How to create an IPSec tunnel using VPNaaS and port forwarding?
I'm running Icehouse on 3 Ubuntu 14.04 nodes (controller/network/compute) behind a physical router/firewall, and I'm trying to use VPNaaS to connect my local OpenStack to AWS:
Floating IP Subnet (192.168.x.x) <--> (192.168.x.x) router (203.x.x.x) <--------> (54.x.x.x AWS Elastic IP) OpenSwan (10.x.x.x) <--> AWS VPC Subnets (10.x.x.x)
I used this guide to set up OpenSwan on AWS http://rbgeek.wordpress.com/2014/04/2... and I configured my external router to forward the ports 500 UDP and 4500 TCP/UDP to the network node; however, the VPN does not come up:
root@stack-controller:~# neutron ipsec-site-connection-list
+--------------------------------------+------+---------------+----------------+------------+-----------+--------+
| id | name | peer_address | peer_cidrs | route_mode | auth_mode | status |
+--------------------------------------+------+---------------+----------------+------------+-----------+--------+
| 676eb804-d6b6-4886-8f46-a53b4ab06d61 | AWS | 54.x.x.x | "10.x.0.0/16" | static | psk | DOWN |
+--------------------------------------+------+---------------+----------------+------------+-----------+--------+
I'm having a hard time finding guides or tutorials about VPNaaS, and I'm not sure if forwarding the ports to the network node is the correct way to do it. I'm also not sure which logs to look at for troubleshooting. I found this in /var/log/neutron/vpn_agent.log:
2014-06-27 12:04:08.224 14862 ERROR neutron.services.vpn.device_drivers.ipsec [-] Failed to enable vpn process on router 5ae62a29-90f1-45ea-82f4-0b26c80ecce3
2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec raise RuntimeError(m)
2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec RuntimeError:
2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-5ae62a29-90f1-45ea-82f4-0b26c80ecce3', 'ipsec', 'pluto', '--ctlbase', '/var/lib/neutron/ipsec/5ae62a29-90f1-45ea-82f4-0b26c80ecce3/var/run/pluto', '--ipsecdir', '/var/lib/neutron/ipsec/5ae62a29-90f1-45ea-82f4-0b26c80ecce3/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/var/lib/neutron/ipsec/5ae62a29-90f1-45ea-82f4-0b26c80ecce3/etc/ipsec.secrets', '--virtual_private', '%v4:192.168.10.0/24,%v4:10.21.0.0/16']
2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec Exit code: 10
2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec Stdout: ''
2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec Stderr: 'adjusting ipsec.d to /var/lib/neutron/ipsec/5ae62a29-90f1-45ea-82f4-0b26c80ecce3/etc\npluto: lock file "/var/lib/neutron/ipsec/5ae62a29-90f1-45ea-82f4-0b26c80ecce3/var/run/pluto.pid" already exists\n'
2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec
Does anyone have any experience with this kind of setup?
++++++++++++++++++++++++++++++++++++++++++++++++
EDIT: Made some progress. Now I can establish Phase 1, but Phase 2 is not playing ball (192.168.10.150 is the neutron router where VPNaaS is running):
16:30:36.130221 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I ident
16:30:36.130259 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I ident
16:30:36.130899 IP 192.168.10.150.isakmp > ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp: isakmp: phase 1 R ident
16:30:36.130911 IP 192.168.10.150.isakmp > ec2-54-x-x-x.us-west-2.compute.amazonaws.com ...
Don't use comments for anything other than brief "comments". Update the question to add more details as you go and make it a clear question. Read https://ask.openstack.org/en/faq and get familiar with how to use this site.
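The vpn_agent.log trace in the question says pluto refused to start because its lock file (`.../var/run/pluto.pid` under the per-router ipsec directory) already exists. Whether that lock is real (a pluto is genuinely running for that qrouter namespace) or stale (the process died and left the pid file behind) decides what to do next, so the following is an added diagnostic helper, not code from the question or from Neutron: it extracts the lock file paths pluto complained about from an agent log and checks whether the PID each one holds still belongs to a live process. The embedded log lines are the question's own trace, reproduced here as a constructed sample so the script runs offline; the `SAMPLE_LOG` temp file stands in for `/var/log/neutron/vpn_agent.log` on a real network node.

```shell
#!/bin/sh
# Added diagnostic helper (not from the question, not part of Neutron or
# Openswan): find the pluto lock files a vpn_agent.log complains about and
# say whether the PID inside each one is still alive.

# Constructed sample input: the two relevant lines from the question's trace,
# embedded so the script runs with no real Neutron installation.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2014-06-27 12:04:08.224 14862 ERROR neutron.services.vpn.device_drivers.ipsec [-] Failed to enable vpn process on router 5ae62a29-90f1-45ea-82f4-0b26c80ecce3
2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec Stderr: 'adjusting ipsec.d to /var/lib/neutron/ipsec/5ae62a29-90f1-45ea-82f4-0b26c80ecce3/etc\npluto: lock file "/var/lib/neutron/ipsec/5ae62a29-90f1-45ea-82f4-0b26c80ecce3/var/run/pluto.pid" already exists\n'
EOF

# Print every lock file path that pluto reported as "already exists",
# one per line. Argument: path to a vpn_agent.log.
stale_lock_candidates() {
    grep -o 'lock file "[^"]*" already exists' "$1" \
        | sed 's/^lock file "//; s/" already exists$//'
}

# Exit 0 if the PID stored in the pid file $1 is a running process,
# non-zero if the file is unreadable, holds no number, or the process is gone
# (i.e. the lock is stale).
lock_is_live() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(tr -cd '0-9' < "$pidfile")
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# Report on each lock the sample log mentions. On a real node the pid file
# usually does not exist on the controller, so "STALE" here means "no live
# process found from this shell"; run it on the network node that hosts the
# qrouter namespace for an answer that counts.
for lock in $(stale_lock_candidates "$SAMPLE_LOG"); do
    if lock_is_live "$lock"; then
        echo "LIVE  $lock  (a pluto is really running; look for a duplicate agent or a previous pluto for this router)"
    else
        echo "STALE $lock  (no such process; the leftover pid file is what blocks pluto from starting)"
    fi
done
rm -f "$SAMPLE_LOG"
```

Run it as-is to see the classification for the question's trace, or replace `SAMPLE_LOG` with the real agent log on the network node. The PID check has to run on the node where the qrouter namespace lives, because `kill -0` only sees processes visible from the host where it runs.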