Marica Antonacci edited this page Jun 27, 2014 · 34 revisions

VPN as a Service

Installation

# apt-get install openswan neutron-plugin-vpn-agent

Configuration

  1. Create file /etc/neutron/rootwrap.d/vpnaas.filters

     # cat > /etc/neutron/rootwrap.d/vpnaas.filters << EOF
     [Filters]
     
     ip: IpFilter, ip, root
     ip_exec: IpNetnsExecFilter, ip, root
     openswan: CommandFilter, ipsec, root
     
     EOF
    
  2. Create file /etc/neutron/vpn_agent.ini:

     # cat > /etc/neutron/vpn_agent.ini << EOF
     [DEFAULT]
     interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
     
     [vpnagent]
     vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver
     
     [ipsec]
     ipsec_status_check_interval=60
     
     EOF
    
  3. Add the plugin to neutron.conf:

     service_plugins = router,firewall,vpnaas

  4. Add the vpn service provider (alongside any already present for other services) to /etc/neutron/neutron.conf:

     [service_providers]
     service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
     service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
    

[Note]: there seems to be a dependency between vpnaas and firewall, so both must be set.

  5. Restart the neutron services.

     # cd /etc/init.d
     # for s in neutron-*; do service "$s" restart; done
    
  6. Finally, to enable the VPN panel in Horizon, edit the file /etc/openstack-dashboard/local_settings.py:

     OPENSTACK_NEUTRON_NETWORK = {
      ...
     'enable_vpn': True,
     ...
     }
    

    Restart apache2:

     # service apache2 restart
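As an added example (not part of the original wiki page), a small check that a neutron.conf matches the configuration steps above: vpnaas listed in service_plugins, a VPN entry under [service_providers], and, per the note that vpnaas depends on firewall, the firewall plugin and provider present too. The sample configuration is constructed to mirror the steps; the parser is hand-written because the repeated service_provider key would be collapsed by configparser.

```python
import re

# Constructed sample that follows the configuration steps above.
SAMPLE_CONF = """[DEFAULT]
service_plugins = router,firewall,vpnaas

[service_providers]
service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
"""


def parse_sections(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys in order.

    configparser is avoided on purpose: [service_providers] repeats the key
    service_provider, and configparser would keep only the last occurrence.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].append((key, value))
    return sections


def check_vpnaas(text):
    """Return a list of problems; an empty list means VPNaaS is wired up as above."""
    sections = parse_sections(text)
    problems = []
    plugin_values = [v for k, v in sections.get("DEFAULT", []) if k == "service_plugins"]
    plugins = {p.strip() for p in plugin_values[-1].split(",")} if plugin_values else set()
    if "vpnaas" not in plugins:
        problems.append("service_plugins does not include vpnaas")
    elif "firewall" not in plugins:
        problems.append("vpnaas is enabled without firewall in service_plugins")
    providers = [v for k, v in sections.get("service_providers", []) if k == "service_provider"]
    services = {p.split(":", 1)[0] for p in providers}
    if "VPN" not in services:
        problems.append("no VPN entry under [service_providers]")
    if "vpnaas" in plugins and "FIREWALL" not in services:
        problems.append("no FIREWALL entry under [service_providers]")
    return problems
```

Run check_vpnaas() on the contents of your own /etc/neutron/neutron.conf before restarting the services.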
    

Usage

In the example that will be shown in this document there will be one tenant at each site with one instance running within each tenant. A complete VPNaaS deployment requires an IKE Policy, IPSec Policy, VPN Service and an IPSec Site Connection. The steps for creating the VPNaaS policy are as follows:

  • Step 1: Create an IKE Policy. From the "VPN" object under "Manage Network" in the Dashboard sidebar, select "Add IKE Policy" from the "IKE Policies" tab. In the example shown in the following figure, the IKE Policy has the following settings:

    • Name = ike_pol_1
    • Leave all other settings at their defaults

    (figure: ike_policy)

  • Step 2: Create an IPSec Policy. From the "VPN" object under "Manage Network" in the Dashboard sidebar, select "Add IPSec Policy" from the "IPSec Policies" tab. In the example shown in the following figure, the IPSec Policy has the following settings:

    • Name = ipsec_pol_1
    • Leave all other settings at their defaults

    (figure: ike_policy)

  • Step 3: Create a VPN Service. From the "VPN" object under "Manage Network" in the Dashboard sidebar, select "Add VPN Service" from the "VPN Services" tab. In the example shown in the next figure, the VPN Service has the following settings:

    • Name = vpn_service_1
    • Router = os-router-1
    • Subnet = 10.10.10.0/24 # the private subnet range

    (figure: ike_policy)

  • Step 4: Gather Neutron Router Information. From the "Routers" object under "Manage Network" in the Dashboard sidebar, select the router name you created. Once you select the router name you will see a list of "Interfaces" in the "Router Overview" screen. In the example shown here, the "Fixed IP Address" associated with the External Gateway is the address that you need to know for the "IPSec Site Connections" configuration. The subnet range for the private subnet also needs to be known before entering the IPSec Site Connection configuration:

    (figure: ike_policy)

    Do this on both site nodes.

  • Step 5: Create an IPSec Site Connection. From the "VPN" object under "Manage Network" in the Dashboard sidebar, select "Add IPSec Site Connection" from the "IPSec Site Connections" tab. In the example shown here, the IPSec Site Connection has the following settings:

    • Name = site1-to-site2
    • VPN Service associated with this connection = vpn_service_1 # This is the VPN service name you created in Step 3
    • IKE Policy associated with this connection = ike_pol_1 # This is the IKE Policy name you created in Step 1
    • IPSec Policy associated with this connection = ipsec_pol_1 # This is the IPSec Policy name you created in Step 2
    • Peer gateway public IPv4/IPv6 Address or FQDN = 192.168.82.10 # This is the remote site's router public IP address that you noted in Step 4
    • Peer router identity or authentication (Peer ID) = 192.168.82.10 # This is the remote site's router public IP address, email, key id or FQDN
    • Remote peer subnet = 10.10.20.0/24 # This is the remote site's private subnet that this IPSec connection will allow VPN access to. This information was gathered in Step 4
    • Pre-Shared Key (PSK) string = cisco123 # Set your own PSK. Note: A future version of VPNaaS will support certificates

    (figure: ike_policy)

  • Step 6: Reproduce Steps 1-5 at the Second Site. Go through all of the steps from above at the second site and use the IP addresses and Peer information based on the topology shown previously.

  • Step 7: Launch an Instance at Each Site. Using the Dashboard or CLI, launch an instance at each site. Once each instance is running at each site, log in to one instance and check connectivity to the instance at the far site.
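As an added example (not part of the original wiki page), the two ends of the site-to-site connection from Steps 1-6 described once, with a check that they mirror each other (the peer address is the other site's router external IP from Step 4, the peer CIDR is the other site's private subnet, and the private subnets must not overlap) and the neutron CLI calls equivalent to the dashboard steps. The command names and flags are assumed to be those of the neutron client of that era; site2's gateway IP and subnet are the page's Step 5 values, while site1's gateway IP, the second router and the subnet names are constructed.

```python
import ipaddress

# Constructed topology. site2's gateway IP and subnet are the values the page
# uses as the remote peer in Step 5; site1's gateway IP, os-router-2 and the
# subnet names are made up for this example.
SITES = {
    "site1": {"router": "os-router-1", "subnet_name": "private-1",
              "subnet": "10.10.10.0/24", "gateway_ip": "192.168.82.20"},
    "site2": {"router": "os-router-2", "subnet_name": "private-2",
              "subnet": "10.10.20.0/24", "gateway_ip": "192.168.82.10"},
}
PSK = "cisco123"  # the page's example PSK; both sites must use the same one


def check_sites(sites):
    """Return problems that would keep the site-to-site tunnel from coming up."""
    assert len(sites) == 2, "a site-to-site connection has exactly two ends"
    problems = []
    nets = {name: ipaddress.ip_network(s["subnet"]) for name, s in sites.items()}
    (a, net_a), (b, net_b) = nets.items()
    if net_a.overlaps(net_b):
        # With overlapping private subnets traffic cannot be routed into the tunnel.
        problems.append(f"private subnets of {a} and {b} overlap: {net_a} / {net_b}")
    for name, s in sites.items():
        gw = ipaddress.ip_address(s["gateway_ip"])  # raises on a malformed address
        if gw in nets[name]:
            problems.append(f"{name}: external gateway {gw} lies inside its own private subnet")
    return problems


def site_commands(local, sites, psk):
    """neutron CLI equivalent of Steps 1-5 for one site, peering with the other."""
    (remote,) = [name for name in sites if name != local]
    s, r = sites[local], sites[remote]
    return [
        "neutron vpn-ikepolicy-create --name ike_pol_1",
        "neutron vpn-ipsecpolicy-create --name ipsec_pol_1",
        f"neutron vpn-service-create --name vpn_service_1 {s['router']} {s['subnet_name']}",
        # Peer address/id = other site's external gateway, peer CIDR = its private subnet.
        f"neutron ipsec-site-connection-create --name {local}-to-{remote} "
        "--vpnservice-id vpn_service_1 --ikepolicy-id ike_pol_1 --ipsecpolicy-id ipsec_pol_1 "
        f"--peer-address {r['gateway_ip']} --peer-id {r['gateway_ip']} "
        f"--peer-cidr {r['subnet']} --psk {psk}",
    ]
```

Print site_commands("site1", SITES, PSK) and site_commands("site2", SITES, PSK) after check_sites(SITES) returns no problems; each list is run at the corresponding site.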
