[openstack-dev] [neutron] Need help getting DevStack setup working for VPN testing

Paul Michali (pcm) pcm at cisco.com
Wed Dec 31 15:33:42 UTC 2014

I’ve been playing a bit with trying to get VPNaaS working post-repo split, and haven’t been successful. I’m trying it a few ways with DevStack, and I’m not sure whether I have a config error, setup issue, or there is something due to the split.

In the past (and it’s been a few months since I verified VPN operation), I used two bare metal machines and an external switch connecting them, with a DevStack cloud running on each. That configuration is currently set up for a vendor VPN solution, so I wanted to try different methods to test the reference VPN implementation. I’ve got two ideas to do this:

A) Run DevStack and create two routers with a shared “public” network, and two private networks, setting up a VPN connection between the private nets.
B) Run two DevStack instances (on two VMs) and try to set up a provider network between them.

I’m starting with A (though I did try B quickly, but it didn’t work), and I spun up the stack, added a second router (all under the same tenant), created another private network, and booted a Cirros VM in each private net.

Before even trying VPN, I checked pings. From the first private net VM (, I could ping on the public net, including the public IP of the second private net’s public interface for its router. I cannot ping the VM from the host. That seems all expected to me.

What seems wrong is the other VM (this is on the post stack net I created). Like the other VM, I can ping public net IPs. However, I can also ping the private net address of the first network’s router (! Shouldn’t that have failed (at least that was what I was expecting)? I can’t ping the VM on that side though. Another curiosity is that the VM got the second IP on the subnet (, unlike the other private net, where DHCP and a compute probe got the 2nd and 3rd IPs. There is DHCP enabled on this private network.

When I tried VPN, both connections show as DOWN, and all I see are phase 1 ident packets. I cannot ping from VM to VM. I don’t see any logging for the OpenSwan processes, so not too sure how to debug. Maybe I can try some ipsec show command?

I’m not too sure what is wrong with this setup.

For a comparison, I decided to do the same thing, using stable/juno. So, I fired up a VM and cloned DevStack with stable/juno and stacked. This time, things are even worse! When I try to boot a VM, and then check the status, the VM is in PAUSED power state. I can’t seem to unpause (nor do I know why it is in this state). Verified this with both Cirros 3.3, 3.2, and Ubuntu cloud images:

| Property                             | Value                                                          |
| OS-DCF:diskConfig                    | MANUAL                                                         |
| OS-EXT-AZ:availability_zone          | nova                                                           |
| OS-EXT-SRV-ATTR:host                 | juno                                                           |
| OS-EXT-SRV-ATTR:hypervisor_hostname  | juno                                                           |
| OS-EXT-SRV-ATTR:instance_name        | instance-00000001                                              |
| OS-EXT-STS:power_state               | 3                                                              |
| OS-EXT-STS:task_state                | -                                                              |
| OS-EXT-STS:vm_state                  | active                                                         |
| OS-SRV-USG:launched_at               | 2014-12-31T15:15:33.000000                                     |
| OS-SRV-USG:terminated_at             | -                                                              |
| accessIPv4                           |                                                                |
| accessIPv6                           |                                                                |
| config_drive                         |                                                                |
| created                              | 2014-12-31T15:15:24Z                                           |
| flavor                               | m1.tiny (1)                                                    |
| hostId                               | 5b0c48250ccc0ac3fca8a821e29e4b154ec0b101f9cc0a0b27071a3f       |
| id                                   | ec5c8d70-ae80-4cc3-a5bb-b68019170dd6                           |
| image                                | cirros-0.3.3-x86_64-uec (797e4dee-8c03-497f-8dac-a44b9351dfa3) |
| key_name                             | -                                                              |
| metadata                             | {}                                                             |
| name                                 | peter                                                          |
| os-extended-volumes:volumes_attached | []                                                             |
| private network                      |                                                       |
| progress                             | 0                                                              |
| security_groups                      | default                                                        |
| status                               | ACTIVE                                                         |
| tenant_id                            | 7afb5bc1d88d462c8d57178437d3c277                               |
| updated                              | 2014-12-31T15:15:34Z                                           |
| user_id                              | 4ff18bdbeb4d436ea4ff1bcd29e269a9                               |

| ID                                   | Name  | Status | Task State | Power State | Networks         |
| ec5c8d70-ae80-4cc3-a5bb-b68019170dd6 | peter | ACTIVE | -          | Paused      | private= |

Any ideas why the VM won’t start up correctly? I didn’t see anything on a google search.

For reference, here is my local.conf currently:


disable_service n-net
enable_service q-svc
enable_service q-agt
enable_service q-dhcp
enable_service q-l3
enable_service q-meta
enable_service neutron
enable_service q-vpn


# Q_USE_SECGROUP=True # was False

# VIRT_DRIVER=libvirt





Originally, I had floating pool lines and net names, but even with all these commented out, I have the same issue with the VM (didn’t think they were related).

For this stable/juno, Devstack is using commit 817e9b6, and Neutron is using 57e8ea8.

I’ll try to play with option B some more as well, though I need to figure out how to set up the provider network correctly. If I can get time, I’ll reconfigure the bare metal setup I have in the lab to try stable/juno and then kilo reference VPN as well.

If anyone has done this with a VM (either one or two), using juno or kilo, please pass along your local.conf, so I can compare.

PCM (Paul Michali)

MAIL …..…. pcm at cisco.com
IRC ……..… pc_m (irc.freenode.com)
TW ………... @pmichali
GPG Key … 4525ECC253E31A83
Fingerprint .. 307A 96BB 1A4C D2C7 931D 8D2D 4525 ECC2 53E3 1A83
