tap_remote_peer
    sudo ip netns exec remote_site ip link set tap_remote_peer up
    sudo ip netns exec remote_site ip link set lo up
    sudo ip netns exec remote_site ip route add default via 172.0.0.1
    sudo ip netns exec remote_site iptables -t nat -A POSTROUTING -s 20.1.0.0/24 -j SNAT --to-source 172.0.0.2
    sudo ip netns exec remote_site iptables -t nat -I POSTROUTING 1 -m policy --dir out --pol ipsec -j ACCEPT
Create the remote_site directory and set up the config
remote_site/etc/ipsec.conf
    config setup

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        authby=secret
        keyexchange=ikev1
        mobike=no

    conn test_conn
        left=172.0.0.2
        leftid=172.0.0.2
        leftsubnet=20.1.0.0/24
        right=172.24.4.226
        rightid=172.24.4.226
        rightsubnet=10.1.0.0/24
        auto=add
/etc/ipsec.secrets
172.0.0.2 172.24.4.226 : PSK "secret"
Start ipsec daemon
    sudo quantum-vpn-nswrap `pwd` ipsec start
    sudo quantum-vpn-nswrap `pwd` ipsec up test_conn
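The walkthrough uses the literal PSK "secret" both in vpn-connection-create and in ipsec.secrets. As an added example (not part of the original wiki page), these shell functions generate a random PSK, write an ipsec.secrets file with owner-only permissions, and flag short PSKs in an existing file. The function names, the remote_site/etc/ipsec.secrets location and the 32-character minimum are assumptions.

```shell
#!/bin/sh
# Added example: replace the walkthrough's PSK "secret" with a random one.
# Usage (run before "Start ipsec daemon"; the directory name is an assumption):
#   PSK=$(gen_psk)
#   write_secrets remote_site 172.0.0.2 172.24.4.226 "$PSK"
#   quantum vpn-connection-create ... --psk "$PSK"

# gen_psk: 32 random bytes, base64-encoded (44 characters, no quotes).
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# write_secrets DIR LEFT_ID RIGHT_ID PSK
# Writes DIR/etc/ipsec.secrets so that only the owner can read it.
write_secrets() {
    dir=$1 left=$2 right=$3 psk=$4
    mkdir -p "$dir/etc" || return 1
    (
        umask 077                          # new file is created as 0600
        rm -f "$dir/etc/ipsec.secrets"     # drop any old, wider-mode file
        printf '%s %s : PSK "%s"\n' "$left" "$right" "$psk" \
            > "$dir/etc/ipsec.secrets"
    )
}

# check_secrets FILE [MIN_LEN]
# Returns 0 when every quoted PSK has at least MIN_LEN characters
# (default 32, an assumed threshold). Reports line numbers, never the PSK.
check_secrets() {
    awk -v min="${2:-32}" '
        / : PSK "/ {
            psk = $0
            sub(/^.* : PSK "/, "", psk)    # strip the ID selectors
            sub(/".*$/, "", psk)           # strip the closing quote
            if (length(psk) < min) {
                printf "weak PSK (%d chars) on line %d\n", length(psk), NR
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}
```

check_secrets run against the file shown above (PSK "secret") reports a 6-character PSK and returns non-zero.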
Cleanup VPN Connection
    # Delete VPN Connection
    quantum vpn-connection-delete vpnconnection1

    # Delete VPN Service (created above as vpn1)
    quantum vpn-service-delete vpn1

    # Delete IKE policy
    quantum vpn-ikepolicy-delete ikepolicy1

    # Delete IPSec policy
    quantum vpn-ipsecpolicy-delete ipsecpolicy1