[Openstack-operators] Juno's VPNaaS does not work on Centos 7 with libreswan

Matias R. Cuenca del Rey maticue at gmail.com
Wed Feb 4 04:35:39 UTC 2015


Packages:
* openstack-neutron-vpn-agent-2014.2.1-1.el7.centos.noarch
* libreswan-3.8-6.el7_0.x86_64

Yesterday I modified some of openstack-neutron-vpn-agent's scripts to make VPN
work :). I don't know much about python. I'm sure it can be improved. These
are all the steps I did to enable VPNaaS on Openstack Juno on Centos 7
with libreswan.

1.- Install necessary packages:
# yum install openstack-neutron-vpn-agent libreswan -y

2.- Enable vpnaas plugin in neutron
# cat /etc/neutron/neutron.conf
...
service_plugins = router,vpnaas
...
service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
...

3.- Configure vpn plugin
# cat /etc/neutron/vpn_agent.ini

[DEFAULT]
# VPN-Agent configuration file
# Note vpn-agent inherits l3-agent, so you can use configs on l3-agent also
##interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver

[vpnagent]
# vpn device drivers which vpn agent will use
# If we want to use multiple drivers, we need to define this option multiple times.
vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver
# vpn_device_driver=neutron.services.vpn.device_drivers.cisco_ipsec.CiscoCsrIPsecDriver
# vpn_device_driver=another_driver

[ipsec]
# Status check interval
ipsec_status_check_interval=30


4.- Here we start with the dirty part :)
4.1.- Add the certutil command to vpnaas.filters, so it can be executed by
neutron rootwrap
# cat /usr/share/neutron/rootwrap/vpnaas.filters
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user

# format seems to be
# cmd-name: filter-name, raw-command, user, args

[Filters]

ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
openswan: CommandFilter, ipsec, root
libreswan: CommandFilter, certutil, root

4.2.- Edit ipsec.py, which executes the 'ipsec' and (now) 'certutil' commands
4.2.1.- If the nss db does not exist, it is created in
/var/lib/neutron/ipsec/<uuid>/etc/ipsec.d
4.2.2.- In 'ipsec pluto' execution:
4.2.2.1.- Remove '--config' option, keep ctlbase (Thanks Paul!)
4.2.2.2.- Change argument of '--ipsecdir' from
/var/lib/neutron/ipsec/<uuid>/etc/ to
/var/lib/neutron/ipsec/<uuid>/etc/ipsec.d
4.2.2.3.- Remove --use-netkey because it is the default option
4.2.3.- In 'ipsec addconn' execution:
4.2.3.1.- Remove '--defaultroutenexthop' because it is obsolete
The diff between original and modified file is:

# diff /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/ipsec.py /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/ipsec.py.original
97d96
<     bcertutil = "certutil"
114,119d112
<     NSS_FILES = [
<         'cert8.db',
<         'key3.db',
<         'secmod.db'
<     ]
<
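Review bot: these three names are the legacy dbm-format NSS database files; if the host's certutil defaults to the sql-format database (cert9.db, key4.db, pkcs11.txt), none of them will ever appear, so `_ensure_nss` would re-run `certutil -N` on every start and the check never passes. Either pin the format when creating the database (`-d dbm:<dir>`) or accept either set of file names in the check.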
189,197d181
<     def _ensure_nss(self, nss_files):
<         if not os.path.isfile(nss_files):
<             #start nss database
<             self._execute([self.bcertutil,
<                        '-N',
<                        '--empty-password',
<                        '-d', self.ipsecd_dir,
<                        ])
<
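Review bot: `--empty-password` creates a passwordless NSS database, and because the call goes through rootwrap the files under /var/lib/neutron/ipsec/<uuid>/etc/ipsec.d are created as root; make sure the directory mode limits who can read key3.db, since it would hold any private key pluto later stores for this tenant. Minor: the parameter is a single path, so `nss_files` should be `nss_file`, and the argument list is indented differently from the other `_execute` calls in this file.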
199c183
<         """Create config directory and nss files if they does not
exist."""
---
>         """Create config directory if it does not exist."""
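Review bot: docstring grammar, "if they does not exist" should read "if they do not exist".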
204,206d187
<         for nss_file in self.NSS_FILES:
<             nss_path = os.path.join(self.ipsecd_dir, nss_file)
<             self._ensure_nss(nss_path)
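Review bot: calling `_ensure_nss` once per file means `certutil -N` can run up to three times against the same directory when only some of the files are missing (for example after a partial failure); check all three paths first and initialise the database once, or skip initialisation when any of them exists, instead of looping.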
327,328d307
<         self.ipsecd_dir = os.path.join(
<             self.etc_dir, 'ipsec.d')
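Review bot: `self.ipsecd_dir` is assigned here (line 327) but already used at line 204 in `ensure_config_dir` via `_ensure_nss`; define it next to `self.etc_dir` in the same `__init__` that sets `etc_dir` so every process object has it before that loop runs. Nothing in this diff creates the ipsec.d directory either; confirm it is created before `certutil -N -d` is invoked, since certutil does not create its `-d` directory and fails with a bad-database error.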
401c380,381
<                        '--ipsecdir', self.ipsecd_dir,
---
>                        '--ipsecdir', self.etc_dir,
>                        '--use-netkey',
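Review bot: pointing `--ipsecdir` at the per-process ipsec.d is what makes pluto find the database certutil created above, so keep the two changes together. Dropping `--use-netkey` relies on it being libreswan's default; add a one-line comment saying so, since this driver is also the one used with openswan.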
412a393
>                            '--defaultroutenexthop', nexthop,
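Review bot: with `'--defaultroutenexthop', nexthop` removed, the `nexthop` value is no longer used at this call site; remove the code that computes it (and its route lookup inside the namespace) so it is not dead code, or note in the commit message why it is kept.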

4.3.- Edit ipsec.conf.template, which is used to generate
/var/lib/neutron/ipsec/<uuid>/ipsec.conf (necessary for the ipsec addconn
command)
Just comment out the obsolete options. The diff between original and modified file
is:

# diff /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/template/openswan/ipsec.conf.template /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/template/openswan/ipsec.conf.template.original
3c3
<     # nat_traversal=yes
---
>     nat_traversal=yes
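Review bot: this template is the one the unmodified OpenSwanDriver renders on openswan hosts too; after this hunk openswan no longer gets `nat_traversal=yes` (libreswan has NAT traversal always on and rejects the keyword). Either keep a separate template for libreswan or have the driver select the option per implementation, rather than editing the shared file in place.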
7,8c7
<     # keylife=60m
<     salifetime=60m
---
>     keylife=60m
20c19
<     # leftnexthop=%defaultroute
---
>     leftnexthop=%defaultroute
31c30
<     # rightnexthop=%defaultroute
---
>     rightnexthop=%defaultroute
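Review bot: removing `rightnexthop=%defaultroute` (and `leftnexthop` in the hunk above) matches dropping `--defaultroutenexthop` from addconn in ipsec.py; libreswan derives the next hop from the routing table in the namespace, so land these template and driver changes in the same commit or the config will be inconsistent between them.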
63,64c62
<     # lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
<     salifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
---
>     lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
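Review bot: `salifetime` is the libreswan keyword for the IPsec SA lifetime, so this and the `keylife=60m` hunk above are the right replacements; the per-connection value set here overrides the `%default` one, which is the intended precedence. Consider deleting the commented `lifetime=`/`keylife=` lines instead of keeping them, so the rendered ipsec.conf does not carry stale openswan options.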

5.- Enable and start vpn-agent
# systemctl enable neutron-vpn-agent
# systemctl start neutron-vpn-agent


Hope it could be useful to someone.

Matías R. Cuenca del Rey
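Added example, not from the post or from neutron itself: two small helpers that mirror the manual edits above (steps 4.2.1 and 4.3), so the template rewrite and the NSS database check can be applied and verified rather than hand-edited. The option mapping and the three database file names are taken from the post; the injectable `isfile` argument and the sample template are assumptions for testing.

```python
# Added example, not from the post: helpers mirroring the two manual edits above.
import os
import re

# openswan keywords the post comments out (libreswan 3.x rejects them)
OBSOLETE_OPTIONS = {'nat_traversal', 'leftnexthop', 'rightnexthop'}
# openswan keywords the post replaces with the libreswan name
RENAMED_OPTIONS = {'keylife': 'salifetime', 'lifetime': 'salifetime'}
# legacy NSS database files "certutil -N" creates (assumes dbm format)
NSS_FILES = ('cert8.db', 'key3.db', 'secmod.db')
_OPTION_RE = re.compile(r'^(\s*)([A-Za-z_]+)\s*=\s*(.*)$')


def to_libreswan(template_text):
    """Rewrite openswan-style ipsec.conf text for libreswan: obsolete
    options become comments (as in the post's diff), renamed options keep a
    commented original plus the new keyword; values and Jinja tags are kept."""
    out = []
    for line in template_text.splitlines():
        match = _OPTION_RE.match(line)
        if match:
            indent, key, value = match.groups()
            if key in OBSOLETE_OPTIONS or key in RENAMED_OPTIONS:
                out.append('%s# %s=%s' % (indent, key, value))
                if key in RENAMED_OPTIONS:
                    out.append('%s%s=%s' % (indent, RENAMED_OPTIONS[key], value))
                continue
        out.append(line)
    return '\n'.join(out) + '\n'


def nss_init_command(ipsecd_dir, isfile=os.path.isfile):
    """Return the certutil argv that creates an empty NSS database in
    ipsecd_dir, or None if any database file already exists, so a partially
    created database is never re-initialised (isfile is injectable)."""
    if any(isfile(os.path.join(ipsecd_dir, f)) for f in NSS_FILES):
        return None
    return ['certutil', '-N', '--empty-password', '-d', ipsecd_dir]


# Constructed sample in the shape of the Juno template (not the real file).
SAMPLE_TEMPLATE = (
    "config setup\n"
    "    nat_traversal=yes\n"
    "conn %default\n"
    "    keylife=60m\n"
    "    lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s\n"
)

if __name__ == '__main__':
    print(to_libreswan(SAMPLE_TEMPLATE))
    print(nss_init_command('/var/lib/neutron/ipsec/<uuid>/etc/ipsec.d'))
```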