OpenStack/sandbox/Juno Plus Install and Setup of Cloud Services Router(CSR) for OpenStack VPN

From DocWiki


This guide provides instructions on setting up a Cloud Service Router (CSR) to provide site-to-site secure VPN (IPSec VPNaaS) for an OpenStack cloud computing environment. The setup described here uses the Cisco Juno+ OpenStack repository. To use the community Juno or Icehouse release, see Install_and_Setup_of_Cisco_Cloud_Services_Router_(CSR)_for_OpenStack_VPN#Step_2:_CSR_Preparation.

The guide describes in detail how to set up one of the two sites for the IPSec site-to-site VPN connectivity. The guide then briefly describes how to set up the destination site using the same procedure with different IPs.

Note: These instructions use DevStack as a way to start OpenStack. The same procedures can be applied, with some modifications, to a conventional OpenStack deployment.

You can follow these instructions to create a complete site-to-site connection with two clouds using CSRs. Alternately, you can employ the reference OpenStack VPN implementation or a compatible virtual or physical VPN device for the other end of the site-to-site VPN connection.

The OpenStack VPNaaS feature is an experimental release, and APIs may change in the future. The Cisco VPNaaS implementation requires a Cisco CSR and Nexus 1000V (N1kV). Contact Cisco Sales for more information on these products.

Note: This software is provided "as is," and in no event does Cisco warrant that the software is error free or that customer will be able to operate the software without problems or interruptions.


Audience

This page is written for a technical audience. You should be familiar with OpenStack, particularly the compute (Nova) and networking (Neutron) components. In addition, it is assumed that:

  • You have a basic understanding of how to start up DevStack (http://devstack.org/).
  • You know how to configure an OpenStack VPN using either Horizon or the Neutron client.

Prerequisites

You must have the following resources available in order to set up an OpenStack cloud for VPN operation with CSR:

  • A CSR 3.13 .qcow2 image.
  • CSR licenses (one per endpoint; contact Cisco Sales).
  • The latest N1kV .iso and .deb images.
  • Access to the Cisco Juno+ Devstack repository.
  • Access to the community Kilo or Cisco Juno+ repo for OpenStack projects.
  • Adequate hardware (CPU and memory) for running OpenStack with CSR images. See the Cisco CSR 1000V Cloud Services Router Software Configuration Guide.
  • Connectivity to another OpenStack cloud or compatible IPSec VPN site-to-site device (virtual or physical). Alternatively, connectivity to another node on which to set up a second DevStack cloud as described in this guide.
  • Ubuntu Server 14.04 LTS 64 bit (Trusty), with all current updates, on your DevStack host(s). Using a different operating system is possible, but these instructions assume you are using Ubuntu Trusty.

Topology Overview

In the example configuration, the network's physical topology appears as follows:

Physical Topology of the Network

There are two Cisco UCS systems, both of which host an OpenStack (using DevStack) cloud for the site-to-site VPN endpoints. A physical connection between the two nodes is used for the "public" network (172.32.1.0/24). Traffic between the private networks (10.1.0.0/24 and 10.2.0.0/24) is encrypted. In the example setup, the physical switch used for the public network has its interfaces set up as trunk ports, configured to allow VLAN 321.

There is an internal sub-network on each node (10.0.32.0/24 and 10.0.33.0/24) for management of the CSR during operation, and another network (192.168.200.0/24) for setup of the clouds.

Note: Internally, OpenStack uses 192.168.168.2 to communicate with the N1kV that is created (configured with Q_CISCO_PLUGIN_VSM_IP in the localrc file).

The first cloud (running on the devstack-32 host) has the following topology:

Topology of Cloud 1

Note: The IPs and hostnames in this guide are examples only. Substitute your own IPs and hostnames when building your VPN.

The other host, on devstack-33, has the following topology:

Topology of Cloud 2

Note the following information in these diagrams:

  • The public and private subnets used for the CSR
  • The physical ethernet interfaces on each node

Procedure

Note: IP addresses used in this guide are examples only. Substitute your own network information when installing and configuring your system.

Step 1: Obtaining DevStack

Download the DevStack code from the cisco-openstack repo and the OpenStack code from the Cisco Juno+ repo. The Cisco Juno+ code has additional scripts to help you set up a CSR router and an N1kV switch.

To obtain the code, enter the following:

cd 
git clone -b csr1kv_for_routing_juno_minimal https://github.com/CiscoSystems/devstack.git

Step 2: Preparing Your Environment

Step 2a: Download the CSR Image

Download your CSR .qcow2 image into the ~/csr/3.13/ directory.

Step 2b: Download the Nexus 1000V Images

Download the N1kV .iso and .dmg images into the ~/n1kv/ directory.

Step 2c (optional): Disable the Firewall

If you use a firewall and have a proxy server, you may have to disable the proxy for the local nodes, the public subnet, the private subnet, the CSR management IPs, the N1kV (192.168.168.2), and the L3 config agent (10.0.32.2). Enter the following commands in the same terminal window where DevStack will be run. You might also want to put them in your .bashrc so the proxy is disabled whenever you start your shell.

printf -v lan '%s,' 192.168.200.{2..3};
printf -v public '%s,' 172.32.1.{10,11,12,13,20,21,22,23};
printf -v private '%s,' 10.1.0.{1..10};
printf -v admin_ips '%s,' 10.0.32.{10..19};
export no_proxy="cisco.com,${lan%,},${public%,},${private%,},${admin_ips%,},192.168.168.2,10.0.32.2";

Note: Replace the IPs in the example (10.0.32.*, 172.32.1.*, 10.1.0.*, 192.168.200.*) with the ones that apply for your system.

Step 3: Configuring DevStack

On the devstack-32 host, configure the following attributes in your localrc file as shown in the example below. (The example values used in this guide are given in parentheses. Substitute your own values.)

  • Local (FIXED_RANGE) network (In the example, 10.1.0.0/24, with the router [GW] using 10.1.0.1)
  • Public gateway (GW) (172.32.1.10 on the 172.32.1.0/24 public network)
  • Set of floating IPs reserved on the public network (in the range 172.32.1.11 to 172.32.1.19)
  • Allocated IPs for management interfaces for CSRs (10.0.32.10 to 10.0.32.254; the L3 config agent uses 10.0.32.2).
  • The public network interface (eth3)
  • VLAN range for use by the N1kV (320-339)

Here is a link to an example localrc file using the above information.

In the localrc file, set your password for services, MySQL, and the VSM (N1kV). Use the filename for the CSR and N1kV images that were downloaded in the previous step.

Note: This localrc file enables the ciscocfgagent and q-ciscorouter services, which are required by the cisco_vpn service (also enabled). The cisco_vpn service runs the q-vpn service using Cisco service and device drivers and does not use the q-l3 service (ciscocfgagent and q-ciscorouter are used instead).

Note: The N1kV VM is created when the stack.sh script is run, and 192.168.168.2 (as specified in localrc) is used to communicate with the N1kV. A VLAN range is configured for the N1kV and it uses the second entry in the range for the external subnet interfaces. In this example the range is 320-339 and the public network uses VLAN 321, which is why the physical switch between clouds must be configured with this VLAN allowed.

To install a fixed (stable) Juno version with updates for an integrated VPN/L3 router plugin, add the lines below to localrc. To use the latest (and changing) Kilo development code for OpenStack projects, omit the lines:

# Networking Service
NEUTRON_REPO=${GIT_BASE}/cisco-openstack/neutron.git
NEUTRON_BRANCH=stable/junoplus

# The following will be picked up from the community 'openstack' area
# Compute service
NOVA_BRANCH=stable/juno

# Volume Service
CINDER_BRANCH=stable/juno

# Image Service
GLANCE_BRANCH=stable/juno

# Web UI (Dashboard)
HORIZON_BRANCH=stable/juno

# Auth Services
KEYSTONE_BRANCH=stable/juno

# Any others desired...

Step 4: Starting OpenStack

Step 4a: Run the stack Script

Start DevStack. Enter:

cd ~/devstack
./stack.sh

The script takes several minutes to run.

Step 4b: Modify localrc

Once everything is installed and running, you do not need to clone the repositories again when you rerun the script, and you can save time by skipping that step. Modify the localrc file to disable RECLONE:

# RECLONE=yes
RECLONE=No

Step 4c: Start Some VMs

You need at least one VM per node to test the VPN. Create one or more VMs using Horizon or the component CLI interface.

The following script creates two VMs of different types. If you save the script, rename it for the node you are working on.

cat << EOT | tee build-vms.32
source ~/devstack/openrc admin admin
glance image-update cirros-0.3.3-x86_64-uec --property hw_vif_model=e1000

source ~/devstack/openrc admin demo
PRIVATE_NET=\`neutron net-list | grep private | cut -f 2 -d'|' | cut -f 2 -d' '\`

nova boot --flavor 1 --image cirros-0.3.3-x86_64-uec --nic net-id=\$PRIVATE_NET peter
nova boot --flavor 3 --image ubuntu-14.04-server-cloudimg-amd64 --user-data \$HOME/devstack/user_data.txt --nic net-id=\$PRIVATE_NET paul
EOT

chmod 755 build-vms.32

cat << EOT | tee user_data.txt
#cloud-config
password: cisco1
chpasswd: { expire: false}
ssh_pwauth: true
EOT

./build-vms.32

This script creates a Cirros and an Ubuntu VM on the private subnet (10.1.0.0/24). Use Horizon or the nova list command to see what IPs were assigned to each VM.

Step 5: Setting up the other host

Set up the other host as described in steps 1 to 4, with the following differences:

Step 1

No changes.

Step 2

Step 2a

No changes.

Step 2b

No changes.

Step 2c

Use the proxy information for the second host. For example:

printf -v lan '%s,' 192.168.200.{2..3};
printf -v public '%s,' 172.32.1.{10,11,12,13,20,21,22,23};
printf -v private '%s,' 10.2.0.{1..10};
printf -v admin_ips '%s,' 10.0.33.{10..19};
export no_proxy="cisco.com,${lan%,},${public%,},${private%,},${admin_ips%,},192.168.168.2,10.0.33.2";
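The two no_proxy lists above (Step 2c for devstack-32 and this one for devstack-33) enumerate individual addresses because curl, git and most other tools match no_proxy entries literally and do not understand CIDR notation. The following added example (not part of the wiki page) wraps that construction in a function keyed by site and adds a membership check, so you can confirm before running stack.sh that a given CSR management address is actually exempted. Note that the lists cover only 10.0.32.10-19 / 10.0.33.10-19, while Step 3 allocates management IPs up to .254; the check makes that gap visible. The site-to-prefix mapping follows the example topology and is an assumption for any other deployment.

```bash
#!/bin/bash
# Added example, not from the wiki: builds the no_proxy list as Step 2c does
# and checks whether a host is exempted. Most tools match no_proxy entries
# literally (no CIDR), which is why every address is spelled out.

# build_no_proxy SITE -> prints the list for devstack-<SITE> (32 or 33).
# The private and management prefixes follow the example topology (assumption).
build_no_proxy() {
    local site=$1 private_prefix mgmt_prefix lan public private admin_ips
    case "$site" in
        32) private_prefix=10.1.0 ; mgmt_prefix=10.0.32 ;;
        33) private_prefix=10.2.0 ; mgmt_prefix=10.0.33 ;;
        *)  echo "unknown site: $site" >&2 ; return 1 ;;
    esac
    printf -v lan '%s,' 192.168.200.{2..3}
    printf -v public '%s,' 172.32.1.{10,11,12,13,20,21,22,23}
    # printf reuses the format for each expanded value, giving "10.1.0.1,10.1.0.2,..."
    printf -v private "${private_prefix}.%s," {1..10}
    printf -v admin_ips "${mgmt_prefix}.%s," {10..19}
    # trailing comma stripped from each group, then the N1kV and the L3 config agent
    printf '%s' "cisco.com,${lan%,},${public%,},${private%,},${admin_ips%,},192.168.168.2,${mgmt_prefix}.2"
}

# no_proxy_covers HOST LIST -> exit 0 if HOST is an exact entry in the comma list
no_proxy_covers() {
    local host=$1 list=$2 entry
    local IFS=','
    for entry in $list; do
        [ "$entry" = "$host" ] && return 0
    done
    return 1
}

# Usage: export the list for this site, then check an address you care about
export no_proxy="$(build_no_proxy 32)"
if no_proxy_covers 10.0.32.20 "$no_proxy"; then
    echo "10.0.32.20 bypasses the proxy"
else
    echo "10.0.32.20 is NOT in no_proxy; extend the admin_ips range if a CSR gets that address"
fi
```

Run it with `33` instead of `32` on the second host; the only differences are the private and management prefixes, exactly as in the two snippets on this page.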

Step 3

Configure the second host, devstack-33, with its own attributes. In this example:

  • Local network (FIXED_RANGE) is 10.2.0.0/24 with router (GW) using 10.2.0.1
  • Public GW is at 172.24.4.20 on the 172.24.4.0/24 public network.
  • Set of floating IPs reserved on the public network is in the range 172.24.4.21 to 172.24.4.29
  • Use eth5 for the public network interface, and eth4 for the host admin network.
  • Use the cisco_vpn_agent.ini file via the Q_VPN_EXTRA_CONF_FILES

Here is a link to an example localrc file using the above information.
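Because the example localrc files linked from Step 3 and from this step are not reproduced on the page, here is an added example (not the wiki's own localrc) that renders one per site from the attributes the two steps list, so the devstack-32 and devstack-33 files differ only in the arguments passed. The variable names are the standard DevStack ones (FIXED_RANGE, NETWORK_GATEWAY, FLOATING_RANGE, PUBLIC_NETWORK_GATEWAY, Q_FLOATING_ALLOCATION_POOL, PUBLIC_INTERFACE, RECLONE) plus the service and VSM names given on this page; Q_PLUGIN=cisco is an assumption, and the Cisco-plugin variables for the CSR management range, the N1kV VLAN range and the image file names are not named on the page, so they are left as a comment for you to fill in from the plugin documentation.

```bash
#!/bin/bash
# Added example, not the wiki's localrc: renders a per-site localrc from the
# Step 3 / Step 5 attributes. Standard DevStack variable names except where
# marked as assumptions; passwords are placeholders you must replace.

# render_localrc SITE FIXED_RANGE NETWORK_GW PUBLIC_GW FLOAT_START FLOAT_END PUBLIC_IF
render_localrc() {
    local site=$1 fixed_range=$2 net_gw=$3 public_gw=$4 \
          float_start=$5 float_end=$6 public_if=$7
    # The public network is a /24 containing the public gateway (as in the example topology)
    local public_net="${public_gw%.*}.0/24"
    cat <<EOF
# localrc for devstack-${site} (rendered; replace CHANGE_ME before use)
ADMIN_PASSWORD=CHANGE_ME
MYSQL_PASSWORD=CHANGE_ME
RABBIT_PASSWORD=CHANGE_ME
SERVICE_PASSWORD=CHANGE_ME
SERVICE_TOKEN=CHANGE_ME

# Tenant (FIXED_RANGE) network and its router, the GW
FIXED_RANGE=${fixed_range}
NETWORK_GATEWAY=${net_gw}

# Public network, its gateway and the floating-IP pool reserved on it
FLOATING_RANGE=${public_net}
PUBLIC_NETWORK_GATEWAY=${public_gw}
Q_FLOATING_ALLOCATION_POOL=start=${float_start},end=${float_end}
PUBLIC_INTERFACE=${public_if}

# Cisco plugin (Q_PLUGIN value is an assumption); VSM address is the one the page uses
Q_PLUGIN=cisco
Q_CISCO_PLUGIN_VSM_IP=192.168.168.2
# CSR management subnet, N1kV VLAN range (320-339) and the CSR/N1kV image file
# names are set through Cisco-plugin variables the page does not name; add them here.

# Cisco config agent and router service replace the reference q-l3 agent
disable_service q-l3
enable_service ciscocfgagent q-ciscorouter cisco_vpn

# Set to no after the first successful stack.sh run (Step 4b)
RECLONE=yes
EOF
}

# Usage: render the devstack-32 file with the values from Step 3
render_localrc 32 10.1.0.0/24 10.1.0.1 172.32.1.10 172.32.1.11 172.32.1.19 eth3
```

For devstack-33 call it with the values from this step (`10.2.0.0/24 10.2.0.1 172.24.4.20 172.24.4.21 172.24.4.29 eth5`) and redirect the output to that host's localrc; the Q_VPN_EXTRA_CONF_FILES entry for cisco_vpn_agent.ini is added by hand since its exact value is not shown on the page.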


Step 4

Step 4a

No changes.

Remember that the stack.sh script takes several minutes to run.

Step 4b

No changes.

Step 4c

If you use the VM creation script, name it for the new node as in the following example:

cat << EOT | tee build-vms.33
source ~/devstack/openrc admin admin
glance image-update cirros-0.3.3-x86_64-uec --property hw_vif_model=e1000

source ~/devstack/openrc admin demo
PRIVATE_NET=\`neutron net-list | grep private | cut -f 2 -d'|' | cut -f 2 -d' '\`

nova boot --flavor 1 --image cirros-0.3.3-x86_64-uec --nic net-id=\$PRIVATE_NET mary
nova boot --flavor 3 --image ubuntu-14.04-server-cloudimg-amd64 --user-data \$HOME/devstack/user_data.txt --nic net-id=\$PRIVATE_NET thomas
EOT

chmod 755 build-vms.33

cat << EOT | tee user_data.txt
#cloud-config
password: cisco1
chpasswd: { expire: false}
ssh_pwauth: true
EOT

./build-vms.33

Verifying Basic Operation

Verify connectivity between the VMs and the CSR router (router1):

  1. SSH into the VM.
  2. ping the local IP of the CSR.

Verify connectivity between the local CSR and

  • The remote CSR
  • Local VMs and local subnet

Do the following:

  1. SSH into the CSR.
  2. ping the remote CSR via the public subnet.
  3. ping the local VMs via the local subnet.

Select the internal tenant used for the CSR. Enter the following:

source ~/devstack/openrc neutron L3AdminTenant
nova list

To SSH in, use:

ssh stack@10.0.32.10 -o KexAlgorithms=diffie-hellman-group14-sha1

Use the IP from the nova list output, and use a password of cisco.

Enter show running to identify the VRF used for the public and private networks (both use the same VRF).

Enter ping vrf nrouter-xxxxxx 172.32.1.21, for example, to check the remote CSR from the devstack-32 CSR (assuming it was assigned the 172.32.1.21 IP for its public interface).

To verify access to the CSR's REST APIs (assuming that the CSR's management IP is 10.0.32.10), enter:

curl  -X POST https://10.0.32.10:55443/api/v1/auth/token-services -H "Accept:application/json" -H "Content-Length: 0" -u "stack:cisco" -d "" -k -3 -v

This command should return an authorization token for the CSR:

... (verbose output), then ...
{"kind": "object#auth-token", "expiry-time": "Tue Nov 18 13:37:10 2014", "token-id": "rbfYhwy/OKpGAYUL02DW03g+moWpXkUbehYBOK5YPmI=", "link": "https://10.0.32.10:55443/api
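The token returned above is what every later REST call to the CSR must carry. The following added example (not from the wiki page) wraps the page's curl call in a function, pulls the token-id out of the JSON, and shows a follow-up GET; the sample JSON is constructed from the response shown above, with the link value left truncated as on the page. Two deliberate changes from the page's command: `-3` (force SSLv3) is dropped because current curl and OpenSSL builds refuse SSLv3, and `-k` is used only when you do not pass the CSR's certificate, since `--cacert` lets you verify the management endpoint instead of disabling TLS verification. The X-auth-token header name and port 55443 are assumptions taken from the CSR REST API as shown here.

```bash
#!/bin/bash
# Added example, not from the wiki: request a CSR REST token as the page's curl
# call does, extract the token-id, and reuse it on a later API call.
# Assumptions: REST API on port 55443 (as on the page) and an X-auth-token
# request header for authenticated calls.

# extract_token_id JSON -> prints the value of the "token-id" field (empty if absent)
extract_token_id() {
    printf '%s' "$1" | sed -n 's/.*"token-id": *"\([^"]*\)".*/\1/p'
}

# csr_get_token MGMT_IP USER PASS [CACERT] -> prints the token-id.
# Pass the CSR's certificate as CACERT to verify TLS; without it -k is used,
# as in the page's command (the CSR ships a self-signed certificate).
csr_get_token() {
    local ip=$1 user=$2 pass=$3 cacert=$4 tls_opt response
    if [ -n "$cacert" ]; then tls_opt="--cacert $cacert"; else tls_opt="-k"; fi
    # $tls_opt is intentionally unquoted so "--cacert file" splits into two arguments
    response=$(curl -s -X POST "https://${ip}:55443/api/v1/auth/token-services" \
        -H "Accept: application/json" -H "Content-Length: 0" \
        -u "${user}:${pass}" -d "" $tls_opt) || return 1
    extract_token_id "$response"
}

# csr_api_get MGMT_IP TOKEN PATH [CACERT] -> GET an API path using the token
csr_api_get() {
    local ip=$1 token=$2 path=$3 cacert=$4 tls_opt
    if [ -n "$cacert" ]; then tls_opt="--cacert $cacert"; else tls_opt="-k"; fi
    curl -s -H "Accept: application/json" -H "X-auth-token: ${token}" \
        $tls_opt "https://${ip}:55443${path}"
}

# Constructed sample shaped like the page's response (link truncated as on the page)
SAMPLE_TOKEN_JSON='{"kind": "object#auth-token", "expiry-time": "Tue Nov 18 13:37:10 2014", "token-id": "rbfYhwy/OKpGAYUL02DW03g+moWpXkUbehYBOK5YPmI=", "link": "https://10.0.32.10:55443/api"}'

# Usage against a live CSR (management IP and credentials from this guide):
#   token=$(csr_get_token 10.0.32.10 stack cisco) && csr_api_get 10.0.32.10 "$token" /api/v1/global/host-name
echo "sample token-id: $(extract_token_id "$SAMPLE_TOKEN_JSON")"
```

The expiry-time in the response tells you how long the token stays valid; request a new one rather than caching it across a long session.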

Once you have confirmed that there is REST management access to the CSR from the host and the CSR has connectivity on the public and private interfaces, configure a site-to-site IPSec connection between the two clouds. On devstack-32, enter:

source openrc admin demo

neutron vpn-ikepolicy-create ikepolicy1
neutron vpn-ipsecpolicy-create ipsecpolicy1
neutron vpn-service-create --name myvpn --description "My vpn service" router1 private-subnet

neutron ipsec-site-connection-create --name vpnconnection1 --vpnservice-id myvpn --ikepolicy-id ikepolicy1 \
        --ipsecpolicy-id ipsecpolicy1 --peer-address 172.32.1.21 --peer-id 172.32.1.21 \
        --peer-cidr 10.2.0.0/24 --psk secret


To set up the connection on devstack-33, use the IPs for that node:

source openrc admin demo

neutron vpn-ikepolicy-create ikepolicy1
neutron vpn-ipsecpolicy-create ipsecpolicy1
neutron vpn-service-create --name myvpn --description "My vpn service" router1 private-subnet

neutron ipsec-site-connection-create --name vpnconnection1 --vpnservice-id myvpn --ikepolicy-id ikepolicy1 \
        --ipsecpolicy-id ipsecpolicy1 --peer-address 172.32.1.11 --peer-id 172.32.1.11 \
        --peer-cidr 10.1.0.0/24 --psk secret

You should be able to ping from a VM in the devstack-32 cloud to a VM in the devstack-33 cloud. Use the neutron vpn-service-status and ipsec-site-connection-list commands to see the status of the IPSec connection. You can also SSH into the CSR and view the configuration, examine logs, and enable debugging.

Note: It takes time for the VPN connection to be negotiated. The connection may not be available instantly.
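Since negotiation takes time, a polling loop is more reliable than a single status check before you start pinging across the tunnel. The following added example (not from the wiki page) waits for the connection's status to become ACTIVE, stops early on ERROR, and gives up after a timeout. It assumes the neutron client's `ipsec-site-connection-show -f value -c status` output form; the status query is isolated in its own function so it can be replaced (for instance with a stub when testing the loop offline).

```bash
#!/bin/bash
# Added example, not from the wiki: wait for an IPSec site connection to
# negotiate instead of checking its status once.

# ipsec_connection_status NAME -> prints the connection's status field.
# Assumes neutronclient's "-f value -c status" output; override for tests.
ipsec_connection_status() {
    neutron ipsec-site-connection-show -f value -c status "$1" 2>/dev/null
}

# wait_for_ipsec_active NAME [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
# -> 0 once the status is ACTIVE; 1 on ERROR or when TIMEOUT is exceeded.
wait_for_ipsec_active() {
    local name=$1 timeout=${2:-300} interval=${3:-10} waited=0 status
    while [ "$waited" -lt "$timeout" ]; do
        status=$(ipsec_connection_status "$name" || true)
        case "$status" in
            ACTIVE)
                echo "$name: ACTIVE after ${waited}s"
                return 0 ;;
            ERROR)
                echo "$name: status ERROR; check the CSR logs and the peer settings" >&2
                return 1 ;;
        esac
        sleep "$interval"
        waited=$((waited + interval))
    done
    echo "$name: not ACTIVE after ${timeout}s (last status: ${status:-unknown})" >&2
    return 1
}

# Usage on either host, with the connection name from this guide:
#   source ~/devstack/openrc admin demo && wait_for_ipsec_active vpnconnection1 300 10
```

Run it on both devstack-32 and devstack-33; a connection that stays in a pending state on one side only usually points at mismatched peer-address, peer-cidr or PSK values between the two ipsec-site-connection-create commands.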

Reference Information
