Installing VPNaaS in OpenStack Queens

OpenStack has a built-in VPN feature called VPN as a Service (VPNaaS). With it, we can create site-to-site IPsec tunnels between an OpenStack private network and another site, whether that is a second OpenStack router or a third-party IPsec gateway. This tutorial creates a site-to-site IPsec tunnel between two private networks in OpenStack that sit behind different routers.


Installation

On the controller node, install these packages (I am using CentOS 7; the package names and configuration differ on Ubuntu, see this article). CentOS 7 ships libreswan, the successor of openswan, and that is the IPsec daemon the LibreSwanDriver configured below talks to.

yum install libreswan openstack-neutron-vpnaas

Enable the VPNaaS service plugin in the neutron configuration (the service_plugins option lives in the [DEFAULT] section; keep the plugins that are already listed there).

nano /etc/neutron/neutron.conf
[DEFAULT]
service_plugins = ...,vpnaas

Create the VPNaaS service-provider configuration

nano /etc/neutron/neutron_vpnaas.conf
[service_providers]
service_provider = VPN:openswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default

Configure VPNaaS in the L3 agent (the agent extension plus the device driver that writes the libreswan configuration inside each router namespace)

nano /etc/neutron/l3_agent.ini
[AGENT]
extensions = ...,vpnaas

[vpnagent]
vpn_device_driver = neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver

Populate the database with the VPNaaS tables

neutron-db-manage --subproject neutron-vpnaas upgrade head

Restart neutron-server and the L3 agent

systemctl restart neutron-server
systemctl restart neutron-l3-agent

Testing

  • Create 2 routers and attach the external network to each of them.
  • Create 2 private networks & subnets, and attach each private subnet to its own router.
  • Note the routers' public (external gateway) IPs (in my case 10.101.101.164 for router1 and 10.101.101.152 for router2).
  • Note that network1/subnet1 is 192.168.0.0/24
  • Note that network2/subnet2 is 192.168.1.0/24
  • Create the IKE and IPsec policies. Both sides of the tunnel must use the same policies. sha1 and DH group2 are kept here as used in this setup; for a new deployment prefer --auth-algorithm sha256 and --pfs group14, which the Queens CLI also accepts.
openstack vpn ike policy create ikepolicy --auth-algorithm sha1 --encryption-algorithm aes-256 --ike-version v1 --lifetime value=86400 --phase1-negotiation-mode main --pfs group2
openstack vpn ipsec policy create ipsecpolicy --auth-algorithm sha1 --encryption-algorithm aes-256 --lifetime value=3600 --transform-protocol esp  --pfs group2
  • Create the VPN service on router1 (3b0b2f30-508a-449e-b314-ec0c52f73a7c) and subnet1 (c0f22403-98d6-40dd-be44-1c80487aac38). Point the peer address to router2 and the peer CIDR to subnet2. The --psk must be identical on both sides; replace your_secret with a long random string, since the PSK is the only thing authenticating the peer.
openstack vpn service create vpn-r1 \
  --router 3b0b2f30-508a-449e-b314-ec0c52f73a7c \
  --subnet c0f22403-98d6-40dd-be44-1c80487aac38

openstack vpn ipsec site connection create conn-r1 \
  --vpnservice vpn-r1 \
  --ikepolicy ikepolicy \
  --ipsecpolicy ipsecpolicy \
  --peer-address 10.101.101.152 \
  --peer-id 10.101.101.152 \
  --peer-cidr 192.168.1.0/24 \
  --psk your_secret
  • Create the VPN service on router2 (d962ca72-a76b-4873-8c5a-5af6831cfa24) and subnet2 (d3ad0178-b277-493c-89c2-2644741df909). Point the peer address to router1 and the peer CIDR to subnet1, and use the same PSK as on router1.
openstack vpn service create vpn-r2 \
  --router d962ca72-a76b-4873-8c5a-5af6831cfa24 \
  --subnet d3ad0178-b277-493c-89c2-2644741df909

openstack vpn ipsec site connection create conn-r2 \
  --vpnservice vpn-r2 \
  --ikepolicy ikepolicy \
  --ipsecpolicy ipsecpolicy \
  --peer-address 10.101.101.164 \
  --peer-id 10.101.101.164 \
  --peer-cidr 192.168.0.0/24 \
  --psk your_secret
  • Some troubleshooting. The services and both connections should reach status ACTIVE. If a connection stays in PENDING_CREATE or DOWN, the first things to compare are the two sides' peer address, peer CIDR and PSK, which must mirror each other exactly, and then the libreswan logs inside the router namespace on the network node.
openstack vpn service show vpn-r1
openstack vpn service show vpn-r2
openstack vpn ipsec site connection show conn-r1
openstack vpn ipsec site connection show conn-r2

openstack vpn ike policy list
openstack vpn ipsec policy list
openstack vpn service list
openstack vpn ipsec site connection list
  • Create an instance in each of the 2 networks and test ping between the instances (the instances' security groups must allow ICMP ingress from the remote subnet, which the default security group does not).
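The whole test procedure above, scripted, as an added example that is not part of the original post: it wires up both routers with the same CLI calls, generates a random PSK instead of your_secret, checks that the two connections mirror each other before anything is created, and polls the connection status until ACTIVE. Router and subnet names (router1, subnet1, ...) stand in for the UUIDs used in the post and are assumptions; the sha256/group14 defaults are this example's choice, not the post's; the openstack calls only run when VPNAAS_APPLY=1 is set, and fake_status with its fixed status list is a constructed stand-in so the checks can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Automates the two-router
# VPNaaS setup and adds the pre-flight and status checks a stuck tunnel
# usually needs. Router/subnet names are assumptions (the post used UUIDs).
# The openstack CLI is only invoked when VPNAAS_APPLY=1 is set.
set -eu

# Side definitions: IPs and CIDRs from the post, names assumed.
R1_ROUTER=router1; R1_SUBNET=subnet1; R1_CIDR=192.168.0.0/24; R1_EXT=10.101.101.164
R2_ROUTER=router2; R2_SUBNET=subnet2; R2_CIDR=192.168.1.0/24; R2_EXT=10.101.101.152

# Algorithms: the post used sha1/group2; sha256/group14 are accepted by the
# Queens CLI and are the better default. IKEv1 is kept unless IKE_VER=v2.
IKE_AUTH=${IKE_AUTH:-sha256}; IKE_PFS=${IKE_PFS:-group14}; IKE_VER=${IKE_VER:-v1}

# 48 hex characters from /dev/urandom; 'your_secret' in the post is a placeholder.
make_psk() {
  od -An -N24 -tx1 /dev/urandom | tr -d ' \n'
}

# The two site connections must mirror each other: A's peer-address and
# peer-cidr are B's external IP and subnet, and vice versa, with one PSK.
# Args: a_ext a_cidr a_peer_addr a_peer_cidr a_psk b_ext b_cidr b_peer_addr b_peer_cidr b_psk
validate_pair() {
  local a_ext=$1 a_cidr=$2 a_paddr=$3 a_pcidr=$4 a_psk=$5
  local b_ext=$6 b_cidr=$7 b_paddr=$8 b_pcidr=$9 b_psk=${10}
  local rc=0
  [ "$a_paddr" = "$b_ext" ]  || { echo "A peer-address $a_paddr != router B IP $b_ext"; rc=1; }
  [ "$b_paddr" = "$a_ext" ]  || { echo "B peer-address $b_paddr != router A IP $a_ext"; rc=1; }
  [ "$a_pcidr" = "$b_cidr" ] || { echo "A peer-cidr $a_pcidr != subnet B $b_cidr"; rc=1; }
  [ "$b_pcidr" = "$a_cidr" ] || { echo "B peer-cidr $b_pcidr != subnet A $a_cidr"; rc=1; }
  [ "$a_cidr" != "$b_cidr" ] || { echo "both sides use the same subnet $a_cidr; nothing to tunnel"; rc=1; }
  [ "$a_psk" = "$b_psk" ]    || { echo "PSK differs between the two connections"; rc=1; }
  return "$rc"
}

# Same policies on both sides, as the post does, with the algorithm choices above.
create_policies() {
  openstack vpn ike policy create ikepolicy \
    --auth-algorithm "$IKE_AUTH" --encryption-algorithm aes-256 \
    --ike-version "$IKE_VER" --lifetime units=seconds,value=86400 \
    --phase1-negotiation-mode main --pfs "$IKE_PFS"
  openstack vpn ipsec policy create ipsecpolicy \
    --auth-algorithm "$IKE_AUTH" --encryption-algorithm aes-256 \
    --lifetime units=seconds,value=3600 --transform-protocol esp --pfs "$IKE_PFS"
}

# Args: side router subnet peer_ip peer_cidr psk  (creates vpn-<side> and conn-<side>)
create_side() {
  local side=$1 router=$2 subnet=$3 peer_ip=$4 peer_cidr=$5 psk=$6
  openstack vpn service create "vpn-$side" --router "$router" --subnet "$subnet"
  openstack vpn ipsec site connection create "conn-$side" \
    --vpnservice "vpn-$side" --ikepolicy ikepolicy --ipsecpolicy ipsecpolicy \
    --peer-address "$peer_ip" --peer-id "$peer_ip" --peer-cidr "$peer_cidr" \
    --psk "$psk"
}

# Status source used by wait_active: $1 = connection name, $2 = poll number.
conn_status_cli() {
  openstack vpn ipsec site connection show -f value -c status "$1"
}

# Constructed stand-in for offline runs: returns the $2-th word of FAKE_STATUSES.
FAKE_STATUSES=${FAKE_STATUSES:-"PENDING_CREATE PENDING_CREATE ACTIVE"}
fake_status() {
  printf '%s\n' $FAKE_STATUSES | sed -n "${2}p"
}

# Poll until the connection is ACTIVE; fail on ERROR or when tries run out.
# Args: connection [tries]   (STATUS_FN and POLL_SLEEP override the defaults)
wait_active() {
  local conn=$1 tries=${2:-30} i=1 status=
  while [ "$i" -le "$tries" ]; do
    status=$("${STATUS_FN:-conn_status_cli}" "$conn" "$i")
    case $status in
      ACTIVE) return 0 ;;
      ERROR)  echo "$conn entered ERROR; check the l3-agent log"; return 1 ;;
    esac
    sleep "${POLL_SLEEP:-5}"
    i=$((i + 1))
  done
  echo "$conn is still '$status' after $tries polls"
  return 1
}

if [ "${VPNAAS_APPLY:-0}" = 1 ]; then
  PSK=${VPN_PSK:-$(make_psk)}
  validate_pair "$R1_EXT" "$R1_CIDR" "$R2_EXT" "$R2_CIDR" "$PSK" \
                "$R2_EXT" "$R2_CIDR" "$R1_EXT" "$R1_CIDR" "$PSK"
  create_policies
  create_side r1 "$R1_ROUTER" "$R1_SUBNET" "$R2_EXT" "$R2_CIDR" "$PSK"
  create_side r2 "$R2_ROUTER" "$R2_SUBNET" "$R1_EXT" "$R1_CIDR" "$PSK"
  wait_active conn-r1
  wait_active conn-r2
fi
```

Run it with `VPNAAS_APPLY=1 ./vpnaas.sh` after sourcing your OpenStack RC file; set VPN_PSK if the PSK has to match a gateway you do not control, and STATUS_FN=fake_status POLL_SLEEP=0 to dry-run the polling logic without an API. validate_pair is the check worth keeping even if you create the objects by hand, because a mismatched peer CIDR or PSK produces no error from the API, only a connection that never leaves PENDING_CREATE.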
