×××aas简介
×××ass是neutron的vpn服务,目前社区提供了基于openswan实现的IPsec ×××以及基于硬件实现CiscoCsrIPsec ×××
×××aas配置
yum install openstack-neutron-vpn-agent.noarch -y
yum install libreswan -y # 这里装的是libreswan包
yum install openswan -y # 如果你装的是openswan,你需要添加如下repo
[root@controller001 yum.repos.d]# cat openswan.repo
[home_mcr-x]
name=Xelerance supported Openswan (RHEL_7)
type=rpm-md
baseurl=http://download.opensuse.org/repositories/home:/mcr-x/RHEL_7/
gpgcheck=1
gpgkey=http://download.opensuse.org/repositories/home:/mcr-x/RHEL_7/repodata/repomd.xml.key
enabled=1
vim /etc/neutron/neutron.conf # 添加vpnaas模块
[DEFAULT]
service_plugins = router,vpnaas
[service_providers]
service_provider = ×××:Vpn:neutron.services.vpn.service_drivers.ipsec.IPsec×××Driver:default
vim /etc/neutron/vpn_agent.ini
[DEFAULT]
# ×××-Agent configuration file
# Note vpn-agent inherits l3-agent, so you can use configs on l3-agent also
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
[vpnagent]
vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver
[ipsec]
ipsec_status_check_interval=60
vim /etc/neutron/rootwrap.d/vpnaas.filters # 添加权限管理文件,不然运行会报权限不足
[Filters]
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
openswan: CommandFilter, ipsec, root
# dashboard启用vpn
vim /etc/openstack-dashboard/local_settings
OPENSTACK_NEUTRON_NETWORK = {
'enable_vpn': True,
}
service neutron-server restart # 重新加载neutron.conf配置文件
service neutron-vpn-agent start # 启动vpn-agent服务
# 我实验的openstack平台使用了neutron dvr模式,创建vpn service的时候报错如下:
2015-01-02 12:06:55.990 8191 ERROR neutron.agent.linux.utils [-]
Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-30e06cb3-7f2c-4f4c-b8f0-248d125c30a4', 'ip', 'route', 'get', '172.16.101.69']
Exit code: 2
Stdout: ''
Stderr: 'RTNETLINK answers: Network is unreachable\n'上了neutron dvr后,原来创建router的namespace,现在一分为二了,类似这样:
snat-30e06cb3-7f2c-4f4c-b8f0-248d125c30a4 # snat qrouter-30e06cb3-7f2c-4f4c-b8f0-248d125c30a4 # 专门floating ip用的
今天下午测试centos7 openstack juno版没有dvr的vpnaas,还是报错
Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-9b23f645-2151-4024-b3ac-d36cfb3f9ed0', 'ipsec', 'whack', '--ctlbase', '/var/lib/neutron/ipsec/9b23f645-2151-4024-b3ac-d36cfb3f9ed0/var/run/pluto', '--status'] Exit code: 1 Stdout: '' Stderr: 'whack: Pluto is not running (no "/var/lib/neutron/ipsec/9b23f645-2151-4024-b3ac-d36cfb3f9ed0/var/run/pluto.ctl")\n'
这里报错是安装libreswan包的问题,有openstack群里面的朋友安装的是openswan(版本要高点),结果就成功了,有空的时候我得测试一把。
参考链接
http://www.ibm.com/developerworks/cn/cloud/library/1311_zhanghua_openstacknetwork2/
http://blog.csdn.net/lynn_kong/article/details/16866855
https://gist.github.com/cloudnull/8851787#file-neutron-vpnaas-fwaas-lbaas-configsetup-rst
https://www.mirantis.com/blog/mirantis-openstack-express-vpn-service-vpnaas-step-step/
