Marica Antonacci edited this page Jun 18, 2014 · 34 revisions

VPN as a Service

Installation

# apt-get install openswan neutron-plugin-vpn-agent

Configuration

  1. Create file /etc/neutron/rootwrap.d/vpnaas.filters

     # cat > /etc/neutron/rootwrap.d/vpnaas.filters << EOF
     [Filters]
     
     ip: IpFilter, ip, root
     ip_exec: IpNetnsExecFilter, ip, root
     openswan: CommandFilter, ipsec, root
     
     EOF
    
  2. Create file /etc/neutron/vpn_agent.ini:

     # cat > /etc/neutron/vpn_agent.ini << EOF
     [DEFAULT]
     interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
     
     [vpnagent]
     vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver
     
     [ipsec]
     ipsec_status_check_interval=60
     
     EOF
    
  3. Add the plugin to neutron.conf:

     service_plugins = neutron.services.vpn.plugin.VPNDriverPlugin,neutron.services.loadbalancer.plugin.LoadBalancerPlugin,neutron.services.firewall.fwaas_plugin.FirewallPlugin
    
  4. Add the VPN service provider to /etc/neutron/neutron.conf (alongside any already present for other services):

     [service_providers]
     service_provider = LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
     service_provider = VPN:Vpn:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
     service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
    
  5. Restart the neutron services.

     # cd /etc/init.d
     # for s in `ls neutron-*`; do service $s restart; done
    
  6. Finally, to enable the VPN panel in Horizon, edit /etc/openstack-dashboard/local_settings.py:

     OPENSTACK_NEUTRON_NETWORK = {
         ...
         'enable_vpn': True,
         ...
     }
    

    Restart apache2:

     # service apache2 restart
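The following script is an added check, not part of the original page, for verifying that steps 1 to 4 above actually took effect before restarting the services. The file paths and the expected values are the ones the steps use; the sample configs embedded at the bottom are constructed so the checks can be exercised offline. The warning about running neutron-l3-agent next to neutron-vpn-agent is an assumption stated in the script, not something the page says.

```shell
#!/bin/sh
# Added example: post-configuration checks for the VPNaaS setup described above.
# Paths and expected values come from steps 1-4; the samples are constructed.

NEUTRON_CONF=/etc/neutron/neutron.conf
VPN_AGENT_INI=/etc/neutron/vpn_agent.ini
VPNAAS_FILTERS=/etc/neutron/rootwrap.d/vpnaas.filters

# Every check_* function reads a config file's text on stdin and returns 0 when
# the required setting is present on an uncommented line ('=' spacing may vary).

# Steps 3 and 4: VPN plugin loaded and an IPsec service provider declared.
check_neutron_conf() {
    text=$(cat)
    printf '%s\n' "$text" | grep -Eq \
        '^[[:space:]]*service_plugins[[:space:]]*=.*neutron\.services\.vpn\.plugin\.VPNDriverPlugin' || return 1
    printf '%s\n' "$text" | grep -Eq \
        '^[[:space:]]*service_provider[[:space:]]*=[[:space:]]*VPN:[^:]+:neutron\.services\.vpn\.service_drivers\.ipsec\.IPsecVPNDriver' || return 1
}

# Step 2: the agent drives OpenSwan.
check_vpn_agent_ini() {
    grep -Eq '^[[:space:]]*vpn_device_driver[[:space:]]*=[[:space:]]*neutron\.services\.vpn\.device_drivers\.ipsec\.OpenSwanDriver'
}

# Step 1: rootwrap allows `ipsec` and `ip netns exec` as root. Without these the
# agent cannot start OpenSwan inside the router's network namespace.
check_rootwrap_filters() {
    text=$(cat)
    printf '%s\n' "$text" | grep -Eq '^[[:space:]]*openswan:[[:space:]]*CommandFilter,[[:space:]]*ipsec,[[:space:]]*root' || return 1
    printf '%s\n' "$text" | grep -Eq '^[[:space:]]*ip_exec:[[:space:]]*IpNetnsExecFilter,[[:space:]]*ip,[[:space:]]*root' || return 1
}

# Run every check against the live files, plus two host-level checks.
check_live() {
    rc=0
    check_neutron_conf < "$NEUTRON_CONF"       || { echo "FAIL: VPN plugin/provider missing in $NEUTRON_CONF"; rc=1; }
    check_vpn_agent_ini < "$VPN_AGENT_INI"     || { echo "FAIL: OpenSwan driver missing in $VPN_AGENT_INI"; rc=1; }
    check_rootwrap_filters < "$VPNAAS_FILTERS" || { echo "FAIL: ipsec/ip filters missing in $VPNAAS_FILTERS"; rc=1; }
    command -v ipsec >/dev/null                || { echo "FAIL: ipsec binary not found (is openswan installed?)"; rc=1; }
    # Assumption (not from the page): the VPN agent is an L3 agent with VPN
    # support, so a separate neutron-l3-agent on the same node would manage the
    # same router namespaces. Warn if both are running.
    if pgrep -f neutron-l3-agent >/dev/null && pgrep -f neutron-vpn-agent >/dev/null; then
        echo "WARN: neutron-l3-agent and neutron-vpn-agent are both running on this node"
    fi
    return $rc
}

# Constructed samples mirroring steps 3 and 4, used by selfcheck.
SAMPLE_NEUTRON_CONF='[DEFAULT]
service_plugins = neutron.services.vpn.plugin.VPNDriverPlugin,neutron.services.loadbalancer.plugin.LoadBalancerPlugin
[service_providers]
service_provider = VPN:Vpn:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default'
SAMPLE_BAD_CONF='[DEFAULT]
# service_plugins = neutron.services.vpn.plugin.VPNDriverPlugin
[service_providers]
service_provider = VPN:Vpn:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default'

# Returns 0 only when the good sample passes and the commented-out one fails.
selfcheck() {
    printf '%s\n' "$SAMPLE_NEUTRON_CONF" | check_neutron_conf || return 1
    if printf '%s\n' "$SAMPLE_BAD_CONF" | check_neutron_conf; then return 1; fi
    return 0
}

case "${1:-}" in
    live) check_live ;;
    *)    selfcheck && echo "selfcheck ok (run with 'live' to test /etc/neutron)" ;;
esac
```

Run it as `sh check_vpnaas.sh live` on the network node after step 4 and before step 5; a FAIL on the rootwrap filters is the usual reason a site connection later sits in PENDING_CREATE.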
    

Usage

In the example that will be shown in this document there will be one tenant at each site with one instance running within each tenant. A complete VPNaaS deployment requires an IKE Policy, IPSec Policy, VPN Service and an IPSec Site Connection. The steps for creating the VPNaaS policy are as follows:

  • Step 1: Create an IKE Policy. From the "VPN" object under "Manage Network" in the Dashboard sidebar, select "Add IKE Policy" from the "IKE Policies" tab. In the example shown in the following figure, the IKE Policy has the following settings:

    • Name = ike_pol_1
    • Leave all other settings at their defaults

    [figure: "Add IKE Policy" dialog, name ike_pol_1]

  • Step 2: Create an IPSec Policy. From the "VPN" object under "Manage Network" in the Dashboard sidebar, select "Add IPSec Policy" from the "IPSec Policies" tab. In the example shown in the following figure, the IPSec Policy has the following settings:

    • Name = ipsec_pol_1
    • Leave all other settings at their defaults

    [figure: "Add IPSec Policy" dialog, name ipsec_pol_1]

  • Step 3: Create a VPN Service. From the "VPN" object under "Manage Network" in the Dashboard sidebar, select "Add VPN Service" from the "VPN Services" tab. In the example shown in the next figure, the VPN Service has the following settings:

    • Name = vpn_service_1
    • Router = os-router-1
    • Subnet = 10.10.10.0/24 # the private subnet range

    [figure: "Add VPN Service" dialog, name vpn_service_1]

  • Step 4: Gather Neutron Router Information. From the "Routers" object under "Manage Network" in the Dashboard sidebar, select the router you created. The "Router Overview" screen lists the router's "Interfaces". In the example shown here, the "Fixed IP Address" of the External Gateway interface is the address you need for the "IPSec Site Connections" configuration: it is the peer address the other site will point its connection at. The CIDR of the private subnet must also be known before entering the IPSec Site Connection configuration:

    [figure: router overview showing the External Gateway interface and its fixed IP address]
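The same four steps driven from the `neutron` command line, followed by the IPsec site connection the procedure above leads up to, as an added example that is not part of the original page. Names reuse the page's (ike_pol_1, ipsec_pol_1, vpn_service_1, os-router-1, 10.10.10.0/24); the local subnet name, the remote site's subnet and the remote gateway address are constructed placeholders. It assumes OS_* credentials for the local tenant are exported and that the options used are those of the Icehouse-era python-neutronclient; the `--device_id`/`--device_owner` filtering of `port-list` is an assumption about that client.

```shell
#!/bin/sh
# Added example (not from the original page): VPNaaS objects from the CLI.
LOCAL_ROUTER=os-router-1          # from the page
LOCAL_SUBNET_NAME=os-subnet-1     # constructed: name of the 10.10.10.0/24 subnet
REMOTE_SUBNET=10.10.20.0/24       # constructed: the other site's private subnet
REMOTE_GW=203.0.113.20            # constructed: the other site's router gateway IP

# Pull the IPv4 address out of the fixed_ips column of `neutron port-list`, which
# looks like {"subnet_id": "...", "ip_address": "203.0.113.10"}. Pure text
# function (reads stdin) so it can be checked without a running Neutron.
parse_gateway_ip() {
    sed -n 's/.*"ip_address": *"\([0-9.]*\)".*/\1/p' | head -n 1
}

# Step 4 from the CLI: the router's gateway port is the one whose device_owner
# is network:router_gateway. (Assumption: port-list accepts these filters.)
router_gateway_ip() {
    router_id=$(neutron router-show "$1" | awk '$2 == "id" {print $4}')
    neutron port-list --device_id "$router_id" --device_owner network:router_gateway -c fixed_ips \
        | parse_gateway_ip
}

# Steps 1 and 2 with the parameters spelled out instead of left at defaults.
# Both sites must create policies with identical parameters.
create_policies() {
    neutron vpn-ikepolicy-create --name ike_pol_1 \
        --auth-algorithm sha1 --encryption-algorithm aes-256 \
        --phase1-negotiation-mode main --ike-version v1 \
        --pfs group5 --lifetime units=seconds,value=3600
    neutron vpn-ipsecpolicy-create --name ipsec_pol_1 \
        --transform-protocol esp --encapsulation-mode tunnel \
        --auth-algorithm sha1 --encryption-algorithm aes-256 \
        --pfs group5 --lifetime units=seconds,value=3600
}

# Step 3: bind the service to the router and the local private subnet.
create_service() {
    neutron vpn-service-create --name vpn_service_1 "$LOCAL_ROUTER" "$LOCAL_SUBNET_NAME"
}

# The connection itself: peer-address/peer-id are the other site's gateway IP
# (its Step 4 value), peer-cidr its private subnet. The other site runs the same
# command with the two sides swapped and the same PSK. Dead-peer detection
# restarts the tunnel if the peer stops answering.
create_site_connection() {
    psk=$1
    neutron ipsec-site-connection-create --name "to_$REMOTE_GW" \
        --vpnservice-id vpn_service_1 --ikepolicy-id ike_pol_1 --ipsecpolicy-id ipsec_pol_1 \
        --peer-address "$REMOTE_GW" --peer-id "$REMOTE_GW" --peer-cidr "$REMOTE_SUBNET" \
        --initiator bi-directional \
        --dpd action=restart,interval=30,timeout=120 \
        --psk "$psk"
}

if [ "${1:-}" = apply ]; then
    psk=$(openssl rand -base64 32)   # share with the other site out of band
    create_policies
    create_service
    create_site_connection "$psk"
    echo "local gateway (give to the other site as peer-address): $(router_gateway_ip "$LOCAL_ROUTER")"
    neutron ipsec-site-connection-list
else
    # Offline demonstration of the Step 4 parsing on a constructed port-list row.
    SAMPLE_ROW='| {"subnet_id": "a1b2c3d4-0000-4000-8000-000000000001", "ip_address": "203.0.113.10"} |'
    echo "parsed gateway IP: $(printf '%s\n' "$SAMPLE_ROW" | parse_gateway_ip)"
    echo "run with 'apply' to create the objects (needs OS_* credentials)"
fi
```

Two points a practitioner should keep in mind: the connection only comes up if IKE and IPSec parameters match on both ends, so create the policies from the same script at both sites rather than relying on dashboard defaults; and `--psk` on the command line ends up in shell history and in the process list of the neutron client, so generate the key as shown and clear the history afterwards rather than typing a reusable secret.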
