How to create an IPSec tunnel using VPNaaS and port forwarding?

asked 2014-06-26 21:19:21 -0600 by ed

updated 2014-06-29 21:42:50 -0600

I'm running Icehouse on 3x ubuntu 14.04 nodes (controller/network/compute) behind a physical router/firewall and I'm trying to use VPNaaS to connect my local Openstack to AWS:

Floating IP Subnet (192.168.x.x) <--> (192.168.x.x) router (203.x.x.x) <--------> (54.x.x.x AWS Elastic IP) OpenSwan (10.x.x.x) <--> AWS VPC Subnets (10.x.x.x)

I used this guide to set up OpenSwan on AWS http://rbgeek.wordpress.com/2014/04/2... and I configured my external router to forward the ports 500 UDP and 4500 TCP/UDP to the network node; however, the VPN does not come up:

root@stack-controller:~# neutron ipsec-site-connection-list
+--------------------------------------+------+---------------+----------------+------------+-----------+--------+
| id                                   | name | peer_address  | peer_cidrs     | route_mode | auth_mode | status |
+--------------------------------------+------+---------------+----------------+------------+-----------+--------+
| 676eb804-d6b6-4886-8f46-a53b4ab06d61 | AWS  | 54.x.x.x | "10.x.0.0/16" | static     | psk       | DOWN   |
+--------------------------------------+------+---------------+----------------+------------+-----------+--------+

I'm having a hard time finding guides or tutorials about VPNaaS and I'm not sure if forwarding the ports to the network node is the correct way to do it. I'm also not sure what logs to look at for troubleshooting. I found this in /var/log/neutron/vpn_agent.log:

2014-06-27 12:04:08.224 14862 ERROR neutron.services.vpn.device_drivers.ipsec [-] Failed to enable vpn process on router 5ae62a29-90f1-45ea-82f4-0b26c80ecce3
2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec     raise RuntimeError(m)
2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec RuntimeError:
2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-5ae62a29-90f1-45ea-82f4-0b26c80ecce3', 'ipsec', 'pluto', '--ctlbase', '/var/lib/neutron/ipsec/5ae62a29-90f1-45ea-82f4-0b26c80ecce3/var/run/pluto', '--ipsecdir', '/var/lib/neutron/ipsec/5ae62a29-90f1-45ea-82f4-0b26c80ecce3/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/var/lib/neutron/ipsec/5ae62a29-90f1-45ea-82f4-0b26c80ecce3/etc/ipsec.secrets', '--virtual_private', '%v4:192.168.10.0/24,%v4:10.21.0.0/16']
2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec Exit code: 10
2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec Stdout: ''
2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec Stderr: 'adjusting ipsec.d to /var/lib/neutron/ipsec/5ae62a29-90f1-45ea-82f4-0b26c80ecce3/etc\npluto: lock file "/var/lib/neutron/ipsec/5ae62a29-90f1-45ea-82f4-0b26c80ecce3/var/run/pluto.pid" already exists\n'
2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec

Does anyone have any experience with this kind of setup?

++++++++++++++++++++++++++++++++++++++++++++++++

EDIT: Made some progress. Now I can establish Phase 1 however Phase 2 is not playing ball (192.168.10.150 is the neutron router where VPNaaS is running):

16:30:36.130221 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I ident
16:30:36.130259 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I ident
16:30:36.130899 IP 192.168.10.150.isakmp > ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp: isakmp: phase 1 R ident
16:30:36.130911 IP 192.168.10.150.isakmp > ec2-54-x-x-x.us-west-2.compute.amazonaws.com ...
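
The vpn_agent.log excerpt above is the first place to look, and its ERROR/TRACE block carries everything needed to reproduce the failed pluto launch: the router id, the exact rootwrap command, the exit code and pluto's stderr. The following is an added example, not code from the question or from neutron: it parses that block layout into a record and classifies the "lock file ... already exists" case so the stale pluto.pid path is reported directly. SAMPLE_LOG is constructed from the lines in the question; the router id and paths are the ones shown there.

```python
"""Pull structured failure records out of neutron's vpn_agent.log.

Added example (not neutron code). Assumes the Icehouse vpn agent's
ERROR/TRACE line layout shown in the question: one ERROR line naming the
router, followed by TRACE lines carrying Command:, Exit code:, Stdout:
and Stderr: in Python repr form.
"""
import ast
import re
from dataclasses import dataclass, field
from typing import List, Optional

PREFIX = r"neutron\.services\.vpn\.device_drivers\.ipsec"
ERROR_RE = re.compile(r"ERROR " + PREFIX +
                      r" \[-\] Failed to enable vpn process on router (?P<router>[0-9a-f-]{36})")
TRACE_RE = re.compile(r"TRACE " + PREFIX + r" ?(?P<rest>.*)$")

ROUTER = "5ae62a29-90f1-45ea-82f4-0b26c80ecce3"      # router id from the question
IPSEC_DIR = "/var/lib/neutron/ipsec/" + ROUTER       # per-router pluto directory

# Constructed sample, shaped like the trace in the question.
SAMPLE_LOG = [
    f"2014-06-27 12:04:08.224 14862 ERROR neutron.services.vpn.device_drivers.ipsec [-] Failed to enable vpn process on router {ROUTER}",
    "2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec     raise RuntimeError(m)",
    "2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec RuntimeError:",
    "2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', "
    f"'qrouter-{ROUTER}', 'ipsec', 'pluto', '--ctlbase', '{IPSEC_DIR}/var/run/pluto', '--ipsecdir', '{IPSEC_DIR}/etc', '--use-netkey', '--uniqueids', '--nat_traversal', "
    f"'--secretsfile', '{IPSEC_DIR}/etc/ipsec.secrets', '--virtual_private', '%v4:192.168.10.0/24,%v4:10.21.0.0/16']",
    "2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec Exit code: 10",
    "2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec Stdout: ''",
    f"2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec Stderr: 'adjusting ipsec.d to {IPSEC_DIR}/etc\\npluto: lock file \"{IPSEC_DIR}/var/run/pluto.pid\" already exists\\n'",
    "2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec",
]


@dataclass
class PlutoFailure:
    router_id: str
    command: List[str] = field(default_factory=list)
    exit_code: Optional[int] = None
    stderr: str = ""
    diagnosis: str = "unknown"


def diagnose(stderr: str) -> str:
    """Map pluto's stderr to an actionable cause; extend as new patterns are seen."""
    m = re.search(r'lock file "([^"]+)" already exists', stderr)
    if m:
        return "stale-lock:" + m.group(1)   # path of the leftover pid file
    return "unknown"


def parse_vpn_agent_log(lines) -> List[PlutoFailure]:
    """Group each 'Failed to enable vpn process' ERROR with its TRACE lines."""
    failures: List[PlutoFailure] = []
    current: Optional[PlutoFailure] = None
    for line in lines:
        em = ERROR_RE.search(line)
        if em:
            current = PlutoFailure(router_id=em.group("router"))
            failures.append(current)
            continue
        tm = TRACE_RE.search(line)
        if current is None or tm is None:
            continue
        rest = tm.group("rest")
        # The agent logs Command/Stderr as Python reprs, so literal_eval is safe here.
        if rest.startswith("Command: "):
            current.command = ast.literal_eval(rest[len("Command: "):])
        elif rest.startswith("Exit code: "):
            current.exit_code = int(rest[len("Exit code: "):])
        elif rest.startswith("Stderr: "):
            current.stderr = ast.literal_eval(rest[len("Stderr: "):])
            current.diagnosis = diagnose(current.stderr)
    return failures


def netns_of(failure: PlutoFailure) -> Optional[str]:
    """The qrouter namespace the failed pluto was launched in, or None."""
    for i, arg in enumerate(failure.command):
        if arg == "exec" and i + 1 < len(failure.command):
            return failure.command[i + 1]
    return None


if __name__ == "__main__":
    for f in parse_vpn_agent_log(SAMPLE_LOG):
        print(f"router {f.router_id} netns {netns_of(f)} exit {f.exit_code}: {f.diagnosis}")
```

A `stale-lock:` diagnosis names the pid file pluto refused to start over. Before clearing it, confirm from the reported qrouter namespace whether a pluto from an earlier run is actually still alive there; a pid file left behind by a crashed or killed pluto is the usual cause, and the agent retries the launch once it is gone.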

Comments

Don't use comments if not for brief "comments". Update the question to add more details as you go and make it a clear question. Read https://ask.openstack.org/en/faq and get familiar with how to use this site.

smaffulli ( 2014-06-27 15:58:04 -0600 )

1 answer


answered 2014-06-29 21:31:40 -0600 by ed

updated 2014-06-29 21:41:16 -0600

After removing all the VPNaaS objects from Horizon and recreating them from scratch with all default values except for IP addresses and pre-shared keys, I got it working:

root@stack-controller:~# neutron ipsec-site-connection-list
+--------------------------------------+------+---------------+----------------+------------+-----------+--------+
| id                                   | name | peer_address  | peer_cidrs     | route_mode | auth_mode | status |
+--------------------------------------+------+---------------+----------------+------------+-----------+--------+
| d58a0e53-138e-4996-b24d-93e0ef1ec71f | AWS  | 54.x.x.x      | "10.x.0.0/16"  | static     | psk       | ACTIVE |
+--------------------------------------+------+---------------+----------------+------------+-----------+--------+

This is the ipsec.conf file on the AWS OpenSwan server:

version 2.0
config setup
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        oe=off
        protostack=netkey
conn AWS2VPNaaS
        left=10.x.x.x               # OpenSwan server local IP on AWS
        leftsubnets=10.x.x.x/16     # AWS VPC Subnets
        leftid=54.x.x.x             # OpenSwan server Elastic IP on AWS
        leftsourceip=10.x.x.x       # OpenSwan server local IP on AWS
        right=203.x.x.x             # Local router with port forwarding UDP 500/4500 to neutron router
        rightsubnets=192.168.0.0/16 # Floating IP subnets
        rightid=192.168.10.150      # neutron router Floating IP
        pfs=no
        forceencaps=yes
        authby=secret
        auto=start

Also make sure you have the following lines in /etc/ipsec.secrets:

include /var/lib/openswan/ipsec.secrets.inc
<local router external IP> <AWS Elastic IP>: PSK "<pre-shared key value>"
<neutron router IP> <AWS Elastic IP>: PSK "<pre-shared key value>"

Hopefully it'll make it easier for whoever wants to set up an OpenStack/AWS Hybrid Cloud with VPNaaS.

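
The ipsec.conf above works because of a few settings that have to agree with each other once a port-forwarding router sits in front of the neutron router: rightid is the floating IP while right is the router's public address, so Openswan treats the peer as NATed, needs nat_traversal=yes, has to find the peer's subnets in virtual_private, and forceencaps=yes keeps ESP inside UDP 4500 (a UDP port forward for 500/4500 does not carry raw ESP). The following is an added example, not code from the answer or from Openswan: a small parser for this ipsec.conf layout plus a checker for exactly those conditions. It generalises slightly beyond the answer by treating a left/leftid mismatch (the Elastic IP in front of the AWS instance) as NAT too, and by flagging overlapping left/right subnets. The sample config is constructed; 10.0.1.10, 54.0.2.20 and 203.0.113.5 stand in for the x-ed out addresses on the page.

```python
"""Sanity-check an Openswan ipsec.conf for a peer behind a port-forwarding router.

Added example, not Openswan or neutron code. Parses the 'config setup' /
'conn NAME' layout (parameter lines indented, '#' comments allowed) and
reports settings that break NAT traversal for the setup in the answer.
"""
import ipaddress
from typing import Dict, List

# Constructed sample in the shape of the answer's ipsec.conf.
SAMPLE_IPSEC_CONF = """\
version 2.0
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8
        protostack=netkey
conn AWS2VPNaaS
 left=10.0.1.10          # constructed: OpenSwan server's VPC-private IP
 leftsubnets=10.0.0.0/16
 leftid=54.0.2.20        # constructed: its Elastic IP
 right=203.0.113.5       # constructed: on-prem router forwarding UDP 500/4500
 rightsubnets=192.168.0.0/16
 rightid=192.168.10.150  # neutron router floating IP behind that router
 pfs=no
 forceencaps=yes
 authby=secret
 auto=start
"""


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {'config setup': {...}, 'conn NAME': {...}}; '#' comments are dropped."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented: section header or 'version'
            words = line.split()
            if words[0] == "config":
                current = "config setup"
            elif words[0] == "conn" and len(words) > 1:
                current = "conn " + words[1]
            else:
                current = None
            if current:
                sections.setdefault(current, {})
            continue
        if current and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def _nets(csv: str):
    return [ipaddress.ip_network(c.strip(), strict=False) for c in csv.split(",") if c.strip()]


def check_nat_traversal(sections, conn_name: str) -> List[str]:
    """List the problems that would keep a NATed peer from bringing the tunnel up."""
    setup = sections.get("config setup", {})
    conn = sections.get("conn " + conn_name)
    if conn is None:
        return [f"no section 'conn {conn_name}'"]
    problems: List[str] = []
    left_nated = bool(conn.get("left") and conn.get("leftid") and conn["left"] != conn["leftid"])
    right_nated = bool(conn.get("right") and conn.get("rightid") and conn["right"] != conn["rightid"])
    if left_nated or right_nated:
        if setup.get("nat_traversal") != "yes":
            problems.append("an endpoint id differs from its address (NAT in the path) "
                            "but config setup lacks nat_traversal=yes")
        if conn.get("forceencaps") != "yes":
            problems.append("NAT in the path but forceencaps=yes is missing: a UDP port forward "
                            "for 500/4500 does not carry raw ESP, so keep ESP inside UDP 4500")
    # Openswan only accepts a NATed peer's private subnets if virtual_private lists them.
    vp = [ipaddress.ip_network(e[4:], strict=False)
          for e in setup.get("virtual_private", "").split(",")
          if e.startswith("%v4:") and not e.startswith("%v4:!")]
    right_nets = _nets(conn.get("rightsubnets", conn.get("rightsubnet", "")))
    left_nets = _nets(conn.get("leftsubnets", conn.get("leftsubnet", "")))
    if right_nated:
        for net in right_nets:
            if not any(net.version == v.version and net.subnet_of(v) for v in vp):
                problems.append(f"rightsubnets {net} is not covered by virtual_private")
    for lnet in left_nets:
        for rnet in right_nets:
            if lnet.version == rnet.version and lnet.overlaps(rnet):
                problems.append(f"leftsubnets {lnet} and rightsubnets {rnet} overlap; "
                                "traffic cannot be routed into the tunnel")
    return problems


def check_config_text(text: str, conn_name: str) -> List[str]:
    return check_nat_traversal(parse_ipsec_conf(text), conn_name)


if __name__ == "__main__":
    for p in check_config_text(SAMPLE_IPSEC_CONF, "AWS2VPNaaS") or ["OK: no problems found"]:
        print(p)
```

Run it against the real /etc/ipsec.conf on the OpenSwan side before touching the neutron objects: an empty result means the NAT-related settings are consistent and the remaining suspects are the port forwards, the PSK lines in ipsec.secrets, and the VPNaaS policies themselves.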

Comments

Hi, can you provide any documentation about openstack/aws hybrid cloud? Thanks

raniaadouni ( 2018-09-02 11:39:22 -0600 )
