OpenStack Neutron VPNaaS Configuration


OpenStack version configured: Juno

There is very little material on configuring VPNaaS. The official page usually pointed to, https://wiki.openstack.org/wiki/Neutron/VPNaaS/HowToInstall, is quite old and says almost nothing about the actual configuration.

After a long time searching and reading I finally got it working, and I am writing it down here for reference. If anything is incorrect, please leave a comment.

1.1 Preparation

yum install openstack-neutron-vpn-agent libreswan -y  

vi /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0

Reload the settings with sysctl -p afterwards. ip_forward is needed because the router namespace forwards between the IPsec tunnel and the tenant network, and rp_filter=0 because that forwarding does not pass the kernel's reverse-path check; be aware that rp_filter=0 also switches off the kernel's source-address sanity check on the node, so security groups and the router's own filtering are what stand between the tunnel and the tenant network. Not sending and not accepting ICMP redirects is plain hardening for a host that routes.


1.2 Add the VPN service

vim /etc/neutron/neutron.conf
[DEFAULT]
service_plugins = router,vpnaas
[service_providers]
service_provider = VPN:Vpn:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default

The entry has the form VPN:<provider name>:<driver class>:default. The provider name (Vpn here) is free-form, but the driver class must be importable; a malformed entry makes neutron-server fail at startup.

1.3 Configure vpnaas

vim /etc/neutron/vpn_agent.ini 
[DEFAULT]
# VPN-Agent configuration file
# Note vpn-agent inherits l3-agent, so you can use configs on l3-agent also
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
[vpnagent]
vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver
[ipsec]
ipsec_status_check_interval=30
The rootwrap filter must also allow the commands the device driver runs as root. The certutil entry is what the NSS-database initialisation added in section 2.1 relies on; rootwrap rejects any command that no filter matches.

vi /usr/share/neutron/rootwrap/vpnaas.filters
[Filters]
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
openswan: CommandFilter, ipsec, root
libreswan: CommandFilter, certutil, root

1.4 Enable VPN in the dashboard

vim /etc/openstack-dashboard/local_settings 

OPENSTACK_NEUTRON_NETWORK = {
    'enable_vpn': True,
}

Only the key relevant here is shown; keep the other keys already in this dictionary (such as enable_lb and enable_firewall) as they are.

1.5 Start ipsec

chkconfig ipsec on
service ipsec start

(On CentOS 7 the equivalents are systemctl enable ipsec and systemctl start ipsec.)
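Before restarting neutron-server and the agent it is worth checking that the files edited in 1.2 and 1.3 say what you think they say. The following is an added example, not part of the original post or of Neutron: it parses the text of neutron.conf and vpnaas.filters and lists anything missing (vpnaas not in service_plugins, no or malformed VPN service_provider, no root CommandFilter for ipsec or certutil). The sample file contents at the bottom are constructed from the post's snippets; the driver class and command names are the ones the post uses.

```python
"""Preflight check for the VPNaaS settings from sections 1.2 and 1.3.

Added example, not part of the original post or of Neutron.  Feed it the
text of neutron.conf and vpnaas.filters; it returns what is still wrong.
"""
import re

# Driver class the post configures; the provider name ("Vpn") is free-form.
VPN_DRIVER = "neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver"
ROOTWRAP_COMMANDS = ("ipsec", "certutil")   # both must be runnable as root

_KV = re.compile(r"^([^=:]+)[=:](.*)$")      # 'key = value' or 'key: value'


def parse_ini(text):
    """Return (section, key, value) triples, keeping duplicate keys.

    Hand-rolled because neutron.conf may carry one service_provider line per
    service type and configparser would reject or collapse the duplicates.
    """
    triples, section = [], "DEFAULT"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        m = _KV.match(line)
        if m:
            triples.append((section, m.group(1).strip(), m.group(2).strip()))
    return triples


def check_neutron_conf(text):
    problems, kv = [], parse_ini(text)
    plugins = {p.strip() for s, k, v in kv
               if (s, k) == ("DEFAULT", "service_plugins") for p in v.split(",")}
    for needed in ("router", "vpnaas"):      # vpn-agent builds on the l3 router
        if needed not in plugins:
            problems.append("service_plugins lacks %s" % needed)
    providers = [v for s, k, v in kv
                 if (s, k) == ("service_providers", "service_provider")]
    vpn = [p.split(":") for p in providers if p.startswith("VPN:")]
    if not vpn:
        problems.append("no service_provider entry for VPN")
    for parts in vpn:
        # Expected shape: VPN:<name>:<driver class>[:default]
        if len(parts) < 3 or not parts[1] or parts[2] != VPN_DRIVER:
            problems.append("VPN service_provider must use %s" % VPN_DRIVER)
        if len(parts) > 4 or (len(parts) == 4 and parts[3] != "default"):
            problems.append("bad trailing field in %r" % ":".join(parts))
    return problems


def check_rootwrap(text):
    allowed = set()
    for section, key, value in parse_ini(text):
        fields = [f.strip() for f in value.split(",")]
        # CommandFilter, <executable>, <run-as user>; only root entries count
        if (section == "Filters" and fields[0] == "CommandFilter"
                and len(fields) >= 3 and fields[2] == "root"):
            allowed.add(fields[1])
    return ["rootwrap has no CommandFilter for %s as root" % c
            for c in ROOTWRAP_COMMANDS if c not in allowed]


def preflight(neutron_conf, vpnaas_filters):
    """Return {file: [problems]} containing only the files with problems."""
    results = {"neutron.conf": check_neutron_conf(neutron_conf),
               "vpnaas.filters": check_rootwrap(vpnaas_filters)}
    return {name: probs for name, probs in results.items() if probs}


# Constructed samples mirroring the post's snippets.
SAMPLE_NEUTRON_CONF = """\
[DEFAULT]
service_plugins = router,vpnaas
[service_providers]
service_provider = VPN:Vpn:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
"""
SAMPLE_FILTERS = """\
[Filters]
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
openswan: CommandFilter, ipsec, root
libreswan: CommandFilter, certutil, root
"""

if __name__ == "__main__":
    print(preflight(SAMPLE_NEUTRON_CONF, SAMPLE_FILTERS) or "OK")
```

Run it against the real files with open('/etc/neutron/neutron.conf').read() and open('/usr/share/neutron/rootwrap/vpnaas.filters').read(); an empty dictionary means the three things the post changes in those files are in place.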

  

2 Modify the code

2.1 ipsec.py

vi /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/ipsec.py

Add at line 97 (class attribute):
    bcertutil = "certutil"

Add at line 114 (class attribute):
    NSS_FILES = [
        'cert8.db',
        'key3.db',
        'secmod.db'
    ]

Add at line 189 (new method):
    def _ensure_nss(self, nss_path):
        if not os.path.isfile(nss_path):
            # create the NSS database libreswan keeps in ipsec.d
            self._execute([self.bcertutil,
                           '-N',
                           '--empty-password',
                           '-d', self.ipsecd_dir,
                           ])

Add at line 204:
    for nss_file in self.NSS_FILES:
        nss_path = os.path.join(self.ipsecd_dir, nss_file)
        self._ensure_nss(nss_path)

Add at line 327 (after self.etc_dir has been set):
    self.ipsecd_dir = os.path.join(
        self.etc_dir, 'ipsec.d')

At lines 409 and 410 (the pluto command line), modify and delete:
    change   '--ipsecdir', self.etc_dir
    to       '--ipsecdir', self.ipsecd_dir
    delete   '--use-netkey',

At line 422, delete:
    '--defaultroutenexthop', nexthop,

Add at line 470 (before pluto is started; a pid file left by an unclean exit is treated by pluto as a live lock file and stops it from starting):
    pid_file = self.pid_path + '.pid'
    if os.path.exists(pid_file):
        os.remove(pid_file)
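To see what those two run-time additions do without root, a network namespace or a Neutron checkout, here is an added example (my code, not the post's patch and not Neutron's): the NSS-database initialisation and the stale-pid cleanup as plain functions. The run callable stands in for Neutron's self._execute (rootwrap plus ip netns exec); the certutil command line is the one from the patch, and demo() substitutes a fake certutil so the logic can be exercised in a scratch directory. Python 3.

```python
"""Standalone model of the two run-time fixes patched into ipsec.py above.

Added example, not code from the original post or from Neutron.  Before pluto
starts, libreswan needs its NSS database in ipsec.d (created with
'certutil -N --empty-password -d <ipsec.d>', as in the patch), and a
<pid_path>.pid left behind by an unclean exit must be removed because pluto
treats it as a live lock file.
"""
import os
import subprocess
import tempfile

NSS_FILES = ("cert8.db", "key3.db", "secmod.db")   # what certutil -N creates


def run_cmd(cmd):
    """Default runner: really execute the command (needs nss-tools)."""
    subprocess.check_call(cmd)


def ensure_nss_db(ipsecd_dir, run=run_cmd):
    """Initialise the NSS database in ipsecd_dir unless all its files exist.

    Returns True if certutil was invoked.  The check covers all three files
    at once, so an empty directory gets exactly one certutil call.
    """
    if all(os.path.isfile(os.path.join(ipsecd_dir, f)) for f in NSS_FILES):
        return False
    os.makedirs(ipsecd_dir, exist_ok=True)      # certutil -d needs the directory
    run(["certutil", "-N", "--empty-password", "-d", ipsecd_dir])
    return True


def remove_stale_pid(pid_path):
    """Delete <pid_path>.pid left by an unclean pluto exit; True if removed."""
    try:
        os.remove(pid_path + ".pid")
    except FileNotFoundError:
        return False
    return True


def demo():
    """Exercise both helpers in a scratch directory with a fake certutil."""
    calls = []

    def fake_certutil(cmd):
        calls.append(cmd)
        for f in NSS_FILES:                      # mimic what certutil -N leaves behind
            open(os.path.join(cmd[-1], f), "wb").close()

    with tempfile.TemporaryDirectory() as root:
        ipsecd = os.path.join(root, "etc", "ipsec.d")   # self.ipsecd_dir in the patch
        first = ensure_nss_db(ipsecd, run=fake_certutil)
        second = ensure_nss_db(ipsecd, run=fake_certutil)

        pid_path = os.path.join(root, "var", "run", "pluto")  # self.pid_path
        os.makedirs(os.path.dirname(pid_path))
        with open(pid_path + ".pid", "w") as fh:  # constructed stale pid file
            fh.write("4242\n")
        removed = remove_stale_pid(pid_path)
        removed_again = remove_stale_pid(pid_path)

    return {"certutil_calls": len(calls), "first": first, "second": second,
            "removed": removed, "removed_again": removed_again}


if __name__ == "__main__":
    print(demo())
```

With the default runner, ensure_nss_db('/etc/neutron/ipsec/<router-id>/etc/ipsec.d') does for one router what the patch does inside the agent; on a node with nss-tools installed you can run it by hand to confirm that certutil is on PATH and produces the three files, which is the same precondition the rootwrap certutil filter exists for.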

2.2 ipsec.conf.template

vi /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/template/openswan/ipsec.conf.template

Line 3, delete:  nat_traversal=yes
Line 7, delete keylife=60m and add:  salifetime=60m
Line 20, delete:  leftnexthop=%defaultroute
Line 31, delete:  rightnexthop=%defaultroute
Line 63, delete lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s and add:  salifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
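The five template edits are all instances of two rules: drop a setting libreswan no longer takes, or rename a lifetime key to salifetime. The following added example (my code, not the post's and not Neutron's) turns that into a repeatable rewrite that also covers the same keys wherever else they occur in an Openswan-style ipsec.conf, which is what you want if the template is reinstalled by a package update. Jinja tags, conn/config lines, comments and indentation pass through unchanged, so the output is still a valid template. SAMPLE is a constructed excerpt in the shape of the template, not the real file.

```python
"""Migrate Openswan ipsec.conf syntax (or Neutron's ipsec.conf.template) to
what libreswan 3.x accepts.

Added example, not part of the original post or of Neutron.  Drops every
nat_traversal, leftnexthop and rightnexthop line and renames keylife and
lifetime to salifetime, generalising the five manual edits above.
"""
import re

DROP = {"nat_traversal", "leftnexthop", "rightnexthop"}   # gone in libreswan
RENAME = {"keylife": "salifetime", "lifetime": "salifetime"}

# indent, key, '=' with its spacing, value.  Jinja lines start with '{' and
# 'conn'/'config' lines contain no '=', so neither matches.
_SETTING = re.compile(r"^(\s*)([A-Za-z_]+)(\s*=\s*)(.*)$")


def migrate_line(line):
    """Libreswan form of one line, or None if the line must be removed."""
    m = _SETTING.match(line)
    if not m:
        return line
    indent, key, eq, value = m.groups()
    if key in DROP:
        return None
    return indent + RENAME.get(key, key) + eq + value


def migrate(text):
    """Rewrite a whole file; a trailing newline is preserved if present."""
    kept = [new for new in map(migrate_line, text.splitlines()) if new is not None]
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


def report(text):
    """Dry run: (1-based line number, action) for every line that changes."""
    changes = []
    for n, line in enumerate(text.splitlines(), 1):
        new = migrate_line(line)
        if new is None:
            changes.append((n, "drop"))
        elif new != line:
            changes.append((n, "rename to %s" % new.strip().split("=")[0]))
    return changes


# Constructed excerpt in the shape of the Neutron template (not the real file).
SAMPLE = """\
config setup
    nat_traversal=yes
conn %default
    keylife=60m
    keyingtries=%forever
{% for ipsec_site_connection in vpnservice.ipsec_site_connections %}
conn {{ipsec_site_connection.id}}
    leftnexthop=%defaultroute
    rightnexthop=%defaultroute
    ikelifetime={{ipsec_site_connection.ikepolicy.lifetime_value}}s
    lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
{% endfor %}
"""

if __name__ == "__main__":
    for n, action in report(SAMPLE):
        print("line %d: %s" % (n, action))
    print(migrate(SAMPLE))
```

report() first, then migrate() on the file contents, gives a reviewable list of line numbers before anything is overwritten; note that ikelifetime is left alone because the regex captures the whole key, only the bare lifetime key is renamed.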


3. Restart the services

systemctl enable neutron-vpn-agent
service neutron-vpn-agent start
Then restart all of the Neutron services.

 

PS

The libreswan that yum installs on CentOS 7 is version 3.8. With it, ipsec fails with: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl"). That message only says that pluto's control socket is absent, i.e. pluto itself did not come up; the actual reason is in pluto's own log (syslog/journal).

The cause is the version difference: a lot of the configuration changed in 3.8.

After testing, with 2.6.38 ipsec works without modifying the Neutron code at all; this post only covers the code changes needed when running 3.8.
