<div dir="ltr"><div><div><div><div><div>Hi Erik,<br></div>I had the same issue. I think it is because there are no nss db files. You could try executing the following commands:<br><br></div></div>1.- On the network node, add the certutil command to rootwrap<br></div><div>2.1.- Root user<br></div># echo "libreswan: CommandFilter, certutil, root" >> /usr/share/neutron/rootwrap/vpnaas.filters<br></div># systemctl restart neutron-vpn-agent<br><br>2.- On the controller node, create the connection<br># neutron ipsec-site-connection-create 
--vpnservice-id demo-vpn-vpnservice --ikepolicy-id demo-vpn-ikepolicy 
--ipsecpolicy-id demo-vpn-ipsecpolicy --peer-address YYY.YYY.YYY.YYY 
--peer-id YYY.YYY.YYY.YYY --peer-cidr 192.168.88.0/24 --psk motorolag 
--name demo-vpn-ipsecsiteconnection<br><div><div><br></div><div>3.- On the network node, as the neutron user, execute the following commands<br># su - -s /bin/bash neutron<br></div><div>##Comment: Start a new nss db<br></div><div>$ sudo /bin/neutron-rootwrap /etc/neutron/rootwrap.conf ip netns exec qrouter-<uid> certutil -N -d /var/lib/neutron/ipsec/<uid>/etc/ipsec.d/ --empty-password<br></div><div>##Comment: Start the ipsec process<br></div><div>$ sudo /bin/neutron-rootwrap /etc/neutron/rootwrap.conf ip netns exec qrouter-<uid> ipsec pluto --ctlbase /var/lib/neutron/ipsec/<uid>/var/run/pluto --ipsecdir /var/lib/neutron/ipsec/<uid>/etc/ipsec.d --config /var/lib/neutron/ipsec/<uid>/etc/ipsec.conf --uniqueids --nat_traversal --secretsfile /var/lib/neutron/ipsec/<uid>/etc/ipsec.secrets --virtual_private %v4:192.168.1.0/24,%v4:192.168.88.0/24<br></div><div>##Comment: Now the PID file should exist and you should see the pluto state<br></div><div>$ ls /var/lib/neutron/ipsec/<uid>/var/run/<br>pluto  pluto.ctl  pluto.pid<br>$ sudo /bin/neutron-rootwrap /etc/neutron/rootwrap.conf ip netns exec qrouter-<uid> ipsec whack --ctlbase /var/lib/neutron/ipsec/<uid>/var/run/pluto --status<br><br></div></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature">Matías R. Cuenca del Rey</div></div>
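<br><div>An added health check for one router namespace, written for this thread rather than taken from it: it verifies the three NSS database files named in the quoted ipsec.py diff (cert8.db, key3.db, secmod.db) and classifies pluto.pid as missing, running or stale, the last being the leftover file Erik asks about. Paths follow the step 3 commands above; IPSEC_BASE and the function names are assumptions.</div>

```bash
# Health check for one neutron VPNaaS router namespace (added example,
# not from the thread). Paths follow the step 3 commands; IPSEC_BASE and
# the function names are assumptions. Run on the network node as root.

IPSEC_BASE=${IPSEC_BASE:-/var/lib/neutron/ipsec}

# nss_db_present DIR: 0 when all three legacy NSS db files exist in DIR.
# A partial set counts as absent so the operator sees the directory needs
# attention instead of re-running 'certutil -N' over an existing database.
nss_db_present() {
    dir=$1
    for f in cert8.db key3.db secmod.db; do
        [ -f "$dir/$f" ] || return 1
    done
    return 0
}

# pidfile_state PIDFILE: prints missing | running | stale.
# "stale" = the file exists but no process with that pid is alive, i.e.
# the pluto.pid left behind after a pluto restart.
pidfile_state() {
    pidfile=$1
    [ -f "$pidfile" ] || { echo missing; return 0; }
    pid=$(tr -cd '0-9' < "$pidfile")
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        echo running
    else
        echo stale
    fi
}

# check_router UID: report on qrouter-UID using the same paths as step 3.
check_router() {
    base="$IPSEC_BASE/$1"
    if nss_db_present "$base/etc/ipsec.d"; then
        echo "nss db: ok"
    else
        echo "nss db: missing or incomplete in $base/etc/ipsec.d"
    fi
    state=$(pidfile_state "$base/var/run/pluto.pid")
    echo "pluto.pid: $state"
    if [ "$state" = running ]; then
        ip netns exec "qrouter-$1" ipsec whack \
            --ctlbase "$base/var/run/pluto" --status
    fi
}

if [ $# -eq 1 ]; then check_router "$1"; fi
```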
<br><div class="gmail_quote">On Wed, Feb 4, 2015 at 9:49 AM, Erik McCormick <span dir="ltr"><<a href="mailto:emccormick@cirrusseven.com" target="_blank">emccormick@cirrusseven.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">Matias,</p>
<p dir="ltr">This is great stuff! Thanks for sharing. I came up with something similar this past weekend, but I then ran into the issue where the PID file was left behind whenever Pluto gets restarted (which happens constantly). Did you run into that issue?</p>
<p dir="ltr">Thanks,<br>
Erik</p>
<div class="gmail_quote"><div><div class="h5">On Feb 3, 2015 11:37 PM, "Matias R. Cuenca del Rey" <<a href="mailto:maticue@gmail.com" target="_blank">maticue@gmail.com</a>> wrote:<br type="attribution"></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr"><div><span style="font-size:13px">Packages:</span></div><div><span style="font-size:13px">* openstack-neutron-vpn-agent-2014.2.1-1.el7.centos.noarch</span></div><div><span style="font-size:13px">* libreswan-3.8-6.el7_0.x86_64</span></div><div><br></div><span style="font-size:13px">Yesterday I modified one of openstack-neutron-vpn-agent's scripts to make VPN work :). I don't know much about python. I'm sure it can be improved. These are all the steps I did to enable VPNaaS on OpenStack Juno on CentOS 7 with libreswan.</span><br style="font-size:13px"><br style="font-size:13px"><span style="font-size:13px">1.- Install the necessary packages:</span><br style="font-size:13px"><div style="font-size:13px"># yum install openstack-neutron-vpn-agent libreswan -y</div><div style="font-size:13px"><br></div><div style="font-size:13px">2.- Enable the vpnaas plugin in neutron</div><div style="font-size:13px"># cat /etc/neutron/neutron.conf<br>...<br>service_plugins = router,vpnaas<br>...<br>service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default<br>...<br><br>3.- Configure the vpn plugin<br># cat 
/etc/neutron/vpn_agent.ini<br><br>[DEFAULT]<br># VPN-Agent configuration file<br># Note vpn-agent inherits l3-agent, so you can use configs on l3-agent also<br>##interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver<br><br>[vpnagent]<br># vpn device drivers which vpn agent will use<br># If we want to use multiple drivers,  we need to define this option multiple times.<br>vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver<br># vpn_device_driver=neutron.services.vpn.device_drivers.cisco_ipsec.CiscoCsrIPsecDriver<br># vpn_device_driver=another_driver<br><br>[ipsec]<br># Status check interval<br>ipsec_status_check_interval=30</div><div style="font-size:13px"><br></div><div style="font-size:13px">4.- Here we start with the dirty part :)</div><div style="font-size:13px">4.1.- Add the certutil command to vpnaas.filters, so it can be executed through neutron rootwrap</div><span style="font-size:13px"># cat /usr/share/neutron/rootwrap/vpnaas.filters</span><br style="font-size:13px"><span style="font-size:13px"># neutron-rootwrap command filters for nodes on which neutron is</span><br style="font-size:13px"><span style="font-size:13px"># expected to control network</span><br style="font-size:13px"><span style="font-size:13px">#</span><br style="font-size:13px"><span style="font-size:13px"># This file should be owned by (and only-writeable by) the root user</span><br style="font-size:13px"><br style="font-size:13px"><span style="font-size:13px"># format seems to be</span><br style="font-size:13px"><span style="font-size:13px"># cmd-name: filter-name, raw-command, user, args</span><br style="font-size:13px"><br style="font-size:13px"><span style="font-size:13px">[Filters]</span><br style="font-size:13px"><br style="font-size:13px"><span style="font-size:13px">ip: IpFilter, ip, root</span><br style="font-size:13px"><span style="font-size:13px">ip_exec: IpNetnsExecFilter, 
ip, root</span><br style="font-size:13px"><span style="font-size:13px">openswan: CommandFilter, ipsec, root</span><br style="font-size:13px"><span style="font-size:13px">libreswan: CommandFilter, certutil, root</span><div style="font-size:13px"><br></div><div style="font-size:13px">4.2.- Edit ipsec.py, which executes the 'ipsec' and (now) 'certutil' commands</div><div style="font-size:13px">4.2.1.- If the nss db does not exist, it is created in /var/lib/neutron/ipsec/<uuid>/etc/ipsec.d</div><div style="font-size:13px">4.2.2.- In the 'ipsec pluto' execution:</div><div style="font-size:13px">4.2.2.1.- Remove the '--config' option, keep ctlbase (Thanks Paul!)</div><div style="font-size:13px">4.2.2.2.- Change the argument of '--ipsecdir' from /var/lib/neutron/ipsec/<uuid>/etc/ to /var/lib/neutron/ipsec/<uuid>/etc/ipsec.d<br></div><div style="font-size:13px">4.2.2.3.- Remove --use-netkey because it is the default option</div><div style="font-size:13px">4.2.3.- In the 'ipsec addconn' execution:<br>4.2.3.1.- Remove '--defaultroutenexthop' because it is obsolete<br>The diff between the original and modified files is:<br><br># diff  /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/ipsec.py /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/ipsec.py.original <br>97d96<br><     bcertutil = "certutil" <br>114,119d112<br><     NSS_FILES = [<br><         'cert8.db',<br><         'key3.db',<br><         'secmod.db'<br><     ]<br>< <br>189,197d181<br><     def _ensure_nss(self, nss_files):<br><         if not os.path.isfile(nss_files):<br><             #start nss database<br><             self._execute([self.bcertutil,<br><                        '-N',<br><                        '--empty-password',<br><                        '-d', self.ipsecd_dir,<br><                        ])<br>< <br>199c183<br><         """Create config directory and nss files if they does not exist.""" <br>---<br>>         """Create config directory if it does not exist.""" <br>204,206d187<br><      
   for nss_file in self.NSS_FILES:<br><             nss_path = os.path.join(self.ipsecd_dir, nss_file)<br><             self._ensure_nss(nss_path)<br>327,328d307<br><         self.ipsecd_dir = os.path.join(<br><             self.etc_dir, 'ipsec.d')<br>401c380,381<br><                        '--ipsecdir', self.ipsecd_dir,<br>---<br>>                        '--ipsecdir', self.etc_dir,<br>>                        '--use-netkey',<br>412a393<br>>                            '--defaultroutenexthop', nexthop,<br><br></div><div style="font-size:13px">4.3.- Edit ipsec.conf.template, which is used to generate /var/lib/neutron/ipsec/<uid>/ipsec.conf (needed by the ipsec addconn command)</div><div style="font-size:13px">Just comment out the obsolete options. The diff between the original and modified files is:</div><div style="font-size:13px"><br></div><div style="font-size:13px"># diff /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/template/openswan/ipsec.conf.template /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/template/openswan/ipsec.conf.template.original <br>3c3<br><     # nat_traversal=yes<br>---<br>>     nat_traversal=yes<br>7,8c7<br><     # keylife=60m<br><     salifetime=60m<br>---<br>>     keylife=60m<br>20c19<br><     # leftnexthop=%defaultroute<br>---<br>>     leftnexthop=%defaultroute<br>31c30<br><     # rightnexthop=%defaultroute<br>---<br>>     rightnexthop=%defaultroute<br>63,64c62<br><     # lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s<br><     salifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s<br>---<br>>     lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s</div><div style="font-size:13px"><br></div><div style="font-size:13px">5.- Enable and start the vpn-agent</div><div style="font-size:13px"># systemctl enable neutron-vpn-agent<br># systemctl start neutron-vpn-agent</div><div style="font-size:13px"><br></div><div style="font-size:13px">I hope this is useful to someone.</div><div style="font-size:13px"><br></div><div><div>Matías R. Cuenca del Rey</div></div>
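<div><br></div><div>Review bot: in the ipsec.py diff, the 189,197 and 204,206 hunks call _ensure_nss once per entry of NSS_FILES and run certutil -N -d self.ipsecd_dir whenever any single file is missing, so a directory holding cert8.db but not secmod.db triggers certutil -N against an already initialised database instead of a clear error; test for the three files once and invoke certutil once, and rename the parameter nss_files to nss_path since it receives a single path. The --empty-password database deserves a comment at that call: the key store under /var/lib/neutron/ipsec/&lt;uuid&gt;/etc/ipsec.d then has no password of its own and is protected only by the directory permissions. Note also that the diff was taken with the modified file first (diff ipsec.py ipsec.py.original), so the &lt; lines are the additions; anyone applying it to a stock Juno ipsec.py needs patch -R, or the diff should be regenerated as diff original modified.</div><div><br></div><div>Review bot: in the ipsec.conf.template diff, the 3c3, 20c19 and 31c30 hunks keep the obsolete nat_traversal, leftnexthop and rightnexthop lines as comments, and 7,8c7 and 63,64c62 keep the old keylife= and lifetime= lines the same way; since this template is rendered into every generated ipsec.conf, delete the dead lines rather than commenting them, and verify that the per-connection salifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s takes precedence over the earlier salifetime=60m, otherwise the lifetime set on the neutron IPsec policy is silently ignored.</div>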
</div>
<br></div></div>_______________________________________________<br>
OpenStack-operators mailing list<br>
<a href="mailto:OpenStack-operators@lists.openstack.org" target="_blank">OpenStack-operators@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br>
<br></blockquote></div>
</blockquote></div><br></div>