<p dir="ltr">Matias,</p>
<p dir="ltr">This is great stuff! Thanks for sharing. I came up with something similar this past weekend, but I then ran into the issue where the PID file was left behind whenever Pluto gets restarted (which happens constantly). Did you run into that issue?</p>
<p dir="ltr">Thanks,<br>
Erik</p>
<div class="gmail_quote">On Feb 3, 2015 11:37 PM, "Matias R. Cuenca del Rey" <<a href="mailto:maticue@gmail.com">maticue@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><span style="font-size:13px">Packages:</span></div><div><span style="font-size:13px">* </span><span style="font-size:13px">openstack-neutron-vpn-agent-</span><span style="font-size:13px">2014.2.1-1.el7.centos.noarch</span></div><div>* <span style="font-size:13px">libreswan-3.8-6.el7_0.x86_64</span></div><span style="font-size:13px"><div><span style="font-size:13px"><br></span></div>Yesterday I modified some of openstack-neutron-vpn-agent</span><span style="font-size:13px">'s scripts to make VPN work :). I don't know much about Python. I'm sure it can be improved. These are all the steps I did to enable VPNaaS on OpenStack Juno with CentOS 7 and libreswan.</span><br style="font-size:13px"><br style="font-size:13px"><span style="font-size:13px">1.- Install the necessary packages:</span><br style="font-size:13px"><div style="font-size:13px"># <span style="color:rgb(72,72,72);font-size:12px;background-color:rgb(250,250,250)">yum install openstack-neutron-vpn-agent libreswan -y</span></div><div style="font-size:13px"><span style="color:rgb(72,72,72);font-size:12px;background-color:rgb(250,250,250)"><br></span></div><div style="font-size:13px"><span style="color:rgb(72,72,72);font-size:12px;background-color:rgb(250,250,250)">2.- Enable the vpnaas plugin in neutron</span></div><div style="font-size:13px"><span style="color:rgb(72,72,72);font-size:12px;background-color:rgb(250,250,250)"># cat</span> /etc/neutron/neutron.conf<br>...<br>service_plugins = router,vpnaas<br>...<br>service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default<br>...<br><br>3.- Configure the vpn plugin<br># cat /etc/neutron/vpn_agent.ini<br><br>[DEFAULT]<br># VPN-Agent configuration file<br># Note 
vpn-agent inherits l3-agent, so you can use configs on l3-agent also<br>##interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver<br><br>[vpnagent]<br># vpn device drivers which vpn agent will use<br># If we want to use multiple drivers, we need to define this option multiple times.<br>vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver<br># vpn_device_driver=neutron.services.vpn.device_drivers.cisco_ipsec.CiscoCsrIPsecDriver<br># vpn_device_driver=another_driver<br><br>[ipsec]<br># Status check interval<br>ipsec_status_check_interval=30</div><div style="font-size:13px"><br></div><div style="font-size:13px"><br></div><div style="font-size:13px">4.- Here we start with the dirty part :)</div><div style="font-size:13px">4.1.- Add the certutil command to vpnaas.filters, so it can be executed through neutron rootwrap</div><span style="font-size:13px"># cat /usr/share/neutron/rootwrap/</span><span style="font-size:13px">vpnaas.filters</span><br style="font-size:13px"><span style="font-size:13px"># neutron-rootwrap command filters for nodes on which neutron is</span><br style="font-size:13px"><span style="font-size:13px"># expected to control network</span><br style="font-size:13px"><span style="font-size:13px">#</span><br style="font-size:13px"><span style="font-size:13px"># This file should be owned by (and only-writeable by) the root user</span><br style="font-size:13px"><br style="font-size:13px"><span style="font-size:13px"># format seems to be</span><br style="font-size:13px"><span style="font-size:13px"># cmd-name: filter-name, raw-command, user, args</span><br style="font-size:13px"><br style="font-size:13px"><span style="font-size:13px">[Filters]</span><br style="font-size:13px"><br style="font-size:13px"><span style="font-size:13px">ip: IpFilter, ip, root</span><br style="font-size:13px"><span style="font-size:13px">ip_exec: IpNetnsExecFilter, ip, root</span><br style="font-size:13px"><span style="font-size:13px">openswan: 
CommandFilter, ipsec, root</span><br style="font-size:13px"><span style="font-size:13px">libreswan: CommandFilter, certutil, root</span><div style="font-size:13px"><br></div><div style="font-size:13px">4.2.- Edit ipsec.py, which executes the 'ipsec' and (now) 'certutil' commands</div><div style="font-size:13px">4.2.1.- If the nss db does not exist, it is created in /var/lib/neutron/ipsec/<uuid>/etc/ipsec.d</div><div style="font-size:13px">4.2.2.- In the 'ipsec pluto' execution:</div><div style="font-size:13px">4.2.2.1.- Remove the '--config' option, keep ctlbase (Thanks Paul!)</div><div style="font-size:13px">4.2.2.2.- Change the argument of '--ipsecdir' from /var/lib/neutron/ipsec/<uuid>/etc/ to /var/lib/neutron/ipsec/<uuid>/etc/ipsec.d<br></div><div style="font-size:13px">4.2.2.3.- Remove --use-netkey because it is the default option</div><div style="font-size:13px">4.2.3.- In the 'ipsec addconn' execution:<br>4.2.3.1.- Remove '--defaultroutenexthop' because it is obsolete<br>The diff between the original and modified file is:<br><br># diff /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/ipsec.py /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/ipsec.py.original <br>97d96<br>< bcertutil = "certutil" <br>114,119d112<br>< NSS_FILES = [<br>< 'cert8.db',<br>< 'key3.db',<br>< 'secmod.db'<br>< ]<br>< <br>189,197d181<br>< def _ensure_nss(self, nss_files):<br>< if not os.path.isfile(nss_files):<br>< #start nss database<br>< self._execute([self.bcertutil,<br>< '-N',<br>< '--empty-password',<br>< '-d', self.ipsecd_dir,<br>< ])<br>< <br>199c183<br>< """Create config directory and nss files if they does not exist.""" <br>---<br>> """Create config directory if it does not exist.""" <br>204,206d187<br>< for nss_file in self.NSS_FILES:<br>< nss_path = os.path.join(self.ipsecd_dir, nss_file)<br>< self._ensure_nss(nss_path)<br>327,328d307<br>< self.ipsecd_dir = os.path.join(<br>< self.etc_dir, 'ipsec.d')<br>401c380,381<br>< '--ipsecdir', self.ipsecd_dir,<br>---<br>> 
'--ipsecdir', self.etc_dir,<br>> '--use-netkey',<br>412a393<br>> '--defaultroutenexthop', nexthop,<br><br></div><div style="font-size:13px"><span style="color:rgb(72,72,72);font-size:12px;background-color:rgb(250,250,250)">4.3.- </span>Edit <span style="color:rgb(72,72,72);font-size:12px;background-color:rgb(250,250,250)">ipsec.conf.template</span>, which is used to generate /var/lib/neutron/ipsec/<uuid>/ipsec.conf (necessary for the ipsec addconn command)</div><div style="font-size:13px">Just comment out the obsolete options. The diff between the original and modified file is:</div><div style="font-size:13px"><br></div><div style="font-size:13px"># diff /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/template/openswan/ipsec.conf.template /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/template/openswan/ipsec.conf.template.original <br>3c3<br>< # nat_traversal=yes<br>---<br>> nat_traversal=yes<br>7,8c7<br>< # keylife=60m<br>< salifetime=60m<br>---<br>> keylife=60m<br>20c19<br>< # leftnexthop=%defaultroute<br>---<br>> leftnexthop=%defaultroute<br>31c30<br>< # rightnexthop=%defaultroute<br>---<br>> rightnexthop=%defaultroute<br>63,64c62<br>< # lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s<br>< salifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s<br>---<br>> lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s</div><div style="font-size:13px"><br></div><div style="font-size:13px">5.- Enable and start the vpn-agent</div><div style="font-size:13px"># systemctl enable neutron-vpn-agent<br># systemctl start neutron-vpn-agent</div><div style="font-size:13px"><br></div><div style="font-size:13px"><br></div><div style="font-size:13px">Hope it is useful to someone.</div><div style="font-size:13px"><br></div><div><div>Matías R. Cuenca del Rey</div></div>
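<div>Review bot: in the 189,197d181 and 204,206d187 hunks of the ipsec.py diff, the check in _ensure_nss is per file but the action is not: the loop over NSS_FILES calls _ensure_nss for cert8.db, key3.db and secmod.db in turn, and any one missing file triggers 'certutil -N --empty-password -d self.ipsecd_dir', which initialises the whole database at once, so a partially present database (one file missing, two present) runs 'certutil -N' against an existing store. Check the set once, e.g. 'if not all(os.path.isfile(os.path.join(self.ipsecd_dir, f)) for f in self.NSS_FILES):', and run certutil once; the parameter nss_files, which actually receives a single path, would then disappear as well. Because --empty-password leaves the private keys in key3.db protected only by file permissions, the hunk should also state what mode /var/lib/neutron/ipsec/<uuid>/etc/ipsec.d is expected to have, and since the matching 'libreswan: CommandFilter, certutil, root' line from step 4.1 lets the agent run certutil as root with any arguments, a RegExpFilter limited to '-N --empty-password -d' would narrow that.</div>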
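<div>Review bot: in the ipsec.conf.template diff, hunks 3c3, 7,8c7, 20c19, 31c30 and 63,64c62 keep each replaced openswan line as a comment ('# nat_traversal=yes', '# keylife=60m', '# leftnexthop=%defaultroute', '# rightnexthop=%defaultroute', '# lifetime=...') next to its salifetime replacement or simply commented out; since this template is rendered into /var/lib/neutron/ipsec/<uuid>/ipsec.conf, those commented lines are copied into every generated config and say nothing about why they were disabled. Drop them and add one header comment to the template stating that it targets libreswan, that keylife/lifetime were replaced by salifetime and that the nat_traversal and nexthop lines were removed as obsolete, so that someone reading a rendered ipsec.conf or the OpenSwanDriver code later understands why an openswan-named driver emits libreswan keywords.</div>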
</div>
<br>_______________________________________________<br>
OpenStack-operators mailing list<br>
<a href="mailto:OpenStack-operators@lists.openstack.org">OpenStack-operators@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br>
<br></blockquote></div>