Marica Antonacci edited this page Jun 18, 2014 · 34 revisions

Installation

# apt-get install openswan neutron-plugin-vpn-agent

Configuration

  1. Create file /etc/neutron/rootwrap.d/vpnaas.filters

     # cat > /etc/neutron/rootwrap.d/vpnaas.filters << EOF
     [Filters]
     
     ip: IpFilter, ip, root
     ip_exec: IpNetnsExecFilter, ip, root
     openswan: CommandFilter, ipsec, root
     
     EOF
    
  2. Create file /etc/neutron/vpn_agent.ini:

     # cat > /etc/neutron/vpn_agent.ini << EOF
     [DEFAULT]
     interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
     
     [vpnagent]
     vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver
     
     [ipsec]
     ipsec_status_check_interval=60
     
     EOF
    
  3. Add the plugin in neutron.conf:

     service_plugins = neutron.services.vpn.plugin.VPNDriverPlugin,neutron.services.loadbalancer.plugin.LoadBalancerPlugin,neutron.services.firewall.fwaas_plugin.FirewallPlugin
    
  4. Add the vpn service provider (alongside any already present for other services) in /etc/neutron/neutron.conf:

     [service_providers]
     service_provider = LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
     service_provider = VPN:Vpn:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
     service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
    
  5. Restart the neutron services.

     # cd /etc/init.d
     # for s in neutron-*; do service "$s" restart; done
    
  6. Finally, to enable the VPN panel in horizon, edit the file /etc/openstack-dashboard/local_settings.py:

     OPENSTACK_NEUTRON_NETWORK = {
         ...
         'enable_vpn': True,
         ...
     }
    

    Restart apache2:

     # service apache2 restart
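
A post-install check for the settings written in steps 1 to 4, as an added example that is not part of the original wiki page. The function names `ini_values` and `check_vpnaas` and the optional staging-root argument are hypothetical; `service_plugins` is assumed to sit in `[DEFAULT]`, and the file-mode check on the rootwrap filter is an added hardening check.

```shell
# Print every value of KEY in [SECTION] of FILE, one per line.
# service_provider is a repeated key, so all occurrences are returned.
ini_values() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); cur = $0; next }
        /^[ \t]*[#;]/ { next }
        cur == sec {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) print v
        }' "$1"
}

# check_vpnaas [ROOT]: ROOT is a hypothetical prefix for a staged copy of /etc.
check_vpnaas() {
    n="${1:-}/etc/neutron"; rc=0
    fail() { echo "FAIL: $*"; rc=1; }

    f="$n/rootwrap.d/vpnaas.filters"
    grep -Eq '^[[:space:]]*openswan:[[:space:]]*CommandFilter,[[:space:]]*ipsec,[[:space:]]*root' "$f" 2>/dev/null \
        || fail "openswan filter missing in $f"
    # rootwrap executes filtered commands as root, so the filter file must
    # not be writable by group or others (added check, not from the page).
    [ -z "$(find "$f" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ] \
        || fail "$f is group- or world-writable"

    ini_values "$n/vpn_agent.ini" vpnagent vpn_device_driver 2>/dev/null \
        | grep -qxF 'neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver' \
        || fail "vpn_device_driver is not OpenSwanDriver"

    # service_plugins is assumed to sit in [DEFAULT] of neutron.conf.
    ini_values "$n/neutron.conf" DEFAULT service_plugins 2>/dev/null \
        | tr -d ' ' | tr ',' '\n' \
        | grep -qxF 'neutron.services.vpn.plugin.VPNDriverPlugin' \
        || fail "VPNDriverPlugin missing from service_plugins"

    ini_values "$n/neutron.conf" service_providers service_provider 2>/dev/null \
        | grep -q '^VPN:[^:]*:neutron\.services\.vpn\.service_drivers\.ipsec\.IPsecVPNDriver' \
        || fail "VPN service provider missing"
    return "$rc"
}
```

Calling `check_vpnaas` with no argument checks the live /etc/neutron; it prints one FAIL line per missing setting and returns non-zero if any check fails.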
    

Usage

The example in this document uses one tenant at each site, with one instance running in each tenant. A complete VPNaaS deployment requires an IKE Policy, an IPSec Policy, a VPN Service and an IPSec Site Connection. The steps for creating the VPNaaS policy are as follows:

  • Step 1: Create an IKE Policy. From the "VPN" object under "Manage Network" in the Dashboard sidebar, select "Add IKE Policy" from the "IKE Policies" tab. In the example shown in Figure 1, the IKE Policy has the following settings:
    • Name = ike_pol_1
    • Leave all other settings at their defaults

[Figure 1: ike_policy]
