[Openstack-operators] Juno's VPNaaS does not work on Centos 7 with libreswan
Erik McCormick
emccormick at cirrusseven.com
Wed Feb 4 12:49:50 UTC 2015
Matias,
This is great stuff! Thanks for sharing. I came up with something similar
this past weekend, but I then ran into the issue where the PID file was
left behind whenever Pluto gets restarted (which happens constantly). Did
you run into that issue?
Thanks,
Erik
On Feb 3, 2015 11:37 PM, "Matias R. Cuenca del Rey" <maticue at gmail.com>
wrote:
> Packages:
> * openstack-neutron-vpn-agent-2014.2.1-1.el7.centos.noarch
> * libreswan-3.8-6.el7_0.x86_64
>
> Yesterday I modified some of openstack-neutron-vpn-agent's scripts to make
> VPN work :). I don't know much about python. I'm sure it can be improved.
> These are all the steps I did to enable VPNaaS on Openstack Juno with Centos
> 7 with libreswan
>
> 1.- Install necessary packages:
> # yum install openstack-neutron-vpn-agent libreswan -y
>
> 2.- Enable vpnaas plugin in neutron
> # cat /etc/neutron/neutron.conf
> ...
> service_plugins = router,vpnaas
> ...
>
> service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
> ...
>
> 3.- Configure vpn plugin
> # cat /etc/neutron/vpn_agent.ini
>
> [DEFAULT]
> # VPN-Agent configuration file
> # Note vpn-agent inherits l3-agent, so you can use configs on l3-agent also
> ##interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
>
> [vpnagent]
> # vpn device drivers which vpn agent will use
> # If we want to use multiple drivers, we need to define this option multiple times.
> vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver
> #
> vpn_device_driver=neutron.services.vpn.device_drivers.cisco_ipsec.CiscoCsrIPsecDriver
> # vpn_device_driver=another_driver
>
> [ipsec]
> # Status check interval
> ipsec_status_check_interval=30
>
>
> 4.- Here we start with the dirty part :)
> 4.1.- Add the certutil command to vpnaas.filters, so it can be executed
> through neutron rootwrap
> # cat /usr/share/neutron/rootwrap/vpnaas.filters
> # neutron-rootwrap command filters for nodes on which neutron is
> # expected to control network
> #
> # This file should be owned by (and only-writeable by) the root user
>
> # format seems to be
> # cmd-name: filter-name, raw-command, user, args
>
> [Filters]
>
> ip: IpFilter, ip, root
> ip_exec: IpNetnsExecFilter, ip, root
> openswan: CommandFilter, ipsec, root
> libreswan: CommandFilter, certutil, root
>
> 4.2.- Edit ipsec.py, which executes the 'ipsec' and (now) 'certutil' commands
> 4.2.1.- If the nss db does not exist, it is created in
> /var/lib/neutron/ipsec/<uuid>/etc/ipsec.d
> 4.2.2.- In 'ipsec pluto' execution:
> 4.2.2.1.- Remove '--config' option, keep ctlbase (Thanks Paul!)
> 4.2.2.2.- Change argument of '--ipsecdir' from
> /var/lib/neutron/ipsec/<uuid>/etc/ to
> /var/lib/neutron/ipsec/<uuid>/etc/ipsec.d
> 4.2.2.3.- Remove --use-netkey because it is the default option
> 4.2.3.- In 'ipsec addconn' execution:
> 4.2.3.1.- Remove '--defaultroutenexthop' because it is obsolete
> The diff between original and modified file is:
>
> # diff
> /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/ipsec.py
> /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/ipsec.py.original
> 97d96
> < bcertutil = "certutil"
> 114,119d112
> < NSS_FILES = [
> < 'cert8.db',
> < 'key3.db',
> < 'secmod.db'
> < ]
> <
> 189,197d181
> < def _ensure_nss(self, nss_files):
> < if not os.path.isfile(nss_files):
> < #start nss database
> < self._execute([self.bcertutil,
> < '-N',
> < '--empty-password',
> < '-d', self.ipsecd_dir,
> < ])
> <
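Review bot: `self._execute([self.bcertutil, '-N', '--empty-password', '-d', self.ipsecd_dir])` runs through rootwrap, and the filter added in step 4.1 (`libreswan: CommandFilter, certutil, root`) lets the neutron user run certutil with any arguments as root; a RegExpFilter restricted to the `-N --empty-password -d <ipsec dir>` argument pattern keeps the grant as narrow as this one call. `--empty-password` also means the directory permissions are the only protection on key3.db, which deserves a comment next to the call. Minor: PEP 8 wants a space after `#` in `#start nss database`, and since the parameter is a single path, `nss_file` reads better than `nss_files`.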
> 199c183
> < """Create config directory and nss files if they does not
> exist."""
> ---
> > """Create config directory if it does not exist."""
> 204,206d187
> < for nss_file in self.NSS_FILES:
> < nss_path = os.path.join(self.ipsecd_dir, nss_file)
> < self._ensure_nss(nss_path)
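Review bot: one `certutil -N` creates cert8.db, key3.db and secmod.db together, so calling `_ensure_nss` once per file is more than the check needs: if only secmod.db is missing, this loop still invokes `certutil -N` against an existing cert8.db/key3.db pair, with an outcome that is not obvious. Checking once for any missing file (`if not all(os.path.isfile(os.path.join(self.ipsecd_dir, f)) for f in self.NSS_FILES)`) and running certutil a single time is simpler and avoids that case.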
> 327,328d307
> < self.ipsecd_dir = os.path.join(
> < self.etc_dir, 'ipsec.d')
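Review bot: `self.ipsecd_dir` is set here, but nothing in the diff creates that directory before `certutil -N -d` runs in `_ensure_nss`; unless the unchanged part of `ensure_configs` already creates `etc/ipsec.d`, the first start fails because certutil expects its `-d` directory to exist. An `os.makedirs` guard next to the existing config-directory creation would settle it.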
> 401c380,381
> < '--ipsecdir', self.ipsecd_dir,
> ---
> > '--ipsecdir', self.etc_dir,
> > '--use-netkey',
> 412a393
> > '--defaultroutenexthop', nexthop,
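Review bot: with `'--defaultroutenexthop', nexthop` gone, check whether `nexthop` is still used by the caller; if it was computed only for this argument, the now-dead lookup should be removed with it rather than left behind.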
>
> 4.3.- Edit ipsec.conf.template, which is used to generate
> /var/lib/neutron/ipsec/<uid>/ipsec.conf (necessary for ipsec addconn
> command)
> Just comment obsolete options. The diff between original and modified file
> is:
>
> # diff
> /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/template/openswan/ipsec.conf.template
> /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/template/openswan/ipsec.conf.template.original
> 3c3
> < # nat_traversal=yes
> ---
> > nat_traversal=yes
> 7,8c7
> < # keylife=60m
> < salifetime=60m
> ---
> > keylife=60m
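Review bot: commenting `keylife=60m` out instead of deleting it leaves a dead line in every generated ipsec.conf (the same applies to the nat_traversal, leftnexthop, rightnexthop and lifetime hunks); since the file is rendered from this template, drop the lines. Renaming to `salifetime` is the right libreswan keyword, and the per-connection `salifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s` in the last hunk takes precedence, so this 60m value only matters for connections without a lifetime value.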
> 20c19
> < # leftnexthop=%defaultroute
> ---
> > leftnexthop=%defaultroute
> 31c30
> < # rightnexthop=%defaultroute
> ---
> > rightnexthop=%defaultroute
> 63,64c62
> < # lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
> < salifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
> ---
> > lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
>
> 5.- Enable and start vpn-agent
> # systemctl enable neutron-vpn-agent
> # systemctl start neutron-vpn-agent
>
>
> Hope it could be useful to someone.
>
> Matías R. Cuenca del Rey
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
>
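The two operational details raised in this thread, the NSS database bootstrap from step 4.2 and the pid file that Erik reports being left behind when pluto restarts, in one runnable example. This is an added example, not code from the thread, from neutron or from libreswan: the helper names, the `execute` callable standing in for the driver's rootwrap-backed `self._execute`, and the `pluto.pid` file name are assumptions. The NSS check runs `certutil -N` once when any of the three files is missing, creates the `-d` directory first, and the pid check only removes a file whose pid no longer belongs to a live process, so a running pluto is never disturbed.

```python
import errno
import os
import shutil
import subprocess
import sys
import tempfile

# Same three files the modified ipsec.py lists.
NSS_FILES = ('cert8.db', 'key3.db', 'secmod.db')


def nss_db_missing(ipsecd_dir):
    """True when any of the three NSS files is absent (one certutil -N creates all)."""
    return any(not os.path.isfile(os.path.join(ipsecd_dir, name))
               for name in NSS_FILES)


def ensure_nss_db(ipsecd_dir, execute):
    """Initialise the NSS database at most once.

    `execute` stands in for the driver's rootwrap-backed self._execute
    (assumption: any callable taking an argv list). Returns the argv that
    was run, or None when the database already existed.
    """
    if not os.path.isdir(ipsecd_dir):
        # certutil does not create its -d directory; keep it private.
        os.makedirs(ipsecd_dir, 0o700)
    if not nss_db_missing(ipsecd_dir):
        return None
    argv = ['certutil', '-N', '--empty-password', '-d', ipsecd_dir]
    execute(argv)
    return argv


def pid_is_running(pid):
    """Signal 0 probes for existence without affecting the process."""
    try:
        os.kill(pid, 0)
    except OSError as exc:
        # EPERM means the process exists but belongs to someone else.
        return exc.errno != errno.ESRCH
    return True


def stale_pid_file(pid_path):
    """True if the file exists but its pid is not a live process."""
    try:
        with open(pid_path) as handle:
            pid = int(handle.read().strip())
    except (IOError, OSError):
        return False            # no file: nothing to clean up
    except ValueError:
        return True             # unparseable content: treat as stale
    return not pid_is_running(pid)


def remove_stale_pid_file(pid_path):
    """Remove a stale pid file; returns True when something was removed."""
    if not stale_pid_file(pid_path):
        return False
    os.remove(pid_path)
    return True


def run_demo():
    """Exercise both helpers on constructed state in a temporary directory."""
    results = {}
    base = tempfile.mkdtemp(prefix='vpnaas-demo-')   # constructed, not a real router dir
    ipsecd_dir = os.path.join(base, 'etc', 'ipsec.d')
    calls = []

    def fake_execute(argv):
        # Records the call and mimics certutil -N creating all three files.
        calls.append(argv)
        for name in NSS_FILES:
            open(os.path.join(ipsecd_dir, name), 'w').close()

    ensure_nss_db(ipsecd_dir, fake_execute)
    ensure_nss_db(ipsecd_dir, fake_execute)   # second call must be a no-op
    results['certutil_calls'] = len(calls)
    results['db_present'] = not nss_db_missing(ipsecd_dir)

    # A pid file pointing at this (live) process must be left alone.
    pid_path = os.path.join(base, 'pluto.pid')
    with open(pid_path, 'w') as handle:
        handle.write('%d\n' % os.getpid())
    results['live_removed'] = remove_stale_pid_file(pid_path)

    # A pid file pointing at a process that already exited is stale.
    child = subprocess.Popen([sys.executable, '-c', 'pass'])
    child.wait()
    with open(pid_path, 'w') as handle:
        handle.write('%d\n' % child.pid)
    results['stale_removed'] = remove_stale_pid_file(pid_path)
    results['pid_file_gone'] = not os.path.exists(pid_path)

    shutil.rmtree(base)
    return results


if __name__ == '__main__':
    print(run_demo())
```

In the agent the stale check would run just before the `ipsec pluto` start described in step 4.2.2, against the pid file inside the router's own `/var/lib/neutron/ipsec/<uuid>` tree, so a file that pluto left behind on restart no longer blocks the next start while a live pluto is never touched.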