5

How to set up neutron vpn service (VPNaaS)?

asked 2013-10-23 22:35:58 -0500

dasp

updated 2013-10-23 22:37:20 -0500

I was wondering where I can find documentation on the new Neutron VPN service.

In cloud-archive package (official) repositories, there is support for VPN in Horizon and a package called neutron-plugin-vpn-agent exists.

However, I wasn't able to find any documentation on where to install the package (network or compute nodes?) and how to configure it.

The only documentation I managed to find ( https://wiki.openstack.org/wiki/Neutron/VPNaaS/HowToInstall ) applies to CloudStack and looks quite outdated. I am interested in setting up VPNaaS using packages only.


Comments

I followed the wiki a while ago and installed an all-in-one devstack. Then created a couple of routers uplinked to the same external network and made a vpn between them. So my advice is to install devstack, get it working, see what the config files look like, then try from the packages.

darragh-oreilly ( 2013-10-24 10:31:09 -0500 )

5 answers

1

answered 2014-02-10 16:23:57 -0500

bishnoink

updated 2014-02-10 16:25:56 -0500

I got this working on my setup. I made the following changes:

installed: openswan_2.6.37-1_amd64.deb

added the following in "/etc/neutron/neutron.conf":

service_plugins = neutron.services.vpn.plugin.VPNDriverPlugin
service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default

created: /etc/neutron/rootwrap.d/vpnaas.filters

# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user

# format seems to be
# cmd-name: filter-name, raw-command, user, args

[Filters]

ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
openswan: CommandFilter, ipsec, root

File /etc/neutron/vpn_agent.ini:

[DEFAULT]
# VPN-Agent configuration file
# Note vpn-agent inherits l3-agent, so you can use configs on l3-agent also
interface_driver =neutron.agent.linux.interface.OVSInterfaceDriver

[vpnagent]
#vpn device drivers which vpn agent will use
#If we want to use multiple drivers,  we need to define this option multiple times.
vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver
#vpn_device_driver=another_driver

[ipsec]
#Status check interval
#ipsec_status_check_interval=60

Comments

Hi. Have you managed to enable VPN in HAVANA?

Madox ( 2014-12-03 05:47:40 -0500 )
0

answered 2014-01-20 04:39:46 -0500

Bada

Hello,

I have the same error and can't find any good documentation. Any help?

Thanks

0

answered 2014-06-26 00:52:32 -0500

ed

Check this out, I got it working and posted it here: https://ask.openstack.org/en/question...

There are 2 links on the thread, I followed the configs and now all services are up and running and showing at the Dashboard.

Now I'm trying to use VPNaaS to connect to an OpenSwan box running on an Ubuntu instance at AWS via IPSec; however, I'm having a hard time finding any guides.

0

answered 2013-10-24 05:14:46 -0500

updated 2013-11-13 12:09:15 -0500

I've only found this: http://blog.csdn.net/quqi99/article/details/9734251. It describes how to configure ipsec. After that I installed the package openstack-neutron-vpn-agent.

[root@tn1 share]# cat /etc/neutron/vpn_agent.ini 
[DEFAULT]
# VPN-Agent configuration file
# Note vpn-agent inherits l3-agent, so you can use configs on l3-agent also
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
[vpnagent]
#vpn device drivers which vpn agent will use
#If we want to use multiple drivers,  we need to define this option multiple times.
#vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver
#vpn_device_driver=another_driver

[ipsec]
#Status check interval
#ipsec_status_check_interval=60

The service started, but I got an error in /var/log/neutron/vpn-agent.log:

2013-10-24 14:12:12.133 29314 ERROR neutron.agent.l3_agent [-] Failed synchronizing routers
2013-10-24 14:12:12.133 29314 TRACE neutron.agent.l3_agent Traceback (most recent call last):
2013-10-24 14:12:12.133 29314 TRACE neutron.agent.l3_agent   File "/usr/lib/python2.6/site-packages/neutron/agent/l3_agent.py", line 753, in _sync_routers_task
2013-10-24 14:12:12.133 29314 TRACE neutron.agent.l3_agent     self._process_routers(routers, all_routers=True)
2013-10-24 14:12:12.133 29314 TRACE neutron.agent.l3_agent   File "/usr/lib/python2.6/site-packages/neutron/services/vpn/agent.py", line 143, in _process_routers
2013-10-24 14:12:12.133 29314 TRACE neutron.agent.l3_agent     device.sync(self.context, routers)
2013-10-24 14:12:12.133 29314 TRACE neutron.agent.l3_agent   File "/usr/lib/python2.6/site-packages/neutron/openstack/common/lockutils.py", line 247, in inner
2013-10-24 14:12:12.133 29314 TRACE neutron.agent.l3_agent     retval = f(*args, **kwargs)
2013-10-24 14:12:12.133 29314 TRACE neutron.agent.l3_agent   File "/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py", line 652, in sync
2013-10-24 14:12:12.133 29314 TRACE neutron.agent.l3_agent     context, self.host)
2013-10-24 14:12:12.133 29314 TRACE neutron.agent.l3_agent   File "/usr/lib/python2.6/site-packages/neutron/services/vpn/device_drivers/ipsec.py", line 453, in get_vpn_services_on_host
2013-10-24 14:12:12.133 29314 TRACE neutron.agent.l3_agent     topic=self.topic)
2013-10-24 14:12:12.133 29314 TRACE neutron.agent.l3_agent   File "/usr/lib/python2.6/site-packages/neutron/openstack/common/rpc/proxy.py", line 130, in call
2013-10-24 14:12:12.133 29314 TRACE neutron.agent.l3_agent     exc.info, real_topic, msg.get('method'))
2013-10-24 14:12:12.133 29314 TRACE neutron.agent.l3_agent Timeout: Timeout while waiting on RPC response - topic: "ipsec_driver", RPC method: "get_vpn_services_on_host" info: "<unknown>"
2013-10-24 14:12:12.133 29314 TRACE neutron.agent.l3_agent

Comments

This is exactly the same problem I am having, that's why I think something is missing here.

dasp ( 2013-10-24 08:16:20 -0500 )

One more vote for this problem. I'm using RDO - Havana distro. And exactly the same error: get_vpn_services_on_host. What is the problem? According to this: https://bugs.launchpad.net/neutron/+bug/1228005 it's possible to set up the VPNaaS with some troubles. Can somebody help here with some comments?

gatuus ( 2013-11-13 12:02:26 -0500 )

I've also hit the same "Timeout while waiting on RPC response - topic: "ipsec_driver", RPC method: "get_vpn_services_on_host" info: "<unknown>"" issue. I've got a setup with separate controller and network nodes and this comes up in the network node vpn_agent.log.

Jukka ( 2013-12-01 03:38:26 -0500 )

VPN agent can work only with ML2 core plugin. If you use any other core plugin you will get this error.

Just in case someone is still interested in this subject.

surabujin ( 2014-10-01 15:29:01 -0500 )

Hi. Did you manage to get the VPN running in HAVANA?

Madox ( 2014-12-02 12:17:10 -0500 )
0

answered 2013-10-31 10:16:35 -0500

Hello all, I also have trouble with VPNaaS in Havana: the status stays in the "Pending Create" state!

But FYI, I have something in my /etc/neutron/vpn_agent.ini that you didn't put, which is the line:

vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver

Also you have to add in /etc/neutron/neutron.conf (on your controller node if you are not in All in One): service_plugins = neutron.services.vpn.plugin.VPNPlugin

Well, if someone manages to start the VPN connection, please post here ;-)


Comments

I found this: http://www.sebastien-han.fr/blog/2012/06/20/setup-cloud-pipe-vpn-in-openstack/ It's a bit old, but is about cloudpipe, which is mentioned in the nova configuration reference.

dasp ( 2013-10-31 10:49:09 -0500 )

Thanks, yes it's a bit old =) I'm sure vpnaas (site to site) could work fine, I just don't find the source of this issue!! "Failed synchronizing routers"

osnrgynm ( 2013-10-31 10:58:18 -0500 )

Same situation, neutron vpn-service create stuck on pending create at IceHouse, any solution for this :(

adhi ( 2014-12-09 22:15:55 -0500 )
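
Added example (not part of any post in this thread and not OpenStack project code): a consistency check over the three files the answers discuss, flagging a missing VPN entry in service_plugins, a vpn_device_driver line that is absent or commented out, and a vpnaas.filters file without a root filter for ipsec. The function name check_vpnaas and the sample strings are constructed here, and the check assumes service_plugins sits under [DEFAULT]; it compares against the settings posted above and does not diagnose the RPC timeout.

```python
import configparser

# Class paths as posted in this thread's answers (Havana-era).
VPN_PLUGINS = {"neutron.services.vpn.plugin.VPNDriverPlugin",
               "neutron.services.vpn.plugin.VPNPlugin"}

def _parse(text):
    # strict=False: vpn_device_driver may legitimately appear more than once
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp

def check_vpnaas(neutron_conf, vpn_agent_ini, rootwrap_filters):
    """Return findings; an empty list matches the working setup in the thread."""
    conf, agent, filt = (_parse(t) for t in
                         (neutron_conf, vpn_agent_ini, rootwrap_filters))
    findings = []
    # Assumption: service_plugins is read from the [DEFAULT] section.
    plugins = {p.strip() for p in
               conf.get("DEFAULT", "service_plugins", fallback="").split(",")}
    if not plugins & VPN_PLUGINS:
        findings.append("neutron.conf: service_plugins has no VPN plugin")
    # A '#'-prefixed line is a comment, so a commented driver counts as unset.
    if not agent.get("vpnagent", "vpn_device_driver", fallback="").strip():
        findings.append("vpn_agent.ini: vpn_device_driver is not set")
    rules = filt.items("Filters") if filt.has_section("Filters") else []
    fields = [[f.strip() for f in value.split(",")] for _, value in rules]
    if not any(f[:3] == ["CommandFilter", "ipsec", "root"] for f in fields):
        findings.append("vpnaas.filters: no root CommandFilter for ipsec")
    return findings

# Constructed inputs, trimmed from the files quoted in the answers.
NEUTRON_CONF = ("[DEFAULT]\n"
                "service_plugins = neutron.services.vpn.plugin.VPNDriverPlugin\n")
FILTERS = ("[Filters]\nip: IpFilter, ip, root\n"
           "openswan: CommandFilter, ipsec, root\n")
_DRIVER = "vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver\n"
AGENT_SET = "[vpnagent]\n" + _DRIVER
AGENT_COMMENTED = "[vpnagent]\n#" + _DRIVER

if __name__ == "__main__":
    for name, agent in (("driver set", AGENT_SET),
                        ("driver commented", AGENT_COMMENTED)):
        print(name, "->", check_vpnaas(NEUTRON_CONF, agent, FILTERS) or "ok")
```
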


3 followers

Stats

Asked: 2013-10-23 22:35:58 -0500

Seen: 8,561 times

Last updated: Jun 26 '14