[Openstack] VPNaaS

Paul Michali pc at michali.net
Mon Apr 11 11:54:24 UTC 2016


VPNaaS in OpenStack is a site-to-site VPN using IPSec. It is designed for
the case when you have two *clouds* and want to interconnect them. So, one
openstack cloud on each end, and an interconnecting network. It's not
defined for a *road warrier* case, where you have a computer wanting to
connect to a cloud, for example.

Note: the underlying VPN mechanism (Strongswan/Openswan) support many
different configurations, but the one targeted for Openstack, is that of
cloud to cloud VPN connection in a point to point manner, using basic
pre-shared keys. In addition, it is point to point (versus a hub/spoke or
other connection).

Here's an example from Strongswan doc:
https://www.strongswan.org/uml/testresults/ikev1/net2net-psk/

So, it's sort of apples to oranges comparison.

Regards,

Paul Michali (pcm)

On Mon, Apr 11, 2016 at 7:20 AM Oleg Lodygensky <
oleg.lodygensky at lal.in2p3.fr> wrote:

> dear all,
> I am trying to compare OpenVPN and VPNaaS usage in OpenStack.
>
>
> I want to be able to create a VPN between VMs deployed in a single
> Openstack cloud to ensure communication privacy and security.
> I also want to be able to connect with my PC to the VPN.
>
>
> To use OpenVPN, post install scripts  work well :
> -A- I can see 2 interaces on each VM: the public one and the one
> associated to the VPN
> -B- my own PC can easily join
>
>
>
> I want to do the same using VPNaaS (the script is below)
> But:
> -1- VPN is created but its status is « DOWN »
> -2- I don’t see any VPN interface inside VMs
> -3- I don’t undersand how my PC could join the VPN
>
>
>
> Any help welcome,
> Oleg Lodygensky
>
>
>
>
>
>
>
> usage() {
> echo "Usage: $0 [start | stop | status] <configName>"
> exit 1
> }
>
> writeVariable() {
> echo $* >> ${CONFIG_FILE}
> }
>
> start() {
> CONFIG_NAME=$2
> CONFIG_FILE=$2
> if [ -f ${CONFIG_FILE} ] ; then
> echo "VPNAAS error : config already exist. Cowardingly refusing to
> overwrite it"
> exit 1
> fi
>
> touch ${CONFIG_FILE}
>
> KEY="NET1"
> NET1="${CONFIG_NAME}_net1"
> VALUE="${NET1}"
> neutron net-create ${NET1} && writeVariable "${KEY}=${VALUE}"
> KEY="SUBNET1"
> SUBNET1="${CONFIG_NAME}_subnet1"
> VALUE="${SUBNET1}"
> neutron subnet-create --name ${SUBNET1} ${NET1} 10.100.0.0/24 --gateway
> 10.100.0.1 && writeVariable "${KEY}=${VALUE}"
> KEY="ROUTER1"
> ROUTER1="${CONFIG_NAME}_router1"
> VALUE="${ROUTER1}"
> neutron router-create ${ROUTER1} && writeVariable "${KEY}=${VALUE}"
> neutron router-interface-add ${ROUTER1} ${SUBNET1}
> neutron router-gateway-set ${ROUTER1} public
>
> KEY="NET2"
> NET2="${CONFIG_NAME}_net2"
> VALUE="${NET2}"
> neutron net-create ${NET2} && writeVariable "${KEY}=${VALUE}"
> KEY="SUBNET2"
> SUBNET2="${CONFIG_NAME}_subnet2"
> VALUE="${SUBNET2}"
> neutron subnet-create --name ${SUBNET2} ${NET2} 20.200.0.0/24 --gateway
> 20.200.0.2 && writeVariable "${KEY}=${VALUE}"
> KEY="ROUTER2"
> ROUTER2="${CONFIG_NAME}_router2"
> VALUE="${ROUTER2}"
> neutron router-create ${ROUTER2} && writeVariable "${KEY}=${VALUE}"
> neutron router-interface-add ${ROUTER2} ${SUBNET2}
> neutron router-gateway-set ${ROUTER2} public
>
> PRIVATE_NET1=`neutron net-list | grep "${NET1}" | cut -f 2 -d' '`
> KEY="VM1"
> VM1="${CONFIG_NAME}_vm1"
> VALUE="${VM1}"
> nova boot --key-name os-77345-demo --flavor 2 --image ubuntu14 --nic
> net-id=${PRIVATE_NET1} ${VM1}  && writeVariable "${KEY}=${VALUE}"
> FLOATINGIP1=`nova floating-ip-create | grep -vE 'Pool|--'| cut -d ' ' -f 4`
> KEY="FLOATINGIP1"
> VALUE="${FLOATINGIP1}"
> nova add-floating-ip ${VM1} $FLOATINGIP1 && writeVariable "${KEY}=${VALUE}"
>
> PRIVATE_NET2=`neutron net-list | grep "${NET2}" | cut -f 2 -d' '`
> KEY="VM2"
> VM2="${CONFIG_NAME}_vm2"
> VALUE="${VM2}"
> nova boot --key-name os-77345-demo --flavor 2 --image ubuntu14 --nic
> net-id=${PRIVATE_NET2} ${VM2} && writeVariable "${KEY}=${VALUE}"
> FLOATINGIP2=`nova floating-ip-create | grep -vE 'Pool|--'| cut -d ' ' -f 4`
> KEY="FLOATINGIP2"
> VALUE="${FLOATINGIP2}"
> nova add-floating-ip ${VM2} $FLOATINGIP2 && writeVariable "${KEY}=${VALUE}"
>
> #Create VPN connections
> KEY="IKEPOLICY"
> IKEPOLICY="${CONFIG_NAME}_ikepolicy"
> VALUE="${IKEPOLICY}"
> neutron vpn-ikepolicy-create ${IKEPOLICY} && writeVariable
> "${KEY}=${VALUE}"
> KEY="IPSECPOLICY"
> IPSECPOLICY="${CONFIG_NAME}_ipsecpolicy"
> VALUE="${IPSECPOLICY}"
> neutron vpn-ipsecpolicy-create ${IPSECPOLICY} && writeVariable
> "${KEY}=${VALUE}"
> KEY="VPNSERVICE"
> VPNSERVICE="${CONFIG_NAME}_vpnservice"
> VALUE="${VPNSERVICE}"
> neutron vpn-service-create --name ${VPNSERVICE} --description "Mon service
> VPN1" ${ROUTER1} ${SUBNET1} && writeVariable "${KEY}=${VALUE}"
>
> KEY="CONNECTION"
> CONNECTION="${CONFIG_NAME}_connection"
> VALUE="${CONNECTION}"
> # neutron ipsec-site-connection-create --name ${CONNECTION}
> --vpnservice-id ${VPNSERVICE} \
> #   --ikepolicy-id ${IKEPOLICY} --ipsecpolicy-id ${IPSECPOLICY}
> --peer-address 172.24.4.227 \
> #   --peer-id 172.24.4.227 --peer-cidr 10.100.0.0/24 --psk secret &&
> writeVariable "${KEY}=${VALUE}"
>
> [ ! -s ${CONFIG_FILE} ] && rm -f ${CONFIG_FILE}
> }
>
> stop() {
> CONFIG_FILE=$2
> if [ ! -f ${CONFIG_FILE} ] ; then
> echo "VPNAAS \"${CONFIG_FILE}\" error : config not found"
> exit 1
> fi
>
> . ${CONFIG_FILE}
>
> nova delete ${VM1}
> nova delete ${VM2}
>
> nova floating-ip-delete ${FLOATINGIP1}
> nova floating-ip-delete ${FLOATINGIP2}
>
> neutron ipsec-site-connection-delete ${CONNECTION}
> neutron vpn-service-delete ${VPNSERVICE}
>
> neutron vpn-ipsecpolicy-delete ${IPSECPOLICY}
> neutron vpn-ikepolicy-delete ${IKEPOLICY}
>
> for i in `neutron port-list | grep -vE 'fixed_ips|--' | cut -f 2 -d' '` ;
> do neutron port-delete $i  ; done
>
> neutron router-interface-delete ${ROUTER2} ${SUBNET2}
> neutron router-delete ${ROUTER2}
> neutron net-delete ${NET2}
>
> neutron router-interface-delete ${ROUTER1} ${SUBNET1}
> neutron router-delete ${ROUTER1}
> neutron net-delete ${NET1}
>
> rm -f ${CONFIG_FILE}
> }
>
> status() {
> CONFIG_FILE=$2
> if [ ! -f ${CONFIG_FILE} ] ; then
> echo "VPNAAS \"${CONFIG_FILE}\" error : config not found"
> exit 1
> fi
>
> echo "VNPAAS \"${CONFIG_FILE}\": started"
> cat ${CONFIG_FILE}
> }
>
> [ $# -ne 2 ] && usage
>
> case $1 in
> "start" )
> start $*
> ;;
> "stop" )
> stop $*
> ;;
> "status" )
> status $*
> ;;
> esac
>
>
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20160411/3333b59b/attachment.html>


More information about the Openstack mailing list