The following shows how to write this file by hand:
cd /usr/share/openstack-dashboard/openstack_dashboard/enabled/
touch _7100_project_vpn_panel.py
The file contents are as follows:
[root@localhost enabled]# vim _7100_project_vpn_panel.py
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

# The slug of the panel to be added to HORIZON_CONFIG. Required.
PANEL = 'vpn'
# The slug of the dashboard the PANEL is associated with. Required.
PANEL_DASHBOARD = 'project'
# The slug of the panel group the PANEL is associated with.
PANEL_GROUP = 'network'
# Python panel class of the PANEL to be added.
ADD_PANEL = 'neutron_vpnaas_dashboard.dashboards.project.vpn.panel.VPN'

ADD_INSTALLED_APPS = ["neutron_vpnaas_dashboard"]

4.1 vim /etc/neutron/neutron.conf
[DEFAULT]
service_plugins = router,vpnaas

4.2 vim /etc/neutron/neutron_vpnaas.conf
[service_providers]
service_provider = VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default

4.3 vim /etc/neutron/l3_agent.ini
[agent]
extensions = vpnaas
[vpnagent]
vpn_device_driver = neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver

4.4 Run neutron-db-manage --subproject neutron-vpnaas upgrade head

5. Restart the services
systemctl restart neutron-server
systemctl restart neutron-l3-agent
systemctl restart apache2
---------------------
Virtual Private Network-as-a-Service (VPNaaS)

Enabling VPNaaS
This section describes the settings for the reference implementation. Vendor plugins or drivers can have a different setup procedure and may provide their own manuals.
Enable the VPNaaS plug-in in the /etc/neutron/neutron.conf file by appending vpnaas to service_plugins in [DEFAULT]:
[DEFAULT]
# ...
service_plugins = vpnaas
Note
vpnaas is just the example value for the reference implementation. The value depends on the plugin you are going to use; set the plugin suitable for your own deployment.
Configure the VPNaaS service provider by creating the /etc/neutron/neutron_vpnaas.conf file as follows (strongswan is used on the Ubuntu distribution):
[service_providers]
service_provider = VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
Note
There are several kinds of service drivers. Depending on the Linux distribution, you may need to override this value. For RHEL/CentOS select libreswan; the configuration then looks like this: service_provider = VPN:openswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default. Use the appropriate one for your deployment.
Configure the VPNaaS plugin for the L3 agent by adding the following section to /etc/neutron/l3_agent.ini (StrongSwanDriver is used on the Ubuntu distribution):
[AGENT]
extensions = vpnaas
[vpnagent]
vpn_device_driver = neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver
Note
There are several kinds of device drivers. Depending on the Linux distribution, you may need to override this value. For RHEL/CentOS select LibreSwanDriver; the configuration then looks like this: vpn_device_driver = neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver. Use the appropriate driver for your deployment.
Create the required tables in the database:
# neutron-db-manage --subproject neutron-vpnaas upgrade head
Note
In order to run the above command, you need to have the neutron-vpnaas package installed on the controller node.
Restart the neutron-server on the controller node to apply the settings.
Restart the neutron-l3-agent on the network node to apply the settings.
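The controller-side files (neutron.conf, neutron_vpnaas.conf), the L3-agent file (l3_agent.ini) and the Horizon enabled file are edited twice on this page, once in the hand-written walkthrough at the top and once in the reference documentation above, and both end with a restart that only reveals mistakes afterwards. The script below is an added example, not code from the neutron-vpnaas project or from this page; it checks constructed in-memory copies of those four files (hypothetical contents mirroring the snippets above) for the things that are usually wrong before a restart: vpnaas missing from service_plugins or from the agent extensions, a service_provider that is not of the VPN:<name>:<driver>[:default] form, a vpn_device_driver that is not one of the two drivers the page names, and an enabled file that contains anything other than constant assignments (Horizon imports enabled/*.py at startup, so a panel file should never carry executable code). The function names, the KNOWN_DEVICE_DRIVERS table and the ADD_PANEL versus ADD_INSTALLED_APPS consistency check are the example's own.

```python
import ast
import configparser

# Constructed sample contents mirroring the snippets on this page. They are kept
# in memory (not read from /etc/neutron) so the check runs offline; pass the
# contents of the real files to the check_* functions to check a live node.
NEUTRON_CONF = """
[DEFAULT]
# ...
service_plugins = router,vpnaas
"""

NEUTRON_VPNAAS_CONF = """
[service_providers]
service_provider = VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
"""

L3_AGENT_INI = """
[AGENT]
extensions = vpnaas
[vpnagent]
vpn_device_driver = neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver
"""

HORIZON_ENABLED_FILE = """
PANEL = 'vpn'
PANEL_DASHBOARD = 'project'
PANEL_GROUP = 'network'
ADD_PANEL = 'neutron_vpnaas_dashboard.dashboards.project.vpn.panel.VPN'
ADD_INSTALLED_APPS = ["neutron_vpnaas_dashboard"]
"""

# The two device drivers the page names, mapped to the IPsec backend each one
# drives (that backend package must be installed on the network node).
KNOWN_DEVICE_DRIVERS = {
    "neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver": "strongswan",
    "neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver": "libreswan",
}
REQUIRED_PANEL_KEYS = ("PANEL", "PANEL_DASHBOARD", "ADD_PANEL", "ADD_INSTALLED_APPS")


def _parse(text):
    # oslo.config files accept '#' and ';' comments; no '%' interpolation is wanted.
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=("#", ";"))
    cp.read_string(text)
    return cp


def _get(cp, section, option):
    """Look an option up with a case-insensitive section name: both [AGENT] and
    [agent] appear on this page, and configparser treats them as different."""
    if section.lower() == cp.default_section.lower():
        return cp.defaults().get(option.lower())
    for name in cp.sections():
        if name.lower() == section.lower():
            return cp.get(name, option, fallback=None)
    return None


def _csv(value):
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def check_server_side(neutron_conf, vpnaas_conf):
    """Controller node: plugin enabled and provider line well-formed. Returns findings."""
    findings = []
    if "vpnaas" not in _csv(_get(_parse(neutron_conf), "DEFAULT", "service_plugins")):
        findings.append("neutron.conf: 'vpnaas' missing from service_plugins")
    provider = _get(_parse(vpnaas_conf), "service_providers", "service_provider") or ""
    parts = provider.split(":")  # expected: VPN:<name>:<driver class>[:default]
    if len(parts) < 3 or parts[0] != "VPN":
        findings.append("neutron_vpnaas.conf: service_provider must be VPN:<name>:<driver>[:default]")
    elif not parts[2].endswith(".IPsecVPNDriver"):
        findings.append("neutron_vpnaas.conf: unexpected service driver %s" % parts[2])
    return findings


def check_agent_side(l3_agent_ini):
    """Network node: extension loaded and device driver known.
    Returns (findings, backend) with backend 'strongswan', 'libreswan' or None."""
    findings = []
    cp = _parse(l3_agent_ini)
    if "vpnaas" not in _csv(_get(cp, "AGENT", "extensions")):
        findings.append("l3_agent.ini: 'vpnaas' missing from [AGENT] extensions")
    driver = _get(cp, "vpnagent", "vpn_device_driver") or ""
    backend = KNOWN_DEVICE_DRIVERS.get(driver)
    if backend is None:
        findings.append("l3_agent.ini: unrecognised vpn_device_driver %r" % driver)
    return findings, backend


def check_horizon_enabled_file(source):
    """Enabled file holds only NAME = constant lines; ast parses without executing.
    Returns (findings, values)."""
    findings, values = [], {}
    for node in ast.parse(source).body:
        target = node.targets[0] if isinstance(node, ast.Assign) and len(node.targets) == 1 else None
        if not isinstance(target, ast.Name):
            findings.append("line %d: expected NAME = constant, found %s" % (node.lineno, type(node).__name__))
            continue
        try:
            values[target.id] = ast.literal_eval(node.value)  # rejects calls, names, imports
        except ValueError:
            findings.append("line %d: %s is not a plain constant" % (node.lineno, target.id))
    for key in REQUIRED_PANEL_KEYS:
        if key not in values:
            findings.append("missing %s" % key)
    app = str(values.get("ADD_PANEL", "")).split(".")[0]
    if app and app not in list(values.get("ADD_INSTALLED_APPS", [])):
        findings.append("ADD_PANEL lives in %r, which is not in ADD_INSTALLED_APPS" % app)
    return findings, values


if __name__ == "__main__":
    print(check_server_side(NEUTRON_CONF, NEUTRON_VPNAAS_CONF))
    print(check_agent_side(L3_AGENT_INI))
    print(check_horizon_enabled_file(HORIZON_ENABLED_FILE))
```

Run it on a node by reading the real files into the three check functions; an empty findings list for all three means the plugin, the agent extension and the panel file are at least consistent, and the backend name returned by check_agent_side tells you which IPsec package (strongswan or libreswan) the network node must have before neutron-l3-agent is restarted.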

Using VPNaaS with endpoint group (recommended)
IPsec site-to-site connections will support multiple local subnets, in addition to the current multiple peer CIDRs. The multiple local subnet feature is triggered by not specifying a local subnet when creating a VPN service. Backwards compatibility is maintained with single local subnets by providing the subnet in the VPN service creation.
To support multiple local subnets, a new capability called “End Point Groups” has been added. Each endpoint group will define one or more endpoints of a specific type, and can be used to specify both local and peer endpoints for IPsec connections. The endpoint groups separate the “what gets connected” from the “how to connect” for a VPN service, and can be used for different flavors of VPN in the future.
Refer to Multiple Local Subnets for more detail.
Create the IKE policy, IPsec policy, VPN service, local endpoint group and peer endpoint group. Then, create an IPsec site connection that applies the above policies and service.
Create an IKE policy:
$ openstack vpn ike policy create ikepolicy
+-------------------------------+----------------------------------------+
| Field                         | Value                                  |
+-------------------------------+----------------------------------------+
| Authentication Algorithm      | sha1                                   |
| Description                   |                                        |
| Encryption Algorithm          | aes-128                                |
| ID                            | 735f4691-3670-43b2-b389-f4d81a60ed56   |
| IKE Version                   | v1                                     |
| Lifetime                      | {u'units': u'seconds', u'value': 3600} |
| Name                          | ikepolicy                              |
| Perfect Forward Secrecy (PFS) | group5                                 |
| Phase1 Negotiation Mode       | main                                   |
| Project                       | 095247cb2e22455b9850c6efff407584       |
| project_id                    | 095247cb2e22455b9850c6efff407584       |
+-------------------------------+----------------------------------------+
Create an IPsec policy:
$ openstack vpn ipsec policy create ipsecpolicy
+-------------------------------+----------------------------------------+
| Field                         | Value                                  |
+-------------------------------+----------------------------------------+
| Authentication Algorithm      | sha1                                   |
| Description                   |                                        |
| Encapsulation Mode            | tunnel                                 |
| Encryption Algorithm          | aes-128                                |
| ID                            | 4f3f46fc-f2dc-4811-a642-9601ebae310f   |
| Lifetime                      | {u'units': u'seconds', u'value': 3600} |
| Name                          | ipsecpolicy                            |
| Perfect Forward Secrecy (PFS) | group5                                 |
| Project                       | 095247cb2e22455b9850c6efff407584       |
| Transform Protocol            | esp                                    |
| project_id                    | 095247cb2e22455b9850c6efff407584       |
+-------------------------------+----------------------------------------+
Create a VPN service:
$ openstack vpn service create vpn \
  --router 9ff3f20c-314f-4dac-9392-defdbbb36a66
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| Description    |                                      |
| Flavor         | None                                 |
| ID             | 9f499f9f-f672-4ceb-be3c-d5ff3858c680 |
| Name           | vpn                                  |
| Project        | 095247cb2e22455b9850c6efff407584     |
| Router         | 9ff3f20c-314f-4dac-9392-defdbbb36a66 |
| State          | True                                 |
| Status         | PENDING_CREATE                       |
| Subnet         | None                                 |
| external_v4_ip | 192.168.20.7                         |
| external_v6_ip | 2001:db8::7                          |
| project_id     | 095247cb2e22455b9850c6efff407584     |
+----------------+--------------------------------------+
Note
Do not specify the --subnet option in this case.
The Networking openstackclient requires a router (name or ID) and a name.
Create a local endpoint group:
$ openstack vpn endpoint group create ep_subnet \
  --type subnet \
  --value 1f888dd0-2066-42a1-83d7-56518895e47d
+-------------+-------------------------------------------+
| Field       | Value                                     |
+-------------+-------------------------------------------+
| Description |                                           |
| Endpoints   | [u'1f888dd0-2066-42a1-83d7-56518895e47d'] |
| ID          | 667296d0-67ca-4d0f-b676-7650cf96e7b1      |
| Name        | ep_subnet                                 |
| Project     | 095247cb2e22455b9850c6efff407584          |
| Type        | subnet                                    |
| project_id  | 095247cb2e22455b9850c6efff407584          |
+-------------+-------------------------------------------+
Note
The type of a local endpoint group must be subnet.
Create a peer endpoint group:
$ openstack vpn endpoint group create ep_cidr \
  --type cidr \
  --value 192.168.1.0/24
+-------------+--------------------------------------+
| Field       | Value                                |
+-------------+--------------------------------------+
| Description |                                      |
| Endpoints   | [u'192.168.1.0/24']                  |
| ID          | 5c3d7f2a-4a2a-446b-9fcf-9a2557cfc641 |
| Name        | ep_cidr                              |
| Project     | 095247cb2e22455b9850c6efff407584     |
| Type        | cidr                                 |
| project_id  | 095247cb2e22455b9850c6efff407584     |
+-------------+--------------------------------------+
Note
The type of a peer endpoint group must be cidr.
Create an IPsec site connection:
$ openstack vpn ipsec site connection create conn \
  --vpnservice vpn \
  --ikepolicy ikepolicy \
  --ipsecpolicy ipsecpolicy \
  --peer-address 192.168.20.9 \
  --peer-id 192.168.20.9 \
  --psk secret \
  --local-endpoint-group ep_subnet \
  --peer-endpoint-group ep_cidr
+--------------------------+--------------------------------------------------------+
| Field                    | Value                                                  |
+--------------------------+--------------------------------------------------------+
| Authentication Algorithm | psk                                                    |
| Description              |                                                        |
| ID                       | 07e400b7-9de3-4ea3-a9d0-90a185e5b00d                   |
| IKE Policy               | 735f4691-3670-43b2-b389-f4d81a60ed56                   |
| IPSec Policy             | 4f3f46fc-f2dc-4811-a642-9601ebae310f                   |
| Initiator                | bi-directional                                         |
| Local Endpoint Group ID  | 667296d0-67ca-4d0f-b676-7650cf96e7b1                   |
| Local ID                 |                                                        |
| MTU                      | 1500                                                   |
| Name                     | conn                                                   |
| Peer Address             | 192.168.20.9                                           |
| Peer CIDRs               |                                                        |
| Peer Endpoint Group ID   | 5c3d7f2a-4a2a-446b-9fcf-9a2557cfc641                   |
| Peer ID                  | 192.168.20.9                                           |
| Pre-shared Key           | secret                                                 |
| Project                  | 095247cb2e22455b9850c6efff407584                       |
| Route Mode               | static                                                 |
| State                    | True                                                   |
| Status                   | PENDING_CREATE                                         |
| VPN Service              | 9f499f9f-f672-4ceb-be3c-d5ff3858c680                   |
| dpd                      | {u'action': u'hold', u'interval': 30, u'timeout': 120} |
| project_id               | 095247cb2e22455b9850c6efff407584                       |
+--------------------------+--------------------------------------------------------+
Note
Do not specify the --peer-cidr option in this case; the peer CIDR(s) are provided by the peer endpoint group.

Configure VPNaaS without endpoint group (the legacy way)
Create the IKE policy, IPsec policy and VPN service. Then, create an IPsec site connection that applies the above policies and service.
Create an IKE policy:
$ openstack vpn ike policy create ikepolicy1
+-------------------------------+----------------------------------------+
| Field                         | Value                                  |
+-------------------------------+----------------------------------------+
| Authentication Algorithm      | sha1                                   |
| Description                   |                                        |
| Encryption Algorithm          | aes-128                                |
| ID                            | 99e4345d-8674-4d73-acb4-0e2524425e34   |
| IKE Version                   | v1                                     |
| Lifetime                      | {u'units': u'seconds', u'value': 3600} |
| Name                          | ikepolicy1                             |
| Perfect Forward Secrecy (PFS) | group5                                 |
| Phase1 Negotiation Mode       | main                                   |
| Project                       | 095247cb2e22455b9850c6efff407584       |
| project_id                    | 095247cb2e22455b9850c6efff407584       |
+-------------------------------+----------------------------------------+
Create an IPsec policy:
$ openstack vpn ipsec policy create ipsecpolicy1
+-------------------------------+----------------------------------------+
| Field                         | Value                                  |
+-------------------------------+----------------------------------------+
| Authentication Algorithm      | sha1                                   |
| Description                   |                                        |
| Encapsulation Mode            | tunnel                                 |
| Encryption Algorithm          | aes-128                                |
| ID                            | e6f547af-4a1d-4c28-b40b-b97cce746459   |
| Lifetime                      | {u'units': u'seconds', u'value': 3600} |
| Name                          | ipsecpolicy1                           |
| Perfect Forward Secrecy (PFS) | group5                                 |
| Project                       | 095247cb2e22455b9850c6efff407584       |
| Transform Protocol            | esp                                    |
| project_id                    | 095247cb2e22455b9850c6efff407584       |
+-------------------------------+----------------------------------------+
Create a VPN service:
$ openstack vpn service create vpn \
  --router 66ca673a-cbbd-48b7-9fb6-bfa7ee3ef724 \
  --subnet cdfb411e-e818-466a-837c-7f96fc41a6d9
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| Description    |                                      |
| Flavor         | None                                 |
| ID             | 79ef6250-ddc3-428f-88c2-0ec8084f4e9a |
| Name           | vpn                                  |
| Project        | 095247cb2e22455b9850c6efff407584     |
| Router         | 66ca673a-cbbd-48b7-9fb6-bfa7ee3ef724 |
| State          | True                                 |
| Status         | PENDING_CREATE                       |
| Subnet         | cdfb411e-e818-466a-837c-7f96fc41a6d9 |
| external_v4_ip | 192.168.20.2                         |
| external_v6_ip | 2001:db8::d                          |
| project_id     | 095247cb2e22455b9850c6efff407584     |
+----------------+--------------------------------------+
Note
The --subnet option is required in this scenario.
Create an IPsec site connection:
$ openstack vpn ipsec site connection create conn \
  --vpnservice vpn \
  --ikepolicy ikepolicy1 \
  --ipsecpolicy ipsecpolicy1 \
  --peer-address 192.168.20.11 \
  --peer-id 192.168.20.11 \
  --peer-cidr 192.168.1.0/24 \
  --psk secret
+--------------------------+--------------------------------------------------------+
| Field                    | Value                                                  |
+--------------------------+--------------------------------------------------------+
| Authentication Algorithm | psk                                                    |
| Description              |                                                        |
| ID                       | 5b2935e6-b2f0-423a-8156-07ed48703d13                   |
| IKE Policy               | 99e4345d-8674-4d73-acb4-0e2524425e34                   |
| IPSec Policy             | e6f547af-4a1d-4c28-b40b-b97cce746459                   |
| Initiator                | bi-directional                                         |
| Local Endpoint Group ID  | None                                                   |
| Local ID                 |                                                        |
| MTU                      | 1500                                                   |
| Name                     | conn                                                   |
| Peer Address             | 192.168.20.11                                          |
| Peer CIDRs               | 192.168.1.0/24                                         |
| Peer Endpoint Group ID   | None                                                   |
| Peer ID                  | 192.168.20.11                                          |
| Pre-shared Key           | secret                                                 |
| Project                  | 095247cb2e22455b9850c6efff407584                       |
| Route Mode               | static                                                 |
| State                    | True                                                   |
| Status                   | PENDING_CREATE                                         |
| VPN Service              | 79ef6250-ddc3-428f-88c2-0ec8084f4e9a                   |
| dpd                      | {u'action': u'hold', u'interval': 30, u'timeout': 120} |
| project_id               | 095247cb2e22455b9850c6efff407584                       |
+--------------------------+--------------------------------------------------------+
Note
Do not specify the --local-endpoint-group and --peer-endpoint-group options in this case.
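The two walkthroughs above (the recommended endpoint-group path and the legacy path) differ only in a handful of mutually exclusive options, and the Notes spell out the rules: no --subnet and no --peer-cidr when endpoint groups are used, a local group of type subnet and a peer group of type cidr, and on the legacy path exactly one --subnet with no endpoint groups at all. The script below is an added example and not code from the page or from the openstack client; it encodes those rules in a validator, builds the exact command sequence for either path from a small plan dictionary, and warns when the pre-shared key is short. The plan keys, the plan_errors and build_vpn_commands functions, the MIN_PSK_LEN threshold, and the assumption that --value and --peer-cidr may be repeated once per endpoint are the example's own; the two sample plans are constructed from the router, subnet, address and policy values shown in the output above.

```python
import ipaddress
import shlex

# Minimum pre-shared-key length this example warns below. The threshold is the
# example's own policy; neutron-vpnaas itself does not enforce one.
MIN_PSK_LEN = 16

# Constructed plans reproducing the two walkthroughs above; the IDs and addresses
# are the ones shown in the page's command output.
ENDPOINT_GROUP_PLAN = {
    "mode": "endpoint-group",
    "service": "vpn", "router": "9ff3f20c-314f-4dac-9392-defdbbb36a66",
    "ike_policy": "ikepolicy", "ipsec_policy": "ipsecpolicy", "connection": "conn",
    "peer_address": "192.168.20.9", "peer_id": "192.168.20.9", "psk": "secret",
    "local_subnets": ["1f888dd0-2066-42a1-83d7-56518895e47d"],
    "peer_cidrs": ["192.168.1.0/24"],
}
LEGACY_PLAN = {
    "mode": "legacy",
    "service": "vpn", "router": "66ca673a-cbbd-48b7-9fb6-bfa7ee3ef724",
    "ike_policy": "ikepolicy1", "ipsec_policy": "ipsecpolicy1", "connection": "conn",
    "peer_address": "192.168.20.11", "peer_id": "192.168.20.11", "psk": "secret",
    "local_subnets": ["cdfb411e-e818-466a-837c-7f96fc41a6d9"],
    "peer_cidrs": ["192.168.1.0/24"],
}


def plan_errors(plan):
    """Rule violations for a plan (empty list when it can be turned into commands)."""
    errors = []
    mode = plan.get("mode")
    if mode not in ("endpoint-group", "legacy"):
        errors.append("mode must be 'endpoint-group' or 'legacy'")
    peer_cidrs = plan.get("peer_cidrs") or []
    if not peer_cidrs:
        errors.append("at least one peer CIDR is required")
    for cidr in peer_cidrs:
        try:
            ipaddress.ip_network(cidr)  # strict by default: 192.168.1.5/24 is rejected
        except ValueError:
            errors.append("invalid peer CIDR: %s" % cidr)
    local_subnets = plan.get("local_subnets") or []
    if not local_subnets:
        errors.append("at least one local subnet is required")
    elif mode == "legacy" and len(local_subnets) != 1:
        errors.append("the legacy path takes exactly one local subnet (--subnet); use endpoint groups for more")
    return errors


def _cmd(*parts):
    # shlex.quote keeps a PSK with shell metacharacters from being mangled if the line is pasted.
    return " ".join(shlex.quote(str(p)) for p in parts)


def build_vpn_commands(plan):
    """Return (commands, warnings): the 'openstack vpn ...' lines for the plan in the
    order they must run, plus non-fatal warnings. Raises ValueError on rule violations."""
    errors = plan_errors(plan)
    if errors:
        raise ValueError("; ".join(errors))
    warnings = []
    if len(plan["psk"]) < MIN_PSK_LEN:
        warnings.append("pre-shared key is shorter than %d characters" % MIN_PSK_LEN)
    commands = [
        _cmd("openstack", "vpn", "ike", "policy", "create", plan["ike_policy"]),
        _cmd("openstack", "vpn", "ipsec", "policy", "create", plan["ipsec_policy"]),
    ]
    service = ["openstack", "vpn", "service", "create", plan["service"], "--router", plan["router"]]
    conn = ["openstack", "vpn", "ipsec", "site", "connection", "create", plan["connection"],
            "--vpnservice", plan["service"], "--ikepolicy", plan["ike_policy"],
            "--ipsecpolicy", plan["ipsec_policy"], "--peer-address", plan["peer_address"],
            "--peer-id", plan["peer_id"], "--psk", plan["psk"]]
    if plan["mode"] == "endpoint-group":
        # No --subnet on the service: its absence is what enables multiple local subnets.
        local_group = plan.get("local_group", "ep_subnet")
        peer_group = plan.get("peer_group", "ep_cidr")
        local_eg = ["openstack", "vpn", "endpoint", "group", "create", local_group, "--type", "subnet"]
        for subnet in plan["local_subnets"]:
            local_eg += ["--value", subnet]  # local group type must be subnet
        peer_eg = ["openstack", "vpn", "endpoint", "group", "create", peer_group, "--type", "cidr"]
        for cidr in plan["peer_cidrs"]:
            peer_eg += ["--value", cidr]  # peer group type must be cidr
        commands += [_cmd(*service), _cmd(*local_eg), _cmd(*peer_eg)]
        conn += ["--local-endpoint-group", local_group, "--peer-endpoint-group", peer_group]
    else:
        service += ["--subnet", plan["local_subnets"][0]]  # required on the legacy path
        commands.append(_cmd(*service))
        for cidr in plan["peer_cidrs"]:
            conn += ["--peer-cidr", cidr]  # no endpoint groups on this path
    commands.append(_cmd(*conn))
    return commands, warnings


if __name__ == "__main__":
    for plan in (ENDPOINT_GROUP_PLAN, LEGACY_PLAN):
        commands, warnings = build_vpn_commands(plan)
        print("\n".join(commands))
        for warning in warnings:
            print("WARNING:", warning)
```

Both sample plans reproduce the command lines shown in the walkthroughs, and both trigger the PSK warning because the page's "secret" is six characters; the generator deliberately refuses a legacy plan with more than one local subnet instead of silently dropping subnets, since that is the case the endpoint-group path exists for.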