[openstack-dev] [neutron] Need help getting DevStack setup working for VPN testing
Paul Michali (pcm)
pcm at cisco.com
Wed Dec 31 15:33:42 UTC 2014
I’ve been playing a bit with trying to get VPNaaS working post-repo split, and haven’t been successful. I’m trying it a few ways with DevStack, and I’m not sure whether I have a config error, setup issue, or there is something due to the split.
In the past (and it’s been a few months since I verified VPN operation), I used two bare metal machines and an external switch connecting them. With a DevStack cloud running on each. That configuration is currently set up for a vendor VPN solution, so I wanted to try different methods to test the reference VPN implementation. I’ve got two ideas to do this:
A) Run DevStack and create two routers with a shared “public” network, and two private networks, setting up a VPN connection between the private nets.
B) Run two DevStack instances (on two VMs) and try to set up a provider network between them.
I’m starting with A (though I did try B quickly, but it didn’t work), and I spun up the stack, added a second router (all under the same tenant), created another private network, and booted a Cirros VM in each private net.
Before even trying VPN, I checked pings. From the first private net VM (10.1.0.4), I could ping on the public net, including the public IP of the second private net’s public interface for its router. I cannot ping the VM from the host. That seems all expected to me.
What seems wrong is the other VM (this is on the post stack net I created). Like the other VM, I can ping public net IPs. However, I can also ping the private net address of the first network’s router (10.1.0.1)! Shouldn’t that have failed (at least that was what I was expecting)? I can’t ping the VM on that side though. Another curiosity is that the VM got the second IP on the subnet (10.2.0.2), unlike the other private net, where DHCP and a compute probe got the 2nd and 3rd IPs. There is DHCP enabled on this private network.
When I tried VPN, both connections show as DOWN, and all I see are phase 1 ident packets. I cannot ping from VM to VM. I don’t see any logging for the OpenSwan processes, so not too sure how to debug. Maybe I can try some ipsec show command?
I’m not too sure what is wrong with this setup.
For a comparison, I decided to do the same thing, using stable/juno. So, I fired up a VM and cloned DevStack with stable/juno and stacked. This time, things are even worse! When I try to boot a VM, and then check the status, the VM is in PAUSED power state. I can’t seem to unpause (nor do I know why it is in this state). Verified this with both Cirros 3.3, 3.2, and Ubuntu cloud images:
+--------------------------------------+----------------------------------------------------------------+
| Property | Value |
+--------------------------------------+----------------------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-SRV-ATTR:host | juno |
| OS-EXT-SRV-ATTR:hypervisor_hostname | juno |
| OS-EXT-SRV-ATTR:instance_name | instance-00000001 |
| OS-EXT-STS:power_state | 3 |
| OS-EXT-STS:task_state | - |
| OS-EXT-STS:vm_state | active |
| OS-SRV-USG:launched_at | 2014-12-31T15:15:33.000000 |
| OS-SRV-USG:terminated_at | - |
| accessIPv4 | |
| accessIPv6 | |
| config_drive | |
| created | 2014-12-31T15:15:24Z |
| flavor | m1.tiny (1) |
| hostId | 5b0c48250ccc0ac3fca8a821e29e4b154ec0b101f9cc0a0b27071a3f |
| id | ec5c8d70-ae80-4cc3-a5bb-b68019170dd6 |
| image | cirros-0.3.3-x86_64-uec (797e4dee-8c03-497f-8dac-a44b9351dfa3) |
| key_name | - |
| metadata | {} |
| name | peter |
| os-extended-volumes:volumes_attached | [] |
| private network | 10.0.0.4 |
| progress | 0 |
| security_groups | default |
| status | ACTIVE |
| tenant_id | 7afb5bc1d88d462c8d57178437d3c277 |
| updated | 2014-12-31T15:15:34Z |
| user_id | 4ff18bdbeb4d436ea4ff1bcd29e269a9 |
+--------------------------------------+----------------------------------------------------------------+
+--------------------------------------+-------+--------+------------+-------------+------------------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+-------+--------+------------+-------------+------------------+
| ec5c8d70-ae80-4cc3-a5bb-b68019170dd6 | peter | ACTIVE | - | Paused | private=10.0.0.4 |
+--------------------------------------+-------+--------+------------+-------------+------------------+
Any ideas why the VM won’t start up correctly? I didn’t see anything on a google search.
For reference, here is my local.conf currently:
[[local|localrc]]
GIT_BASE=https://github.com
DEST=/opt/stack
disable_service n-net
enable_service q-svc
enable_service q-agt
enable_service q-dhcp
enable_service q-l3
enable_service q-meta
enable_service neutron
enable_service q-vpn
# FIXED_RANGE=10.1.0.0/24
# FIXED_NETWORK_SIZE=256
# NETWORK_GATEWAY=10.1.0.1
# PRIVATE_SUBNET_NAME=privateA
PUBLIC_SUBNET_NAME=public-subnet
# FLOATING_RANGE=172.24.4.0/24
# PUBLIC_NETWORK_GATEWAY=172.24.4.10
# Q_FLOATING_ALLOCATION_POOL="start=172.24.4.11,end=172.24.4.29"
# Q_USE_SECGROUP=True # was False
# VIRT_DRIVER=libvirt
IMAGE_URLS="http://cloud-images.ubuntu.com/releases/14.04.1/release/ubuntu-14.04-server-cloudimg-amd64.tar.gz,http://download.cirros-cloud.net/0.3.3/cirros-0.3.3-x86_64-uec.tar.gz"
SCREEN_LOGDIR=/opt/stack/screen-logs
SYSLOG=True
LOGFILE=~/devstack/stack.sh.log
ADMIN_PASSWORD=password
MYSQL_PASSWORD=password
RABBIT_PASSWORD=password
SERVICE_PASSWORD=password
SERVICE_TOKEN=tokentoken
Q_USE_DEBUG_COMMAND=True
RECLONE=No
# RECLONE=yes
OFFLINE=False
Originally, I had floating pool lines and net names, but even with all these commented out, I have the same issue with the VM (didn’t think they were related).
For this stable/juno, Devstack is using commit 817e9b6, and Neutron is using 57e8ea8.
I’ll try to play with option B some more as well, though I need to figure out how to set up the provider network correctly. If I can get time, I’ll reconfigure the bare metal setup I have in the lab to try stable/juno and then kilo reference VPN as well.
If anyone has done this with a VM (either one or two), using juno or kilo, please pass along your local.conf, so I can compare.
PCM (Paul Michali)
MAIL …..…. pcm at cisco.com
IRC ……..… pc_m (irc.freenode.com)
TW ………... @pmichali
GPG Key … 4525ECC253E31A83
Fingerprint .. 307A 96BB 1A4C D2C7 931D 8D2D 4525 ECC2 53E3 1A83