[openstack-dev] [neutron] Need help getting DevStack setup working for VPN testing

Paul Michali (pcm) pcm at cisco.com
Fri Jan 2 13:43:32 UTC 2015


To summarize what I’m trying to do with option (A)…

I want to test VPN in DevStack by setting up two private networks, two routers, and a shared public network. The VMs created in the private networks should be able to access the public network, but not the other private network (e.g. VM on private-A subnet can ping public interface of router2 on private-B subnet)

  |
VM-a


Do I need to create the second router and private network using a different tenant?
Do I need to setup security group rules to allow the access desired?
What local.conf settings do I need for this setup (beyond what I have below)?

I’ve been trying so many different combinations (using both single and two devstack setups, trying provider net, using single/multiple tenants) and have been getting a variety of different results, from unexpected ping results, to VMs stuck in power state PAUSED, that I’m lost as to how to set this up. I think I’m hung up on the security group rules and how to setup the bridges.

What I’d like to do, is just focus on this option (A) - using a single devstack with multiple routers, and see if that works. If not, I can focus on option (B), using two devstacks/hosts.

Since I’m pretty much out of ideas on how to fix this for now, I’m going to try to see if I can get on a bare metal setup, which has worked in the past.

Any ideas? I’d like to verify VPNaaS reference implementation with the new repo changes. Been spending some time over the holiday vacation playing with this, with no joy. :(


PCM (Paul Michali)

MAIL …..…. pcm at cisco.com<mailto:pcm at cisco.com>
IRC ……..… pc_m (irc.freenode.com<http://irc.freenode.com>)
TW ………... @pmichali
GPG Key … 4525ECC253E31A83
Fingerprint .. 307A 96BB 1A4C D2C7 931D 8D2D 4525 ECC2 53E3 1A83




On Dec 31, 2014, at 2:35 PM, Paul Michali (pcm) <pcm at cisco.com<mailto:pcm at cisco.com>> wrote:

Just more data…

I keep consistently seeing that on private subnet, the VM can only access router (as expected), but on privateB subnet, the VM can access the private I/F of router1 on private subnet. From the router’s namespace, I cannot ping the local VM (why not?). Oddly, I can ping router1’s private IP from router2 namespace!

I tried these commands to create security group rules (are they wrong?):

# There are two default groups created by DevStack
group=`neutron security-group-list | grep default | cut -f 2 -d' ' | head -1`
neutron security-group-rule-create --protocol ICMP $group
neutron security-group-rule-create --protocol tcp --port-range-min 22 --port-range-max 22 $group
group=`neutron security-group-list | grep default | cut -f 2 -d' ' | tail -1`
neutron security-group-rule-create --protocol ICMP $group
neutron security-group-rule-create --protocol tcp --port-range-min 22 --port-range-max 22 $group

The only change that happens, when I do these commands, is that the VM in privateB subnet can now ping the VM from private subnet, but not vice versa. From router1 namespace, it can then access local VMs. From router2 namespace it can access local VMs and VMs in private subnet (all access).

It seems like I have some issue with security groups, and I need to square that away, before I can test VPN out.

Am I creating the security group rules correctly?
My goal is that the private nets can access the public net, but not each other (until VPN connection is established).

Lastly, in this latest try, I set OVS_PHYSICAL_BRIDGE=br-ex. In earlier runs w/o that, there were QVO interfaces, but no QVB or QBR interfaces at all. It didn’t seem to change connectivity, however.

Ideas?

PCM (Paul Michali)

MAIL …..…. pcm at cisco.com<mailto:pcm at cisco.com>
IRC ……..… pc_m (irc.freenode.com<http://irc.freenode.com/>)
TW ………... @pmichali
GPG Key … 4525ECC253E31A83
Fingerprint .. 307A 96BB 1A4C D2C7 931D 8D2D 4525 ECC2 53E3 1A83




On Dec 31, 2014, at 10:33 AM, Paul Michali (pcm) <pcm at cisco.com<mailto:pcm at cisco.com>> wrote:

I’ve been playing a bit with trying to get VPNaaS working post-repo split, and haven’t been successful. I’m trying it a few ways with DevStack, and I’m not sure whether I have a config error, setup issue, or there is something due to the split.

In the past (and it’s been a few months since I verified VPN operation), I used two bare metal machines and an external switch connecting them. With a DevStack cloud running on each. That configuration is currently setup for a vendor VPN solution, so I wanted to try different methods to test the reference VPN implementation. I’ve got two ideas to do this:

A) Run DevStack and create two routers with a shared “public” network, and two private networks, setting up a VPN connection between the private nets.
B) Run two DevStack instances (on two VMs) and try to setup a provider network between them.

I’m starting with A (though I did try B quickly, but it didn’t work), and I spun up the stack, added a second router (all under the same tenant), created another private network, and booted a Cirros VM in each private net.

Before even trying VPN, I checked pings. From the first private net VM (10.1.0.4), I could ping on the pubic net, including the public IP of the second private net’s public interface for its router. I cannot ping the VM from the host. That seems all expected to me.

What seems wrong is the other VM (this is on the post stack net I created). Like the other VM, I can ping public net IPs. However, I can also ping the private net address of the first network’s router (10.1.0.1)! Shouldn’t that have failed (at least that was what I was expecting)? I can’t ping the VM on that side though. Another curiosity is that the VM got the second IP on the subnet (10.2.0.2), unlike the other private net, where DHCP and a compute probe got the 2nd and 3rd IPs. There is DHCP enabled on this private network.

When I tried VPN, both connections show as DOWN, and all I see are phase 1 ident packets. I cannot ping from VM to VM. I don’t see any logging for the OpenSwan processes, so not to sure how to debug. Maybe I can try some ipsec show command?

I’m not too sure what is wrong with this setup.

For a comparison, I decided to do the same thing, using stable/juno. So, I fired up a VM and cloned DevStack with stable/juno and stacked. This time, things are even worse! When I try to boot a VM, and then check the status, the VM is in PAUSED power state. I can’t seem to unpause (nor do I know why it is in this state). Verified this with both Cirros 3.3, 3.2, and Ubuntu cloud images:

+--------------------------------------+----------------------------------------------------------------+
| Property                             | Value                                                          |
+--------------------------------------+----------------------------------------------------------------+
| OS-DCF:diskConfig                    | MANUAL                                                         |
| OS-EXT-AZ:availability_zone          | nova                                                           |
| OS-EXT-SRV-ATTR:host                 | juno                                                           |
| OS-EXT-SRV-ATTR:hypervisor_hostname  | juno                                                           |
| OS-EXT-SRV-ATTR:instance_name        | instance-00000001                                              |
| OS-EXT-STS:power_state               | 3                                                              |
| OS-EXT-STS:task_state                | -                                                              |
| OS-EXT-STS:vm_state                  | active                                                         |
| OS-SRV-USG:launched_at               | 2014-12-31T15:15:33.000000                                     |
| OS-SRV-USG:terminated_at             | -                                                              |
| accessIPv4                           |                                                                |
| accessIPv6                           |                                                                |
| config_drive                         |                                                                |
| created                              | 2014-12-31T15:15:24Z                                           |
| flavor                               | m1.tiny (1)                                                    |
| hostId                               | 5b0c48250ccc0ac3fca8a821e29e4b154ec0b101f9cc0a0b27071a3f       |
| id                                   | ec5c8d70-ae80-4cc3-a5bb-b68019170dd6                           |
| image                                | cirros-0.3.3-x86_64-uec (797e4dee-8c03-497f-8dac-a44b9351dfa3) |
| key_name                             | -                                                              |
| metadata                             | {}                                                             |
| name                                 | peter                                                          |
| os-extended-volumes:volumes_attached | []                                                             |
| private network                      | 10.0.0.4                                                       |
| progress                             | 0                                                              |
| security_groups                      | default                                                        |
| status                               | ACTIVE                                                         |
| tenant_id                            | 7afb5bc1d88d462c8d57178437d3c277                               |
| updated                              | 2014-12-31T15:15:34Z                                           |
| user_id                              | 4ff18bdbeb4d436ea4ff1bcd29e269a9                               |
+--------------------------------------+————————————————————————————————+

+--------------------------------------+-------+--------+------------+-------------+------------------+
| ID                                   | Name  | Status | Task State | Power State | Networks         |
+--------------------------------------+-------+--------+------------+-------------+------------------+
| ec5c8d70-ae80-4cc3-a5bb-b68019170dd6 | peter | ACTIVE | -          | Paused      | private=10.0.0.4 |
+--------------------------------------+-------+--------+------------+-------------+—————————+

Any ideas why the VM won’t start up correctly? I didn’t see anything on a google search.

For reference, here is my local.conf currently:

[[local|localrc]]
GIT_BASE=https://github.com<https://github.com/>
DEST=/opt/stack

disable_service n-net
enable_service q-svc
enable_service q-agt
enable_service q-dhcp
enable_service q-l3
enable_service q-meta
enable_service neutron
enable_service q-vpn

# FIXED_RANGE=10.1.0.0/24
# FIXED_NETWORK_SIZE=256
# NETWORK_GATEWAY=10.1.0.1
# PRIVATE_SUBNET_NAME=privateA

PUBLIC_SUBNET_NAME=public-subnet
# FLOATING_RANGE=172.24.4.0/24
# PUBLIC_NETWORK_GATEWAY=172.24.4.10
# Q_FLOATING_ALLOCATION_POOL="start=172.24.4.11,end=172.24.4.29"
# Q_USE_SECGROUP=True # was False

# VIRT_DRIVER=libvirt
IMAGE_URLS="http://cloud-images.ubuntu.com/releases/14.04.1/release/ubuntu-14.04-server-cloudimg-amd64.tar.gz,http://download.cirros-cloud.net/0.3.3/cirros-0.3.3-x86_64-uec.tar.gz"

SCREEN_LOGDIR=/opt/stack/screen-logs
SYSLOG=True
LOGFILE=~/devstack/stack.sh.log

ADMIN_PASSWORD=password
MYSQL_PASSWORD=password
RABBIT_PASSWORD=password
SERVICE_PASSWORD=password
SERVICE_TOKEN=tokentoken

Q_USE_DEBUG_COMMAND=True

RECLONE=No
# RECLONE=yes
OFFLINE=False

Originally, I had floating pool lines and net names, but even with all these commented out, I have the same issue with the VM (didn’t think they were related).

For this stable/juno, Devstack is using commit 817e9b6, and Neutron is using 57e8ea8.


I’ll try to play with option B some more as well, though I need to figure out how to setup the provider network correctly. If I can get time, I’ll reconfigure the bare metal setup I have in the lab to try stable/juno and then kilo reference VPN as well.

If anyone has done this with a VM (either one or two), using juno or kilo, please pass along your local.conf, so I can compare.

PCM (Paul Michali)

MAIL …..…. pcm at cisco.com<mailto:pcm at cisco.com>
IRC ……..… pc_m (irc.freenode.com<http://irc.freenode.com/>)
TW ………... @pmichali
GPG Key … 4525ECC253E31A83
Fingerprint .. 307A 96BB 1A4C D2C7 931D 8D2D 4525 ECC2 53E3 1A83




_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org<mailto:OpenStack-dev at lists.openstack.org>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org<mailto:OpenStack-dev at lists.openstack.org>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150102/292e05ea/attachment.html>


More information about the OpenStack-dev mailing list