[Openstack] LBaaS & VPNaaS

Paul Michali pc at michali.net
Thu Oct 8 11:32:58 UTC 2015


I've mostly run VPNaaS via devstack, and haven't worked with Juno in a long
time...

See @PCM in-line...



On Wed, Oct 7, 2015 at 1:37 PM James Denton <james.denton at rackspace.com>
wrote:

> Hi Yngvi,
>
> In my most recent experience with VPNaaS on Kilo, I did the following (all
> on the controller node):
>
> 1. Install VPN agent
>
> apt-get install neutron-vpnaas-agent
>
> 2. Edit /etc/neutron/vpn_agent.ini and add the following to configure the
> device driver:
>
> [vpnagent]
> vpn_device_driver = neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver
>

@PCM Two points to consider here, Yngvi. First, do you want to run the
OpenSwan or the StrongSwan based implementation?  Second, I'm not sure how
solid StrongSwan was in Juno (it came out in Juno and afterwards there were
some fixes, like IPv6 support, etc).



>
> 3. Edit /etc/neutron/neutron.conf and add vpnaas to the list of service
> plugins:
>
> service_plugins = router,vpnaas
>

> 4. Edit /etc/neutron/neutron_vpnaas.conf and configure the service
> provider:
>
> [service_providers]
> service_provider = VPN:vpnaas:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
>

@PCM James, back in Juno there was no neutron_vpnaas.conf file, IIRC. This
would go in neutron.conf.



> 5. Restart Neutron service:
>
> service neutron-server restart
>
> 6. Update AppArmor profile:
>
> sudo ln -sf /etc/apparmor.d/usr.lib.ipsec.charon /etc/apparmor.d/disable/
> sudo ln -sf /etc/apparmor.d/usr.lib.ipsec.stroke /etc/apparmor.d/disable/
> service apparmor restart
>

@PCM Above is only needed for StrongSwan, and not OpenSwan



>
> 7. Work around https://bugs.launchpad.net/neutron/+bug/1456335
>
> cat >> /usr/bin/neutron-vpn-netns-wrapper << EOF
> #!/usr/bin/python2
>
> import sys
>
> from neutron_vpnaas.services.vpn.common.netns_wrapper import main
>
> if __name__ == "__main__":
>     sys.exit(main())
> EOF
>
>
> 8. Set permissions:
>
> chmod 755 /usr/bin/neutron-vpn-netns-wrapper
>

@PCM Steps 7 & 8 only for StrongSwan, right?



>
> 9. Restart VPN agent
>
>
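
A read-only audit of the state that steps 2-8 above leave on the controller, as an added example that is not part of either poster's message: it flags a `vpn_device_driver` key whose value has been split onto the next line (as happens when a config line is pasted from wrapped e-mail), lists every AppArmor profile that has been disabled, and checks the wrapper's mode. The `ROOT` prefix argument, the function names and the constructed sample tree are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): audit what steps 2-8 leave on a node.
# ROOT is a hypothetical prefix argument; pass "" to check the live filesystem.

ini_value() {  # ini_value FILE KEY: print the value found on the KEY line
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null | tail -n 1
}

audit_vpnaas() (  # audit_vpnaas ROOT: one finding per line, status 1 if any
    root=$1 bad=0
    finding() { echo "$*"; bad=1; }
    # Step 2: a key left alone on its line (value wrapped below it) reads as unset.
    [ -n "$(ini_value "$root/etc/neutron/vpn_agent.ini" vpn_device_driver)" ] ||
        finding "CONFIG vpn_device_driver unset or wrapped onto the next line"
    # Step 3: vpnaas must be one of the comma-separated service plugins.
    case ",$(ini_value "$root/etc/neutron/neutron.conf" service_plugins | tr -d ' \t')," in
        *,vpnaas,*) ;;
        *) finding "CONFIG vpnaas not in service_plugins" ;;
    esac
    # Step 6: every link in disable/ is a profile AppArmor no longer enforces.
    for link in "$root"/etc/apparmor.d/disable/*; do
        if [ -L "$link" ]; then finding "APPARMOR profile disabled: ${link##*/}"; fi
    done
    # Steps 7 and 8: the wrapper must exist and be writable by its owner only (755).
    w=$root/usr/bin/neutron-vpn-netns-wrapper
    if [ ! -f "$w" ]; then
        finding "WRAPPER missing: $w"
    elif [ -n "$(find "$w" \( -perm -020 -o -perm -002 \))" ]; then
        finding "WRAPPER writable by group or others: $w"
    fi
    [ "$bad" -eq 0 ]
)

make_sample_tree() {  # constructed sample: the thread's end state under DIR ($1)
    mkdir -p "$1/etc/neutron" "$1/etc/apparmor.d/disable" "$1/usr/bin"
    drv=neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver
    # The driver value is deliberately wrapped to show the paste failure mode.
    printf '[vpnagent]\nvpn_device_driver\n= %s\n' "$drv" > "$1/etc/neutron/vpn_agent.ini"
    printf '[DEFAULT]\nservice_plugins = router,vpnaas\n' > "$1/etc/neutron/neutron.conf"
    for p in charon stroke; do
        ln -sf "../usr.lib.ipsec.$p" "$1/etc/apparmor.d/disable/usr.lib.ipsec.$p"
    done
    printf '#!/usr/bin/python2\n' > "$1/usr/bin/neutron-vpn-netns-wrapper"
    chmod 755 "$1/usr/bin/neutron-vpn-netns-wrapper"
}

if [ "$#" -gt 0 ]; then audit_vpnaas "$1"; fi
```

Passing an empty string as the argument audits the live filesystem; with no argument the script only defines its functions. The AppArmor findings are expected on a node that followed step 6 and are reported so the reduced confinement stays visible.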