The following shows how to write this file manually:
cd /usr/share/openstack-dashboard/openstack_dashboard/enabled/
touch _7100_project_vpn_panel.py
The file contents are as follows:
[root@localhost enabled]# vim _7100_project_vpn_panel.py
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

# The slug of the panel to be added to HORIZON_CONFIG. Required.
PANEL = 'vpn'
# The slug of the dashboard the PANEL associated with. Required.
PANEL_DASHBOARD = 'project'
# The slug of the panel group the PANEL is associated with.
PANEL_GROUP = 'network'

# Python panel class of the PANEL to be added.
ADD_PANEL = 'neutron_vpnaas_dashboard.dashboards.project.vpn.panel.VPN'

ADD_INSTALLED_APPS = ["neutron_vpnaas_dashboard"]

4.1 vim /etc/neutron/neutron.conf
[DEFAULT]
service_plugins = router,vpnaas

4.2 vim /etc/neutron/neutron_vpnaas.conf
[service_providers]
service_provider = VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default

4.3 vim /etc/neutron/l3_agent.ini
[agent]
extensions = vpnaas
[vpnagent]
vpn_device_driver = neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver

4.4 Run neutron-db-manage --subproject neutron-vpnaas upgrade head

5. Restart the services
systemctl restart neutron-server
systemctl restart neutron-l3-agent
systemctl restart apache2
---------------------

Virtual Private Network-as-a-Service (VPNaaS)

Enabling VPNaaS
This section describes the settings for the reference implementation. Vendor plugins or drivers may have a different setup procedure and may provide their own manuals.
Enable the VPNaaS plug-in in the /etc/neutron/neutron.conf file by appending vpnaas to service_plugins in [DEFAULT]:
[DEFAULT]
# ...
service_plugins = vpnaas
Note
vpnaas is just an example from the reference implementation. The value depends on the plugin that you are going to use. Set a plugin suitable for your own deployment.
Configure the VPNaaS service provider by creating the /etc/neutron/neutron_vpnaas.conf file as follows (strongswan is used on Ubuntu):
[service_providers]
service_provider = VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
Note
There are several kinds of service drivers. Depending upon the Linux distribution, you may need to override this value. Select libreswan for RHEL/CentOS; the config will look like this: service_provider = VPN:openswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default. Use the appropriate one for your deployment.
Configure the VPNaaS plugin for the L3 agent by adding the following section to /etc/neutron/l3_agent.ini (StrongSwanDriver is used on Ubuntu):
[AGENT]
extensions = vpnaas
[vpnagent]
vpn_device_driver = neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver
Note
There are several kinds of device drivers. Depending upon the Linux distribution, you may need to override this value. Select LibreSwanDriver for RHEL/CentOS; the config will look like this: vpn_device_driver = neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver. Use the appropriate driver for your deployment.
Create the required tables in the database:
# neutron-db-manage --subproject neutron-vpnaas upgrade head
Note
In order to run the above command, you need to have the neutron-vpnaas package installed on the controller node.
Restart the neutron-server on the controller node to apply the settings.
Restart the neutron-l3-agent on the network node to apply the settings.

Using VPNaaS with endpoint group (recommended)
IPsec site-to-site connections will support multiple local subnets, in addition to the current multiple peer CIDRs. The multiple local subnet feature is triggered by not specifying a local subnet when creating a VPN service. Backwards compatibility is maintained with single local subnets by providing the subnet in the VPN service creation.
To support multiple local subnets, a new capability called "End Point Groups" has been added. Each endpoint group will define one or more endpoints of a specific type, and can be used to specify both local and peer endpoints for IPsec connections. The endpoint groups separate the "what gets connected" from the "how to connect" for a VPN service, and can be used for different flavors of VPN in the future.
Refer to Multiple Local Subnets for more detail.
Create the IKE policy, IPsec policy, VPN service, local endpoint group and peer endpoint group. Then, create an IPsec site connection that applies the above policies and service.
Create an IKE policy:
$ openstack vpn ike policy create ikepolicy
+-------------------------------+----------------------------------------+
| Field                         | Value                                  |
+-------------------------------+----------------------------------------+
| Authentication Algorithm      | sha1                                   |
| Description                   |                                        |
| Encryption Algorithm          | aes-128                                |
| ID                            | 735f4691-3670-43b2-b389-f4d81a60ed56   |
| IKE Version                   | v1                                     |
| Lifetime                      | {u'units': u'seconds', u'value': 3600} |
| Name                          | ikepolicy                              |
| Perfect Forward Secrecy (PFS) | group5                                 |
| Phase1 Negotiation Mode       | main                                   |
| Project                       | 095247cb2e22455b9850c6efff407584       |
| project_id                    | 095247cb2e22455b9850c6efff407584       |
+-------------------------------+----------------------------------------+
Create an IPsec policy:
$ openstack vpn ipsec policy create ipsecpolicy
+-------------------------------+----------------------------------------+
| Field                         | Value                                  |
+-------------------------------+----------------------------------------+
| Authentication Algorithm      | sha1                                   |
| Description                   |                                        |
| Encapsulation Mode            | tunnel                                 |
| Encryption Algorithm          | aes-128                                |
| ID                            | 4f3f46fc-f2dc-4811-a642-9601ebae310f   |
| Lifetime                      | {u'units': u'seconds', u'value': 3600} |
| Name                          | ipsecpolicy                            |
| Perfect Forward Secrecy (PFS) | group5                                 |
| Project                       | 095247cb2e22455b9850c6efff407584       |
| Transform Protocol            | esp                                    |
| project_id                    | 095247cb2e22455b9850c6efff407584       |
+-------------------------------+----------------------------------------+
Create a VPN service:
$ openstack vpn service create vpn \
  --router 9ff3f20c-314f-4dac-9392-defdbbb36a66
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| Description    |                                      |
| Flavor         | None                                 |
| ID             | 9f499f9f-f672-4ceb-be3c-d5ff3858c680 |
| Name           | vpn                                  |
| Project        | 095247cb2e22455b9850c6efff407584     |
| Router         | 9ff3f20c-314f-4dac-9392-defdbbb36a66 |
| State          | True                                 |
| Status         | PENDING_CREATE                       |
| Subnet         | None                                 |
| external_v4_ip | 192.168.20.7                         |
| external_v6_ip | 2001:db8::7                          |
| project_id     | 095247cb2e22455b9850c6efff407584     |
+----------------+--------------------------------------+
Note
Please do not specify --subnet option in this case.
The Networking openstackclient requires a router (Name or ID) and name.
Create local endpoint group:
$ openstack vpn endpoint group create ep_subnet \
  --type subnet \
  --value 1f888dd0-2066-42a1-83d7-56518895e47d
+-------------+-------------------------------------------+
| Field       | Value                                     |
+-------------+-------------------------------------------+
| Description |                                           |
| Endpoints   | [u'1f888dd0-2066-42a1-83d7-56518895e47d'] |
| ID          | 667296d0-67ca-4d0f-b676-7650cf96e7b1      |
| Name        | ep_subnet                                 |
| Project     | 095247cb2e22455b9850c6efff407584          |
| Type        | subnet                                    |
| project_id  | 095247cb2e22455b9850c6efff407584          |
+-------------+-------------------------------------------+
Note
The type of a local endpoint group must be subnet.
Create peer endpoint group:
$ openstack vpn endpoint group create ep_cidr \
  --type cidr \
  --value 192.168.1.0/24
+-------------+--------------------------------------+
| Field       | Value                                |
+-------------+--------------------------------------+
| Description |                                      |
| Endpoints   | [u'192.168.1.0/24']                  |
| ID          | 5c3d7f2a-4a2a-446b-9fcf-9a2557cfc641 |
| Name        | ep_cidr                              |
| Project     | 095247cb2e22455b9850c6efff407584     |
| Type        | cidr                                 |
| project_id  | 095247cb2e22455b9850c6efff407584     |
+-------------+--------------------------------------+
Note
The type of a peer endpoint group must be cidr.
Create an ipsec site connection:
$ openstack vpn ipsec site connection create conn \
  --vpnservice vpn \
  --ikepolicy ikepolicy \
  --ipsecpolicy ipsecpolicy \
  --peer-address 192.168.20.9 \
  --peer-id 192.168.20.9 \
  --psk secret \
  --local-endpoint-group ep_subnet \
  --peer-endpoint-group ep_cidr
+--------------------------+--------------------------------------------------------+
| Field                    | Value                                                  |
+--------------------------+--------------------------------------------------------+
| Authentication Algorithm | psk                                                    |
| Description              |                                                        |
| ID                       | 07e400b7-9de3-4ea3-a9d0-90a185e5b00d                   |
| IKE Policy               | 735f4691-3670-43b2-b389-f4d81a60ed56                   |
| IPSec Policy             | 4f3f46fc-f2dc-4811-a642-9601ebae310f                   |
| Initiator                | bi-directional                                         |
| Local Endpoint Group ID  | 667296d0-67ca-4d0f-b676-7650cf96e7b1                   |
| Local ID                 |                                                        |
| MTU                      | 1500                                                   |
| Name                     | conn                                                   |
| Peer Address             | 192.168.20.9                                           |
| Peer CIDRs               |                                                        |
| Peer Endpoint Group ID   | 5c3d7f2a-4a2a-446b-9fcf-9a2557cfc641                   |
| Peer ID                  | 192.168.20.9                                           |
| Pre-shared Key           | secret                                                 |
| Project                  | 095247cb2e22455b9850c6efff407584                       |
| Route Mode               | static                                                 |
| State                    | True                                                   |
| Status                   | PENDING_CREATE                                         |
| VPN Service              | 9f499f9f-f672-4ceb-be3c-d5ff3858c680                   |
| dpd                      | {u'action': u'hold', u'interval': 30, u'timeout': 120} |
| project_id               | 095247cb2e22455b9850c6efff407584                       |
+--------------------------+--------------------------------------------------------+
Note
Please do not specify --peer-cidr option in this case. Peer CIDR(s) are provided by a peer endpoint group.

Configure VPNaaS without endpoint group (the legacy way)
Create the IKE policy, IPsec policy, VPN service. Then, create an ipsec site connection that applies the above policies and service.
Create an IKE policy:
$ openstack vpn ike policy create ikepolicy1
+-------------------------------+----------------------------------------+
| Field                         | Value                                  |
+-------------------------------+----------------------------------------+
| Authentication Algorithm      | sha1                                   |
| Description                   |                                        |
| Encryption Algorithm          | aes-128                                |
| ID                            | 99e4345d-8674-4d73-acb4-0e2524425e34   |
| IKE Version                   | v1                                     |
| Lifetime                      | {u'units': u'seconds', u'value': 3600} |
| Name                          | ikepolicy1                             |
| Perfect Forward Secrecy (PFS) | group5                                 |
| Phase1 Negotiation Mode       | main                                   |
| Project                       | 095247cb2e22455b9850c6efff407584       |
| project_id                    | 095247cb2e22455b9850c6efff407584       |
+-------------------------------+----------------------------------------+
Create an IPsec policy:
$ openstack vpn ipsec policy create ipsecpolicy1
+-------------------------------+----------------------------------------+
| Field                         | Value                                  |
+-------------------------------+----------------------------------------+
| Authentication Algorithm      | sha1                                   |
| Description                   |                                        |
| Encapsulation Mode            | tunnel                                 |
| Encryption Algorithm          | aes-128                                |
| ID                            | e6f547af-4a1d-4c28-b40b-b97cce746459   |
| Lifetime                      | {u'units': u'seconds', u'value': 3600} |
| Name                          | ipsecpolicy1                           |
| Perfect Forward Secrecy (PFS) | group5                                 |
| Project                       | 095247cb2e22455b9850c6efff407584       |
| Transform Protocol            | esp                                    |
| project_id                    | 095247cb2e22455b9850c6efff407584       |
+-------------------------------+----------------------------------------+
Create a VPN service:
$ openstack vpn service create vpn \
  --router 66ca673a-cbbd-48b7-9fb6-bfa7ee3ef724 \
  --subnet cdfb411e-e818-466a-837c-7f96fc41a6d9
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| Description    |                                      |
| Flavor         | None                                 |
| ID             | 79ef6250-ddc3-428f-88c2-0ec8084f4e9a |
| Name           | vpn                                  |
| Project        | 095247cb2e22455b9850c6efff407584     |
| Router         | 66ca673a-cbbd-48b7-9fb6-bfa7ee3ef724 |
| State          | True                                 |
| Status         | PENDING_CREATE                       |
| Subnet         | cdfb411e-e818-466a-837c-7f96fc41a6d9 |
| external_v4_ip | 192.168.20.2                         |
| external_v6_ip | 2001:db8::d                          |
| project_id     | 095247cb2e22455b9850c6efff407584     |
+----------------+--------------------------------------+
Note
The --subnet option is required in this scenario.
Create an ipsec site connection:
$ openstack vpn ipsec site connection create conn \
  --vpnservice vpn \
  --ikepolicy ikepolicy1 \
  --ipsecpolicy ipsecpolicy1 \
  --peer-address 192.168.20.11 \
  --peer-id 192.168.20.11 \
  --peer-cidr 192.168.1.0/24 \
  --psk secret
+--------------------------+--------------------------------------------------------+
| Field                    | Value                                                  |
+--------------------------+--------------------------------------------------------+
| Authentication Algorithm | psk                                                    |
| Description              |                                                        |
| ID                       | 5b2935e6-b2f0-423a-8156-07ed48703d13                   |
| IKE Policy               | 99e4345d-8674-4d73-acb4-0e2524425e34                   |
| IPSec Policy             | e6f547af-4a1d-4c28-b40b-b97cce746459                   |
| Initiator                | bi-directional                                         |
| Local Endpoint Group ID  | None                                                   |
| Local ID                 |                                                        |
| MTU                      | 1500                                                   |
| Name                     | conn                                                   |
| Peer Address             | 192.168.20.11                                          |
| Peer CIDRs               | 192.168.1.0/24                                         |
| Peer Endpoint Group ID   | None                                                   |
| Peer ID                  | 192.168.20.11                                          |
| Pre-shared Key           | secret                                                 |
| Project                  | 095247cb2e22455b9850c6efff407584                       |
| Route Mode               | static                                                 |
| State                    | True                                                   |
| Status                   | PENDING_CREATE                                         |
| VPN Service              | 79ef6250-ddc3-428f-88c2-0ec8084f4e9a                   |
| dpd                      | {u'action': u'hold', u'interval': 30, u'timeout': 120} |
| project_id               | 095247cb2e22455b9850c6efff407584                       |
+--------------------------+--------------------------------------------------------+
Note
Please do not specify --local-endpoint-group and --peer-endpoint-group options in this case.
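
As an added example (not part of the original post or of the OpenStack documentation it quotes): a Python check over the objects created in both walkthroughs above, flagging the CLI defaults the tables show (sha1, IKE v1, group5), the `secret` pre-shared key, and any mixing of the endpoint-group and legacy styles that the notes rule out. The dictionary keys follow the Field column of the tables, the sample data is constructed from the page's values, and the baseline (no SHA-1, PFS of at least group14, a pre-shared key of 20 or more characters) is this example's own assumption.

```python
import json

# Baseline for this example (an assumption, not taken from the page).
WEAK_AUTH = {"sha1"}
WEAK_PFS = {"group2", "group5"}  # MODP groups below 2048 bits
MIN_PSK_LEN = 20

# Constructed sample: values from the endpoint-group walkthrough above,
# keyed by the "Field" column of the CLI tables.
SAMPLE = json.loads("""
{
  "ike":     {"Name": "ikepolicy", "Authentication Algorithm": "sha1",
              "IKE Version": "v1", "Perfect Forward Secrecy (PFS)": "group5"},
  "ipsec":   {"Name": "ipsecpolicy", "Authentication Algorithm": "sha1",
              "Perfect Forward Secrecy (PFS)": "group5"},
  "service": {"Name": "vpn", "Subnet": null},
  "conn":    {"Name": "conn", "Pre-shared Key": "secret", "Peer CIDRs": "",
              "Local Endpoint Group ID": "667296d0-67ca-4d0f-b676-7650cf96e7b1",
              "Peer Endpoint Group ID": "5c3d7f2a-4a2a-446b-9fcf-9a2557cfc641"}
}
""")


def is_set(value):
    """The CLI tables show unset fields as blank or None."""
    return value not in (None, "", "None", [])


def audit_policy(policy):
    """Findings for one IKE or IPsec policy."""
    name, out = policy.get("Name", "?"), []
    if policy.get("Authentication Algorithm") in WEAK_AUTH:
        out.append(f"{name}: SHA-1 authentication")
    pfs = policy.get("Perfect Forward Secrecy (PFS)")
    if pfs in WEAK_PFS:
        out.append(f"{name}: PFS {pfs} is below group14")
    if policy.get("IKE Version") == "v1":  # field exists on IKE policies only
        out.append(f"{name}: IKE v1")
    return out


def audit_connection(conn, service):
    """PSK length, plus the page's notes on not mixing the two styles."""
    name, out = conn.get("Name", "?"), []
    if len(conn.get("Pre-shared Key") or "") < MIN_PSK_LEN:
        out.append(f"{name}: pre-shared key under {MIN_PSK_LEN} characters")
    groups = is_set(conn.get("Local Endpoint Group ID")) or is_set(
        conn.get("Peer Endpoint Group ID"))
    if groups and is_set(service.get("Subnet")):
        out.append(f"{name}: endpoint groups used but VPN service has a subnet")
    if groups and is_set(conn.get("Peer CIDRs")):
        out.append(f"{name}: endpoint groups used together with peer CIDRs")
    if not groups and not is_set(service.get("Subnet")):
        out.append(f"{name}: legacy style but VPN service has no subnet")
    return out


def audit(bundle):
    """All findings for one IKE policy, IPsec policy, service and connection."""
    return (audit_policy(bundle["ike"]) + audit_policy(bundle["ipsec"])
            + audit_connection(bundle["conn"], bundle["service"]))


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING", finding)
```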