OpenStack:Havana:VPNaaS

From DocWiki


Overview

This guide provides a quick walk-through of setting up the OpenStack VPNaaS (Virtual Private Network as a Service) functionality that is now available in the Cisco OpenStack Installer (COI) Havana Release 2 (H.2).

This guide can be used for configuring IKE and IPSec Policies for VPNaaS on any H.2 release, but the networking topology is based on an example walk through from the OpenStack Havana All-in-One Guide. The specific scenario that was used for validating the VPNaaS functionality found in this guide is the AIO with Per-Tenant Routers with Private Networks example.

An AIO deployment was built at two sites, and VPNaaS will be used to connect a tenant at each site.

Diagrams

Review the diagram in Figure 1 to better understand the example topology:

Figure 1: VPNaaS Example Topology (image: Vpnaas topo.jpg)
VPNaaS Configuration

As stated above, the VPNaaS functionality is on by default in the COI H.2 release. All you have to do is configure VPNaaS, either via the Neutron CLI (not shown here) or via the OpenStack Dashboard.

In the example shown in this document there is one tenant (OpenStack refers to these as "Projects") at each site, with one instance running within each tenant. A complete VPNaaS deployment requires an IKE Policy, an IPSec Policy, a VPN Service and an IPSec Site Connection. The steps for creating the VPNaaS configuration are as follows:

Step 1: Create an IKE Policy

From the "VPN" object under "Manage Network" in the Dashboard sidebar, select "Add IKE Policy" from the "IKE Policies" tab. In the example shown in Figure 2, the IKE Policy has the following settings:

  • Name = ike_pol_1
  • Leave all other settings at their defaults

Figure 2: IKE Policy (image: Vpnaas ike.jpg)
Step 2: Create an IPSec Policy

From the "VPN" object under "Manage Network" in the Dashboard sidebar, select "Add IPSec Policy" from the "IPSec Policies" tab. In the example shown in Figure 3, the IPSec Policy has the following settings:

  • Name = ipsec_pol_1
  • Leave all other settings at their defaults

Figure 3: IPSec Policy (image: Vpnaas ipsec.jpg)
Step 3: Create a VPN Service

From the "VPN" object under "Manage Network" in the Dashboard sidebar, select "Add VPN Service" from the "VPN Services" tab. In the example shown in Figure 4, the VPN Service has the following settings:

  • Name = vpn_service_1
  • Router = os-router-1 # There should be only one router in the drop down list in most cases and it is the per-tenant router that you setup during the initial Neutron networking configuration.
  • Subnet = 10.10.10.0/24 # This will be the private subnet range that you created for instances to attach to during the initial Neutron networking configuration

Figure 4: VPN Service (image: Vpnaas vpn service.jpg)
Step 4: Gather Neutron Router Information

From the "Routers" object under "Manage Network" in the Dashboard sidebar, select the router name you created during the AIO Neutron network installation at each site. Once you select the router name you will see a list of "Interfaces" in the "Router Overview" screen. In the example shown in Figure 5, the "Fixed IP Address" associated with the External Gateway is the address you need for the "IPSec Site Connections" configuration. You also need to know the private subnet range before entering the IPSec Site Connection configuration:

Figure 5: Router IP Address (image: Vpnaas router.jpg)
Alternatively, you can access the needed router information via CLI by looking at the Neutron router list:

root@all-in-one:~# neutron router-list
+--------------------------------------+-------------+-----------------------------------------------------------------------------+
| id                                   | name        | external_gateway_info                                                       |
+--------------------------------------+-------------+-----------------------------------------------------------------------------+
| e9c35b5e-1778-431c-8b86-5f1a45dfafa9 | os-router-1 | {"network_id": "38a958f2-8675-4412-98ce-975c28480eb7", "enable_snat": true} |
+--------------------------------------+-------------+-----------------------------------------------------------------------------+

Then look at the Neutron router port list for that router:

root@all-in-one:~# neutron router-port-list os-router-1
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
| id                                   | name | mac_address       | fixed_ips                                                                            |
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
| a94e1de9-3757-448b-bd91-4da253b579e8 |      | fa:16:3e:f9:86:5a | {"subnet_id": "93628298-7201-48ae-bdaa-fd0967998dd0", "ip_address": "192.168.81.10"} |
| f1fd003a-379b-4939-aba8-e226aed6644f |      | fa:16:3e:cf:59:84 | {"subnet_id": "a7fa1adf-c601-43d6-92c3-cbdbab1d7ea7", "ip_address": "10.10.10.1"}    |
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+

Do this on both site AIO nodes. Below is the port list for the second AIO site:

root@all-in-one-site2:~# neutron router-port-list os-router-2
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
| id                                   | name | mac_address       | fixed_ips                                                                            |
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
| 168ae5f7-0c94-4454-abab-94bd035c4f67 |      | fa:16:3e:9a:47:c3 | {"subnet_id": "7e7e4ddb-e5c3-495e-a8d2-1af4897532aa", "ip_address": "10.10.20.1"}    |
| 5d54641c-cbc3-4a2f-ab9e-22c405a3310d |      | fa:16:3e:fa:20:7a | {"subnet_id": "e87600f2-fd9e-42c3-93c9-e585f7557400", "ip_address": "192.168.82.10"} |
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+

Step 5: Create an IPSec Site Connection

From the "VPN" object under "Manage Network" in the Dashboard sidebar, select "Add IPSec Site Connection" from the "IPSec Site Connections" tab. In the example shown in Figure 6, the IPSec Site Connection has the following settings:

  • Name = site1-to-site2
  • VPN Service associated with this connection = vpn_service_1 # This is the VPN service name you created in Step 3
  • IKE Policy associated with this connection = ike_pol_1 # This is the IKE Policy name you created in Step 1
  • IPSec Policy associated with this connection = ipsec_pol_1 # This is the IPSec Policy name you created in Step 2
  • Peer gateway public IPv4/IPv6 Address or FQDN = 192.168.82.10 # This is the remote site's router public IP address that you noted in Step 4
  • Peer router identity or authentication (Peer ID) = 192.168.82.10 # This is the remote site's router public IP address, email, key id or FQDN
  • Remote peer subnet = 10.10.20.0/24 # This is the remote site's private subnet that this IPSec connection will allow VPN access to. This information was gathered in Step 4
  • Pre-Shared Key (PSK) string = cisco123 # Set your own PSK. Note: A future version of VPNaaS will support certificates

Figure 6: IPSec Site Connection (image: Vpnaas site connection.jpg)
Note: The "Status" under the "IPSec Site Connections" tab will show "Pending Create" which is normal and will change to "Active" once an instance is launched and the VPN is connected.

Step 6: Reproduce Steps 1-5 at the Second Site

Repeat all of the steps above at the second site, using the IP addresses and peer information from the topology shown in Figure 1.

Ensure that the policy settings and IP address information match on both sides. A quick way to compare them is to list and show the IPSec Site Connections with the Neutron CLI (this can also be done via the Dashboard). At the first site:

root@all-in-one:~# neutron ipsec-site-connection-list
+--------------------------------------+----------------+---------------+-----------------+------------+-----------+----------------+
| id                                   | name           | peer_address  | peer_cidrs      | route_mode | auth_mode | status         |
+--------------------------------------+----------------+---------------+-----------------+------------+-----------+----------------+
| 974db203-06bf-4f8d-98a7-c971b2855984 | site1-to-site2 | 192.168.82.10 | "10.10.20.0/24" | static     | psk       | PENDING_CREATE |
+--------------------------------------+----------------+---------------+-----------------+------------+-----------+----------------+
root@all-in-one:~# neutron ipsec-site-connection-show site1-to-site2
+----------------+----------------------------------------------------+
| Field          | Value                                              |
+----------------+----------------------------------------------------+
| admin_state_up | True                                               |
| auth_mode      | psk                                                |
| description    |                                                    |
| dpd            | {"action": "hold", "interval": 30, "timeout": 120} |
| id             | 974db203-06bf-4f8d-98a7-c971b2855984               |
| ikepolicy_id   | 5782e92d-65d5-4326-a0cf-c09679e8a833               |
| initiator      | bi-directional                                     |
| ipsecpolicy_id | 045a68b8-987f-43c2-ad37-18e29ce66fb2               |
| mtu            | 1500                                               |
| name           | site1-to-site2                                     |
| peer_address   | 192.168.82.10                                      |
| peer_cidrs     | 10.10.20.0/24                                      |
| peer_id        | 192.168.82.10                                      |
| psk            | cisco123                                           |
| route_mode     | static                                             |
| status         | PENDING_CREATE                                     |
| tenant_id      | 2f8ddde944e74db992dcbbea32b996cb                   |
| vpnservice_id  | 72454835-c2f5-4560-8325-9afa50661bfa               |
+----------------+----------------------------------------------------+

And again at the second site:

root@all-in-one-site2:~# neutron ipsec-site-connection-list
+--------------------------------------+----------------+---------------+-----------------+------------+-----------+----------------+
| id                                   | name           | peer_address  | peer_cidrs      | route_mode | auth_mode | status         |
+--------------------------------------+----------------+---------------+-----------------+------------+-----------+----------------+
| f237f7e8-f2d5-4791-8e42-e3d3dedac809 | site2-to-site1 | 192.168.81.10 | "10.10.10.0/24" | static     | psk       | PENDING_CREATE |
+--------------------------------------+----------------+---------------+-----------------+------------+-----------+----------------+
root@all-in-one-site2:~# neutron ipsec-site-connection-show site2-to-site1
+----------------+----------------------------------------------------+
| Field          | Value                                              |
+----------------+----------------------------------------------------+
| admin_state_up | True                                               |
| auth_mode      | psk                                                |
| description    |                                                    |
| dpd            | {"action": "hold", "interval": 30, "timeout": 120} |
| id             | f237f7e8-f2d5-4791-8e42-e3d3dedac809               |
| ikepolicy_id   | 46367afe-607b-4d3d-8226-144475088756               |
| initiator      | bi-directional                                     |
| ipsecpolicy_id | c6fd5ebb-5aac-4fef-ae02-86f6a0e9f3f2               |
| mtu            | 1500                                               |
| name           | site2-to-site1                                     |
| peer_address   | 192.168.81.10                                      |
| peer_cidrs     | 10.10.10.0/24                                      |
| peer_id        | 192.168.81.10                                      |
| psk            | cisco123                                           |
| route_mode     | static                                             |
| status         | PENDING_CREATE                                     |
| tenant_id      | e296cbe33c18458ab2acd3395b0545c4                   |
| vpnservice_id  | a18d4971-6f65-4a2a-a769-4f94973a2a4d               |
+----------------+----------------------------------------------------+
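The two `ipsec-site-connection-show` outputs above have to mirror each other: each site's `peer_address` must be the other site's external gateway address from Step 4, its `peer_cidrs` must be the other site's private subnet, and the PSK and DPD settings must be identical. The following script is an added example (not part of the DocWiki page or of Neutron itself) that automates that Step 4 and Step 6 cross-check: it parses the `neutron router-port-list` and `neutron ipsec-site-connection-show` tables copied from this page (constructed sample input, trimmed to the fields compared), derives each site's external gateway address, and reports mismatches. The site dictionaries, function names and the 20-character PSK threshold are assumptions of the example.

```python
import ipaddress
import json

# Constructed sample input, copied from the CLI output on this page; the
# ipsec-site-connection-show tables are trimmed to the fields compared here.
SITE1_PORTS = """
+-------------------+--------------------------------------------------------------------------------------+
| mac_address       | fixed_ips                                                                            |
+-------------------+--------------------------------------------------------------------------------------+
| fa:16:3e:f9:86:5a | {"subnet_id": "93628298-7201-48ae-bdaa-fd0967998dd0", "ip_address": "192.168.81.10"} |
| fa:16:3e:cf:59:84 | {"subnet_id": "a7fa1adf-c601-43d6-92c3-cbdbab1d7ea7", "ip_address": "10.10.10.1"}    |
+-------------------+--------------------------------------------------------------------------------------+
"""
SITE2_PORTS = """
+-------------------+--------------------------------------------------------------------------------------+
| mac_address       | fixed_ips                                                                            |
+-------------------+--------------------------------------------------------------------------------------+
| fa:16:3e:9a:47:c3 | {"subnet_id": "7e7e4ddb-e5c3-495e-a8d2-1af4897532aa", "ip_address": "10.10.20.1"}    |
| fa:16:3e:fa:20:7a | {"subnet_id": "e87600f2-fd9e-42c3-93c9-e585f7557400", "ip_address": "192.168.82.10"} |
+-------------------+--------------------------------------------------------------------------------------+
"""
SITE1_CONN = """
+--------------+----------------------------------------------------+
| Field        | Value                                              |
+--------------+----------------------------------------------------+
| auth_mode    | psk                                                |
| dpd          | {"action": "hold", "interval": 30, "timeout": 120} |
| peer_address | 192.168.82.10                                      |
| peer_cidrs   | 10.10.20.0/24                                      |
| peer_id      | 192.168.82.10                                      |
| psk          | cisco123                                           |
+--------------+----------------------------------------------------+
"""
SITE2_CONN = """
+--------------+----------------------------------------------------+
| Field        | Value                                              |
+--------------+----------------------------------------------------+
| auth_mode    | psk                                                |
| dpd          | {"action": "hold", "interval": 30, "timeout": 120} |
| peer_address | 192.168.81.10                                      |
| peer_cidrs   | 10.10.10.0/24                                      |
| peer_id      | 192.168.81.10                                      |
| psk          | cisco123                                           |
+--------------+----------------------------------------------------+
"""
# private_subnet is the subnet the VPN Service was attached to in Step 3 (assumed layout).
SITE1 = {"name": "site1", "private_subnet": "10.10.10.0/24", "ports": SITE1_PORTS, "conn": SITE1_CONN}
SITE2 = {"name": "site2", "private_subnet": "10.10.20.0/24", "ports": SITE2_PORTS, "conn": SITE2_CONN}


def parse_table(text):
    """Parse a neutron CLI '+---+' table into row dicts keyed by the header cells."""
    rows = [line for line in text.splitlines() if line.startswith("|")]
    cells = [[c.strip() for c in row.strip().strip("|").split("|")] for row in rows]
    return [dict(zip(cells[0], row)) for row in cells[1:]]


def parse_show(text):
    """Turn a two-column Field/Value table into a dict."""
    return {row["Field"]: row["Value"] for row in parse_table(text)}


def external_gateway_ip(port_table, private_subnet):
    """Return the router port address outside the tenant's private subnet: the
    External Gateway 'Fixed IP Address' that Step 4 tells you to note."""
    net = ipaddress.ip_network(private_subnet)
    for port in parse_table(port_table):
        addr = json.loads(port["fixed_ips"])["ip_address"]
        if ipaddress.ip_address(addr) not in net:
            return addr
    return None


def check_pair(local, remote):
    """Check that the local site's connection points at the remote site correctly
    and that the settings both sides must share are identical."""
    errors, warnings = [], []
    conn, peer_conn = parse_show(local["conn"]), parse_show(remote["conn"])
    gateway = external_gateway_ip(remote["ports"], remote["private_subnet"])
    if conn["peer_address"] != gateway:
        errors.append(f"{local['name']}: peer_address {conn['peer_address']} is not "
                      f"{remote['name']}'s gateway {gateway}")
    if conn["peer_id"] != conn["peer_address"]:
        warnings.append(f"{local['name']}: peer_id differs from peer_address; the peer "
                        f"must present exactly that ID or IKE authentication fails")
    if ipaddress.ip_network(conn["peer_cidrs"]) != ipaddress.ip_network(remote["private_subnet"]):
        errors.append(f"{local['name']}: peer_cidrs {conn['peer_cidrs']} is not "
                      f"{remote['name']}'s private subnet {remote['private_subnet']}")
    for field in ("auth_mode", "psk", "dpd"):  # must be identical on both sides
        if conn[field] != peer_conn[field]:
            errors.append(f"{field} differs between sites: {conn[field]!r} vs {peer_conn[field]!r}")
    if conn["auth_mode"] == "psk" and len(conn["psk"]) < 20:  # assumed threshold
        warnings.append(f"{local['name']}: PSK is only {len(conn['psk'])} characters; "
                        f"use a long random string")
    return errors, warnings


def check_both(site_a, site_b):
    """Run the check in both directions and merge the findings."""
    err_ab, warn_ab = check_pair(site_a, site_b)
    err_ba, warn_ba = check_pair(site_b, site_a)
    return err_ab + err_ba, warn_ab + warn_ba


if __name__ == "__main__":
    errors, warnings = check_both(SITE1, SITE2)
    print("\n".join(errors + warnings) or "no findings")
```

With the page's values the checker reports no errors, only a warning on each side that the example PSK `cisco123` is short. It identifies the external gateway as the one router port whose address lies outside the VPN Service subnet, which matches the single-external, single-internal router of this topology; a router with several internal interfaces would need the external `network_id` from `neutron router-list` instead.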

Step 7: Launch an Instance at Each Site

Using the Dashboard or CLI, launch an instance at each site (For a refresher on this step check the AIO document: http://docwiki.cisco.com/wiki/OpenStack:Havana:All-in-One#Boot_an_Instance_-_for_Models_1_and_2)

Once an instance is running at each site, log in to one instance and check connectivity to the instance at the far site:

root@all-in-one:~# ip netns exec qrouter-125194ed-05ed-4b5b-bc94-c3a95430c748 ssh cirros@10.10.10.2
The authenticity of host '10.10.10.2 (10.10.10.2)' can't be established.
RSA key fingerprint is 2b:1b:9c:83:b3:98:32:67:e5:9a:b1:df:c8:27:87:13.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.2' (RSA) to the list of known hosts.
$ 

Ping the site 2 instance:

$ ping 10.10.20.2
PING 10.10.20.2 (10.10.20.2): 56 data bytes
64 bytes from 10.10.20.2: seq=0 ttl=62 time=4.112 ms
64 bytes from 10.10.20.2: seq=1 ttl=62 time=1.689 ms
. . .

Authors

Shannon McFarland (@eyepv6) - Principal Engineer
