[Openstack] VPNaaS limited to one subnet

iain smith iain at 3birds.co.uk
Fri Mar 18 17:15:30 UTC 2016


Hi all -

When using neutron's VPNaaS with the Strongswan back-end, has anyone
come up against the seemingly needless limitation whereby the 'Add VPN
Service' configuration pane in Horizon only allows you to add one
subnet, even if you have several subnets attached to the router which
will host the VPN endpoint at the openstack end?

The IPSEC VPN works well, but only allows you to route to the one
openstack subnet behind the router, through the VPN tunnel.

However... on the openstack network node (where the neutron-vpn-agent
and strongswan are running) I can manually edit the Strongswan
configuration file generated from the horizon input
(/var/lib/neutron/ipsec/<router-id>/etc/strongswan/ipsec.conf). I can
add the other openstack subnet addresses to the 'leftsubnet' statement
(comma-separated), save the file, and send a HUP to the
/usr/libexec/strongswan/starter process to force charon to re-read the
config.

After adding the subnets to the 'rightsubnet' statement in my strongswan
VPN client config and bringing up the VPN tunnel, all of the openstack
subnets are then routable through the VPN tunnel.

Shouldn't the horizon GUI config allow you to select multiple subnets,
if more than one is available on the chosen router?

cheers
Iain
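One way to script the leftsubnet edit the post describes, merging extra CIDRs into the conn section of a generated ipsec.conf with validation and de-duplication. This is an added example, not code from the post, neutron or strongswan; the conn name example-conn and every address in it are constructed.

```python
import ipaddress
import re

# Constructed sample shaped like neutron-vpn-agent's generated ipsec.conf
# (/var/lib/neutron/ipsec/<router-id>/etc/strongswan/ipsec.conf).
SAMPLE_CONF = """\
conn %default
    ikelifetime=60m

conn example-conn
    left=203.0.113.10
    leftsubnet=10.0.0.0/24
    rightsubnet=192.168.50.0/24
"""

CONN_RE = re.compile(r"^conn\s+(\S+)\s*$")

def _validate(cidrs):
    # strict=True rejects CIDRs with host bits set (e.g. 10.0.1.5/24).
    return [str(ipaddress.ip_network(c.strip(), strict=True)) for c in cidrs]

def _subnet_line(conf_text, conn_name, key):
    """Return (index, line) of the key= line inside conn_name, or None."""
    current = None
    for i, line in enumerate(conf_text.splitlines()):
        m = CONN_RE.match(line)
        if m:
            current = m.group(1)
        elif current == conn_name and line.strip().startswith(key + "="):
            return i, line
    return None

def get_subnets(conf_text, conn_name, key="leftsubnet"):
    """CIDRs currently listed on the key= line of conn_name ([] if none)."""
    hit = _subnet_line(conf_text, conn_name, key)
    return _validate(hit[1].split("=", 1)[1].split(",")) if hit else []

def merge_subnets(conf_text, conn_name, new_subnets, key="leftsubnet"):
    """Append new_subnets (validated, deduplicated, order kept) to key=."""
    hit = _subnet_line(conf_text, conn_name, key)
    if hit is None:
        raise ValueError(f"no {key}= line in conn {conn_name}")
    i, line = hit
    merged = get_subnets(conf_text, conn_name, key)
    for cidr in _validate(new_subnets):
        if cidr not in merged:
            merged.append(cidr)
    indent = line[: len(line) - len(line.lstrip())]  # keep strongswan's indent
    lines = conf_text.splitlines()
    lines[i] = f"{indent}{key}=" + ",".join(merged)
    return "\n".join(lines) + "\n"
```

neutron-vpn-agent rewrites this file whenever the VPN service or connection is updated, so a hand-merged leftsubnet list does not survive the next sync and the remote side's rightsubnet must be changed to match.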