[Openstack] VPNaaS limited to one subnet

James Denton james.denton at rackspace.com
Fri Mar 18 17:41:15 UTC 2016


I believe this will be addressed in Mitaka:

https://bugs.launchpad.net/neutron/+bug/1459423


JD

On 3/18/16, 12:15 PM, "iain smith" <iain at 3birds.co.uk> wrote:

>Hi all -
>
>When using neutron's VPNaaS with the Strongswan back-end, has anyone
>come up against the seemingly needless limitation whereby the 'Add VPN
>Service' configuration pane in Horizon only allows you to add one
>subnet, even if you have several subnets attached to the router which
>will host the VPN endpoint at the openstack end?
>
>The IPSEC VPN works well, but only allows you to route to the one
>openstack subnet behind the router, through the VPN tunnel.
>
>However... on the openstack network node (where the neutron-vpn-agent
>and strongswan are running) I can manually edit the Strongswan
>configuration file generated from the horizon input
>(/var/lib/neutron/ipsec/<router-id>/etc/strongswan/ipsec.conf). I can
>add the other openstack subnet addresses to the 'leftsubnet' statement
>(comma-separated), save the file, and send a HUP to the
>/usr/libexec/strongswan/starter process to force charon to re-read the
>config.
>
>After adding the subnets to the 'rightsubnet' statement in my strongswan
>VPN client config and bringing up the VPN tunnel, all of the openstack
>subnets are then routable through the VPN tunnel.
>
>Shouldn't the horizon GUI config allow you to select multiple subnets,
>if more than one is available on the chosen router?
>
>cheers
>Iain
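
An added example, not code from this thread or from the Neutron project: a small check that reads the `conn` sections of a generated `ipsec.conf` and reports, for each connection, which `leftsubnet` entries go beyond or fall short of the subnets you expect the tunnel to carry, which is useful after a manual edit like the one described above. The sample configuration, the connection name and the expected-subnet mapping are constructed for illustration, and values are assumed to be plain comma-separated CIDRs.

```python
import ipaddress

# Constructed sample in the layout of a strongSwan ipsec.conf; the conn
# name, addresses and subnets are made up for illustration.
SAMPLE_CONF = """\
config setup

conn %default
    ikelifetime=60m
    keyexchange=ikev1

conn example-site-conn
    left=203.0.113.10
    leftsubnet=10.0.1.0/24, 10.0.2.0/24
    right=198.51.100.20
    rightsubnet=192.168.50.0/24
    auto=route
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header at column 0
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) > 1
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:  # indented key=value
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def subnets(value):
    """Split a comma-separated leftsubnet/rightsubnet value into networks."""
    return {ipaddress.ip_network(s.strip()) for s in value.split(",") if s.strip()}

def audit_leftsubnet(text, expected):
    """Return {conn: (extra, missing)} comparing leftsubnet with expected CIDRs."""
    report = {}
    for name, opts in parse_conns(text).items():
        if name in expected:
            have = subnets(opts.get("leftsubnet", ""))
            want = subnets(",".join(expected[name]))
            report[name] = (sorted(map(str, have - want)), sorted(map(str, want - have)))
    return report
```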