Revision history
After removing all the VPNaaS objects from Horizon and recreating them from scratch with all default values except for IP addresses and pre-shared keys, I got it working:

root@stack-controller:~# neutron ipsec-site-connection-list
+--------------------------------------+------+---------------+----------------+------------+-----------+--------+
| id                                   | name | peer_address  | peer_cidrs     | route_mode | auth_mode | status |
+--------------------------------------+------+---------------+----------------+------------+-----------+--------+
| d58a0e53-138e-4996-b24d-93e0ef1ec71f | AWS  | 54.x.x.x      | "10.x.0.0/16"  | static     | psk       | ACTIVE |
+--------------------------------------+------+---------------+----------------+------------+-----------+--------+

This is the ipsec.conf file on the AWS OpenSwan server:

version 2.0
config setup
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        oe=off
        protostack=netkey
conn AWS2VPNaaS
        left=10.x.x.x                   # OpenSwan server local IP on AWS
        leftsubnets=10.x.x.x/16         # AWS VPC subnets
        leftid=54.x.x.x                 # OpenSwan server Elastic IP on AWS
        leftsourceip=10.x.x.x           # OpenSwan server local IP on AWS
        right=203.x.x.x                 # Local router with port forwarding UDP 500/4500 to the neutron router
        rightsubnets=192.168.0.0/16     # Floating IP subnets
        rightid=192.168.10.150          # neutron router Floating IP
        pfs=no
        forceencaps=yes
        authby=secret
        auto=start

Also make sure you have the following lines on /etc/ipsec.secrets:

include /var/lib/openswan/ipsec.secrets.inc
<local router external IP> <AWS Elastic IP>: PSK "<pre-shared key value>"
<neutron router IP> <AWS Elastic IP>: PSK "<pre-shared key value>"

Hopefully it'll make it easier for whoever wants to set up an OpenStack/AWS Hybrid Cloud with VPNaaS.
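As an added example (not from the original post, nor Openswan's or Neutron's own code), a small Python check that parses files laid out like the ipsec.conf and ipsec.secrets above, verifies that every PSK-authenticated conn has a secrets line for both the NAT router's public address (right) and the ID the neutron router presents (rightid), the two lines the post calls out, and flags pfs=no; the sample files and their IPs are constructed placeholders.

```python
import re
# Constructed sample in the layout of the post's files (documentation IPs, not real ones).
IPSEC_CONF = """\
config setup
        nat_traversal=yes
conn AWS2VPNaaS
 leftid=54.0.0.1    #OpenSwan server Elastic IP on AWS
 right=203.0.113.5     #Local router forwarding UDP 500/4500 to the neutron router
 rightid=192.168.10.150      #neutron router Floating IP
 pfs=no
 authby=secret
"""
IPSEC_SECRETS = """\
include /var/lib/openswan/ipsec.secrets.inc
203.0.113.5 54.0.0.1: PSK "example-psk"
192.168.10.150 54.0.0.1: PSK "example-psk"
"""

def parse_conf(text):
    """Map each 'config'/'conn' section to its key=value pairs; '#' comments are dropped."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(("config ", "conn ")):
            cur = line.split(None, 1)[1]
            sections[cur] = {}
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            sections[cur][key.strip()] = val.strip()
    return sections

def parse_secrets(text):
    """Collect the unordered ID pairs that have a PSK line in ipsec.secrets."""
    pat = re.compile(r'^\s*(\S+)\s+(\S+)\s*:\s*PSK\s+"')
    return {frozenset(m.groups()) for m in map(pat.match, text.splitlines()) if m}

def check(conf_text, secrets_text):
    """Return findings for every conn that authenticates with a pre-shared key."""
    sections, pairs, findings = parse_conf(conf_text), parse_secrets(secrets_text), []
    for name, conn in sections.items():
        if name == "setup" or conn.get("authby") != "secret":
            continue
        local_id = conn.get("leftid", conn.get("left"))
        # The post needs PSK lines for both the NAT router's public IP (right) and the ID the neutron router presents (rightid).
        for peer in sorted({conn.get("right"), conn.get("rightid")} - {None}):
            if frozenset((peer, local_id)) not in pairs:
                findings.append(f"{name}: no PSK line for {peer} <-> {local_id}")
        if conn.get("pfs") == "no":
            findings.append(f"{name}: pfs=no disables perfect forward secrecy")
    return findings
```

Run check() against the real /etc/ipsec.conf and /etc/ipsec.secrets contents to catch a missing second PSK line before the tunnel stays stuck in a non-ACTIVE state.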