From ef4069a1d35c7de1718c630cecfe47071d9d7933 Mon Sep 17 00:00:00 2001 From: Paul Bourke Date: Thu, 24 Nov 2016 11:56:59 +0000 Subject: [PATCH] Add basic docs for neutron-vpnaas Change-Id: I2b456b1626875d863f896ad7fc6c0024f5ed110f --- doc/networking-guide.rst | 62 ++++++++++++++++++++++++++++++++++++++++ setup.cfg | 1 + tools/init-vpn | 61 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 124 insertions(+) create mode 100755 tools/init-vpn diff --git a/doc/networking-guide.rst b/doc/networking-guide.rst index 77eacce0dd..8916dce1c2 100644 --- a/doc/networking-guide.rst +++ b/doc/networking-guide.rst @@ -87,3 +87,65 @@ to the following link: For the source code, please refer to the following link: https://github.com/openstack/networking-sfc + +Neutron VPNaaS (VPN-as-a-Service) +================================ + +Preparation and deployment +-------------------------- + +Modify the configuration file ``/etc/kolla/globals.yml`` and change +the following: + +:: + + enable_neutron_vpnaas: "yes" + +Verification +------------ + +VPNaaS is a complex subject, hence this document provides directions for a +simple smoke test to verify the service is up and running. + +On the network node(s), the ``neutron_vpnaas_agent`` should be up (image naming +and versioning may differ depending on deploy configuration): + +:: + + docker ps --filter name=neutron_vpnaas_agent + CONTAINER ID IMAGE + COMMAND CREATED STATUS PORTS + NAMES + 97d25657d55e + operator:5000/kolla/oraclelinux-source-neutron-vpnaas-agent:4.0.0 + "kolla_start" 44 minutes ago Up 44 minutes + neutron_vpnaas_agent + +kolla-ansible includes a small script that can be used in tandem with +``tools/init-runonce`` to verify the VPN using two routers and two Nova VMs: + +:: + + tools/init-runonce + tools/init-vpn + +Verify both VPN services are active: + +:: + + neutron vpn-service-list + +--------------------------------------+----------+--------------------------------------+--------+ + | id | name | router_id | status | + +--------------------------------------+----------+--------------------------------------+--------+ + | ad941ec4-5f3d-4a30-aae2-1ab3f4347eb1 | vpn_west | 051f7ce3-4301-43cc-bfbd-7ffd59af539e | ACTIVE | + | edce15db-696f-46d8-9bad-03d087f1f682 | vpn_east | 058842e0-1d01-4230-af8d-0ba6d0da8b1f | ACTIVE | + +--------------------------------------+----------+--------------------------------------+--------+ + +Two VMs can now be booted, one on vpn_east, the other on vpn_west, and +encrypted ping packets observed being sent from one to the other. + +For more information on this and VPNaaS in Neutron refer to the VPNaaS area on +the OpenStack wiki: + + https://wiki.openstack.org/wiki/Neutron/VPNaaS/HowToInstall + https://wiki.openstack.org/wiki/Neutron/VPNaaS diff --git a/setup.cfg b/setup.cfg index 81f0999044..5bc85d75af 100644 --- a/setup.cfg +++ b/setup.cfg @@ -33,6 +33,7 @@ data_files = share/kolla/doc = doc/* share/kolla/etc_examples = etc/* share/kolla = tools/init-runonce + share/kolla = tools/init-vpn share/kolla = tools/openrc-example share/kolla = setup.cfg diff --git a/tools/init-vpn b/tools/init-vpn new file mode 100755 index 0000000000..08c000fb73 --- /dev/null +++ b/tools/init-vpn @@ -0,0 +1,61 @@ +#!/usr/bin/env bash + +# Script originally copied from https://wiki.openstack.org/wiki/Neutron/VPNaaS/HowToInstall + +EXT_NW_ID=`neutron net-list | awk '/public/{print $2}'` +WEST_SUBNET='192.168.1.0/24' +EAST_SUBNET='192.168.2.0/24' + +function setup_site(){ + local site_name=$1 + local cidr=$2 + neutron net-create net_$site_name + neutron subnet-create --name subnet_$site_name net_$site_name $2 + neutron router-create router_$site_name + neutron router-interface-add router_$site_name subnet_$site_name + neutron router-gateway-set router_$site_name $EXT_NW_ID + neutron vpn-service-create --name vpn_$site_name router_$site_name subnet_$site_name +} + +function get_external_ip(){ + local router_id=`neutron router-show $1 | awk '/ id /{print $4}'` + echo `neutron port-list -c fixed_ips -c device_id -c device_owner|grep router_gateway | awk +'/'.$router_id.'/{print $5}' | sed 's/["}]//g'` +} + +function clean_site(){ + local site_name=$1 + neutron ipsec-site-connection-delete conn_$site_name + neutron vpn-service-list | awk '/vpn_'$site_name'/{print "neutron vpn-service-delete " $2}' | +bash + neutron router-gateway-clear router_$site_name + neutron router-interface-delete router_$site_name subnet_$site_name + neutron router-list | awk '/router_'$site_name'/{print "neutron router-delete " $2}' | bash + neutron subnet-list | awk '/subnet_'$site_name'/{print "neutron subnet-delete " $2}' | bash + neutron net-list | awk '/net_'$site_name'/{print "neutron net-delete " $2}' | bash +} + +function setup(){ + neutron vpn-ikepolicy-create ikepolicy1 + neutron vpn-ipsecpolicy-create ipsecpolicy1 + setup_site west $WEST_SUBNET + WEST_IP=$(get_external_ip router_west) + setup_site east $EAST_SUBNET + EAST_IP=$(get_external_ip router_east) + neutron ipsec-site-connection-create --name conn_east --vpnservice-id vpn_east --ikepolicy-id +ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address $WEST_IP --peer-id $WEST_IP --peer-cidr +$WEST_SUBNET --psk secret + neutron ipsec-site-connection-create --name conn_west --vpnservice-id vpn_west --ikepolicy-id +ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address $EAST_IP --peer-id $EAST_IP --peer-cidr +$EAST_SUBNET --psk secret +} + +function cleanup(){ + clean_site west + clean_site east + neutron vpn-ikepolicy-delete ikepolicy1 + neutron vpn-ipsecpolicy-delete ipsecpolicy1 +} + +cleanup +setup