Virtual Private Network-as-a-Service (VPNaaS) scenario

Enabling VPNaaS

This section describes the setting for the reference implementation. Vendor plugins or drivers can have different setup procedure and perhaps they provide their version of manuals.

  1. Enable the VPNaaS plug-in in the /etc/neutron/neutron.conf file by appending vpnaas to service_plugins in [DEFAULT]:

    [DEFAULT]
    # ...
    service_plugins = vpnaas
    

    Note

    vpnaas is just example of reference implementation. It depends on a plugin that you are going to use. Consider to set suitable plugin for your own deployment.

  2. Configure the VPNaaS service provider by creating the /etc/neutron/neutron_vpnaas.conf file as follows, strongswan used in Ubuntu distribution:

    [service_providers]
    service_provider = VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
    

    Note

    There are several kinds of service drivers. Depending upon the Linux distribution, you may need to override this value. Select libreswan for RHEL/CentOS, the config will like this: service_provider = VPN:openswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default. Consider to use the appropriate one for your deployment.

  3. Configure the VPNaaS plugin for the L3 agent by adding to /etc/neutron/l3_agent.ini the following section, StrongSwanDriver used in Ubuntu distribution:

    [AGENT]
    extensions = vpnaas
    
    [vpnagent]
    vpn_device_driver = neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver
    

    Note

    There are several kinds of device drivers. Depending upon the Linux distribution, you may need to override this value. Select LibreSwanDriver for RHEL/CentOS, the config will like this: vpn_device_driver = neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver. Consider to use the appropriate drivers for your deployment.

  4. Create the required tables in the database:

    # neutron-db-manage --subproject neutron-vpnaas upgrade head
    

    Note

    In order to run the above command, you need to have neutron-vpnaas package installed on controller node.

  5. Restart the neutron-server in controller node to apply the settings.

  6. Restart the neutron-l3-agent in network node to apply the settings.

Configure VPNaaS without endpoint group (the legacy way)

Create the IKE policy, IPsec policy, VPN service. Then, create an ipsec site connection that applies the above policies and service.

  1. Create an IKE policy:

    $ openstack vpn ike policy create ikepolicy1
      +-------------------------------+----------------------------------------+
      | Field                         | Value                                  |
      +-------------------------------+----------------------------------------+
      | Authentication Algorithm      | sha1                                   |
      | Description                   |                                        |
      | Encryption Algorithm          | aes-128                                |
      | ID                            | 99e4345d-8674-4d73-acb4-0e2524425e34   |
      | IKE Version                   | v1                                     |
      | Lifetime                      | {u'units': u'seconds', u'value': 3600} |
      | Name                          | ikepolicy1                             |
      | Perfect Forward Secrecy (PFS) | group5                                 |
      | Phase1 Negotiation Mode       | main                                   |
      | Project                       | 095247cb2e22455b9850c6efff407584       |
      | project_id                    | 095247cb2e22455b9850c6efff407584       |
      +-------------------------------+----------------------------------------+
    
  2. Create an IPsec policy:

    $ openstack vpn ipsec policy create ipsecpolicy1
      +-------------------------------+----------------------------------------+
      | Field                         | Value                                  |
      +-------------------------------+----------------------------------------+
      | Authentication Algorithm      | sha1                                   |
      | Description                   |                                        |
      | Encapsulation Mode            | tunnel                                 |
      | Encryption Algorithm          | aes-128                                |
      | ID                            | e6f547af-4a1d-4c28-b40b-b97cce746459   |
      | Lifetime                      | {u'units': u'seconds', u'value': 3600} |
      | Name                          | ipsecpolicy1                           |
      | Perfect Forward Secrecy (PFS) | group5                                 |
      | Project                       | 095247cb2e22455b9850c6efff407584       |
      | Transform Protocol            | esp                                    |
      | project_id                    | 095247cb2e22455b9850c6efff407584       |
      +-------------------------------+----------------------------------------+
    
  3. Create a VPN service:

    $ openstack vpn service create vpn \
      --router 66ca673a-cbbd-48b7-9fb6-bfa7ee3ef724 \
      --subnet cdfb411e-e818-466a-837c-7f96fc41a6d9
      +----------------+--------------------------------------+
      | Field          | Value                                |
      +----------------+--------------------------------------+
      | Description    |                                      |
      | Flavor         | None                                 |
      | ID             | 79ef6250-ddc3-428f-88c2-0ec8084f4e9a |
      | Name           | vpn                                  |
      | Project        | 095247cb2e22455b9850c6efff407584     |
      | Router         | 66ca673a-cbbd-48b7-9fb6-bfa7ee3ef724 |
      | State          | True                                 |
      | Status         | PENDING_CREATE                       |
      | Subnet         | cdfb411e-e818-466a-837c-7f96fc41a6d9 |
      | external_v4_ip | 192.168.20.2                         |
      | external_v6_ip | 2001:db8::d                          |
      | project_id     | 095247cb2e22455b9850c6efff407584     |
      +----------------+--------------------------------------+
    

    Note

    The --subnet option is required in this scenario.

  4. Create an ipsec site connection:

    $ openstack vpn ipsec site connection create conn \
      --vpnservice vpn \
      --ikepolicy ikepolicy1 \
      --ipsecpolicy ipsecpolicy1 \
      --peer-address 192.168.20.11 \
      --peer-id 192.168.20.11 \
      --peer-cidr 192.168.1.0/24 \
      --psk secret
      +--------------------------+--------------------------------------------------------+
      | Field                    | Value                                                  |
      +--------------------------+--------------------------------------------------------+
      | Authentication Algorithm | psk                                                    |
      | Description              |                                                        |
      | ID                       | 5b2935e6-b2f0-423a-8156-07ed48703d13                   |
      | IKE Policy               | 99e4345d-8674-4d73-acb4-0e2524425e34                   |
      | IPSec Policy             | e6f547af-4a1d-4c28-b40b-b97cce746459                   |
      | Initiator                | bi-directional                                         |
      | Local Endpoint Group ID  | None                                                   |
      | Local ID                 |                                                        |
      | MTU                      | 1500                                                   |
      | Name                     | conn                                                   |
      | Peer Address             | 192.168.20.11                                          |
      | Peer CIDRs               | 192.168.1.0/24                                         |
      | Peer Endpoint Group ID   | None                                                   |
      | Peer ID                  | 192.168.20.11                                          |
      | Pre-shared Key           | secret                                                 |
      | Project                  | 095247cb2e22455b9850c6efff407584                       |
      | Route Mode               | static                                                 |
      | State                    | True                                                   |
      | Status                   | PENDING_CREATE                                         |
      | VPN Service              | 79ef6250-ddc3-428f-88c2-0ec8084f4e9a                   |
      | dpd                      | {u'action': u'hold', u'interval': 30, u'timeout': 120} |
      | project_id               | 095247cb2e22455b9850c6efff407584                       |
      +--------------------------+--------------------------------------------------------+
    

    Note

    Please do not specify --local-endpoint-group and --peer-endpoint-group options in this case.