
How to create an IPSec tunnel using VPNaaS and port forwarding?

asked 2014-06-26 21:19:21 -0500

ed

updated 2014-06-29 21:42:50 -0500

I'm running Icehouse on 3x ubuntu 14.04 nodes (controller/network/compute) behind a physical router/firewall and I'm trying to use VPNaaS to connect my local Openstack to AWS:

Floating IP Subnet (192.168.x.x) <--> (192.168.x.x) router (203.x.x.x) <--------> (54.x.x.x AWS Elastic IP) OpenSwan (10.x.x.x) <--> AWS VPC Subnets (10.x.x.x)

I used this guide to set up OpenSwan on AWS and I configured my external router to forward the ports 500 UDP and 4500 TCP/UDP to the network node; however, the VPN does not come up:

root@stack-controller:~# neutron ipsec-site-connection-list
| id                                   | name | peer_address  | peer_cidrs     | route_mode | auth_mode | status |
| 676eb804-d6b6-4886-8f46-a53b4ab06d61 | AWS  | 54.x.x.x | "10.x.0.0/16" | static     | psk       | DOWN   |

I'm having a hard time finding guides or tutorials about VPNaaS and I'm not sure if forwarding the ports to the network node is the correct way to do it. I'm also not sure what logs to look at for troubleshooting. I found this in /var/log/neutron/vpn_agent.log:

2014-06-27 12:04:08.224 14862 ERROR [-] Failed to enable vpn process on router 5ae62a29-90f1-45ea-82f4-0b26c80ecce3
2014-06-27 12:04:08.224 14862 TRACE     raise RuntimeError(m)
2014-06-27 12:04:08.224 14862 TRACE RuntimeError:
2014-06-27 12:04:08.224 14862 TRACE Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-5ae62a29-90f1-45ea-82f4-0b26c80ecce3', 'ipsec', 'pluto', '--ctlbase', '/var/lib/neutron/ipsec/5ae62a29-90f1-45ea-82f4-0b26c80ecce3/var/run/pluto', '--ipsecdir', '/var/lib/neutron/ipsec/5ae62a29-90f1-45ea-82f4-0b26c80ecce3/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/var/lib/neutron/ipsec/5ae62a29-90f1-45ea-82f4-0b26c80ecce3/etc/ipsec.secrets', '--virtual_private', '%v4:,%v4:']
2014-06-27 12:04:08.224 14862 TRACE Exit code: 10
2014-06-27 12:04:08.224 14862 TRACE Stdout: ''
2014-06-27 12:04:08.224 14862 TRACE Stderr: 'adjusting ipsec.d to /var/lib/neutron/ipsec/5ae62a29-90f1-45ea-82f4-0b26c80ecce3/etc\npluto: lock file "/var/lib/neutron/ipsec/5ae62a29-90f1-45ea-82f4-0b26c80ecce3/var/run/" already exists\n'
2014-06-27 12:04:08.224 14862 TRACE

Does anyone have any experience with this kind of setup?


EDIT: Made some progress. Now I can establish Phase 1; however, Phase 2 is not playing ball ( is the neutron router where VPNaaS is running):

16:30:36.130221 IP > isakmp: phase 1 I ident
16:30:36.130259 IP > isakmp: phase 1 I ident
16:30:36.130899 IP > isakmp: phase 1 R ident
16:30:36.130911 IP > ...


Don't use comments if not for brief "comments". Update the question to add more details as you go and make it a clear question. Read and get familiar with how to use this site.

smaffulli (2014-06-27 15:58:04 -0500)

1 answer


answered 2014-06-29 21:31:40 -0500

ed

updated 2014-06-29 21:41:16 -0500

After removing all the VPNaaS objects from Horizon and recreating them from scratch with all default values except for IP addresses and pre-shared keys, I got it working:

root@stack-controller:~# neutron ipsec-site-connection-list
| id                                   | name | peer_address  | peer_cidrs     | route_mode | auth_mode | status |
| d58a0e53-138e-4996-b24d-93e0ef1ec71f | AWS  | 54.x.x.x      | "10.x.0.0/16"  | static     | psk       | ACTIVE |

This is the ipsec.conf file on the AWS OpenSwan server:

version 2.0
config setup
conn AWS2VPNaaS
 left=10.x.x.x              # OpenSwan server local IP on AWS
 leftsubnets=10.x.x.x/16    # AWS VPC subnets
 leftid=54.x.x.x            # OpenSwan server Elastic IP on AWS
 leftsourceip=10.x.x.x      # OpenSwan server local IP on AWS
 right=203.x.x.x            # Local router with port forwarding UDP 500/4500 to neutron router
 rightsubnets=              # Floating IP subnets
 rightid=                   # neutron router Floating IP

Also make sure you have the following lines in /etc/ipsec.secrets:

include /var/lib/openswan/
<local router external IP> <AWS Elastic IP>: PSK "<pre-shared key value>"
<neutron router IP> <AWS Elastic IP>: PSK "<pre-shared key value>"

Hopefully it'll make it easier for whoever wants to set up an OpenStack/AWS Hybrid Cloud with VPNaaS.

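Added example, not part of the answer above or of OpenSwan/Neutron: a small Python checker that applies the answer's rule that each conn needs a PSK line in ipsec.secrets for both the NAT router's external IP (right) and the neutron router's IP (rightid), each paired with leftid. The config and secrets embedded below are constructed with RFC 5737 documentation addresses and a made-up PSK, not the poster's values; parse_conns, parse_secrets and check_conn are names chosen here.

```python
import re
# Constructed sample (RFC 5737 addresses, not the poster's): the answer's ipsec.conf.
IPSEC_CONF = """\
config setup
conn AWS2VPNaaS
 left=10.0.1.10           # OpenSwan server local IP on AWS
 leftsubnets=10.0.0.0/16  # AWS VPC subnets
 leftid=198.51.100.20     # OpenSwan server Elastic IP
 right=203.0.113.5        # local router forwarding UDP 500/4500
 rightsubnets=192.168.100.0/24
 rightid=192.168.100.2    # neutron router floating IP behind the NAT
"""
# Constructed ipsec.secrets: the two lines the answer says must both be present.
IPSEC_SECRETS = """\
203.0.113.5 198.51.100.20: PSK "constructed-example-psk-1234567890"
192.168.100.2 198.51.100.20: PSK "constructed-example-psk-1234567890"
"""
SECRET_RE = re.compile(r'^(?P<ids>[^:]+):\s*PSK\s+"(?P<psk>[^"]*)"')

def parse_conns(text):
    """Map conn name -> {key: value}; '#' comments and other sections are skipped."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # an unindented line starts a section
            kind, _, name = line.partition(" ")
            cur = conns.setdefault(name, {}) if kind == "conn" else None
        elif cur is not None and "=" in line:
            k, v = line.strip().split("=", 1)
            cur[k.strip()] = v.strip()
    return conns

def parse_secrets(text):
    """Map the pair of IDs on each PSK line (IPv4 IDs only) -> the shared secret."""
    matches = (SECRET_RE.match(ln.strip()) for ln in text.splitlines())
    return {frozenset(m.group("ids").split()): m.group("psk") for m in matches if m}

def check_conn(conn, secrets, min_psk_len=20):
    """Require a PSK line for both right (NAT router) and rightid (neutron router)."""
    findings, left_id = [], conn.get("leftid", conn.get("left"))
    for key in ("right", "rightid"):
        peer = conn.get(key, "")
        psk = secrets.get(frozenset({peer, left_id}))
        if not peer or psk is None:
            findings.append(f"no PSK for {key}={peer!r} with leftid {left_id}")
        elif len(psk) < min_psk_len:
            findings.append(f"PSK for {peer} shorter than {min_psk_len} chars")
    return findings
```

Running check_conn against the real files on the OpenSwan host before bringing the tunnel up catches the missing second line that a DOWN status and a bare "phase 1 I ident" capture do not point at.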


Hi, can you provide any documentation about openstack/aws hybrid cloud? Thanks!

raniaadouni (2018-09-02 11:39:22 -0500)


Asked: 2014-06-26 21:19:21 -0500

Seen: 2,725 times

Last updated: Jun 29 '14