How to create an IPSec tunnel using VPNaaS and port forwarding?

I'm running Icehouse on three Ubuntu 14.04 nodes (controller/network/compute) behind a physical router/firewall, and I'm trying to use VPNaaS to connect my local OpenStack to AWS:

Floating IP Subnet (192.168.x.x)  <--> (192.168.x.x) router (203.x.x.x)<-------->(54.x.x.x AWS Elastic IP)OpenSwan(10.x.x.x) <--> AWS VPC Subnets (10.x.x.x)

I used this guide to set up OpenSwan on AWS http://rbgeek.wordpress.com/2014/04/26/site-to-site-vpn-between-aws-vpc-and-customer-site-using-linux/ and I configured my external router to forward the ports 500 UDP and 4500 TCP/UDP to the network node; however, the VPN does not come up:

root@stack-controller:~# neutron ipsec-site-connection-list
+--------------------------------------+------+---------------+----------------+------------+-----------+--------+
| id                                   | name | peer_address  | peer_cidrs     | route_mode | auth_mode | status |
+--------------------------------------+------+---------------+----------------+------------+-----------+--------+
| 676eb804-d6b6-4886-8f46-a53b4ab06d61 | AWS  | 54.x.x.x      | "10.x.0.0/16"  | static     | psk       | DOWN   |
+--------------------------------------+------+---------------+----------------+------------+-----------+--------+

I'm having a hard time finding guides or tutorials about VPNaaS, and I'm not sure whether forwarding the ports to the network node is the correct way to do it. I'm also not sure which logs to look at for troubleshooting. I found this in /var/log/neutron/vpn_agent.log:

2014-06-27 12:04:08.224 14862 ERROR neutron.services.vpn.device_drivers.ipsec [-] Failed to enable vpn process on router 5ae62a29-90f1-45ea-82f4-0b26c80ecce3
2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec     raise RuntimeError(m)
2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec RuntimeError:
2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-5ae62a29-90f1-45ea-82f4-0b26c80ecce3', 'ipsec', 'pluto', '--ctlbase', '/var/lib/neutron/ipsec/5ae62a29-90f1-45ea-82f4-0b26c80ecce3/var/run/pluto', '--ipsecdir', '/var/lib/neutron/ipsec/5ae62a29-90f1-45ea-82f4-0b26c80ecce3/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', '/var/lib/neutron/ipsec/5ae62a29-90f1-45ea-82f4-0b26c80ecce3/etc/ipsec.secrets', '--virtual_private', '%v4:192.168.10.0/24,%v4:10.21.0.0/16']
2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec Exit code: 10
2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec Stdout: ''
2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec Stderr: 'adjusting ipsec.d to /var/lib/neutron/ipsec/5ae62a29-90f1-45ea-82f4-0b26c80ecce3/etc\npluto: lock file "/var/lib/neutron/ipsec/5ae62a29-90f1-45ea-82f4-0b26c80ecce3/var/run/pluto.pid" already exists\n'
2014-06-27 12:04:08.224 14862 TRACE neutron.services.vpn.device_drivers.ipsec

Does anyone have any experience with this kind of setup?

EDIT: Made some progress. Now I can establish Phase 1; however, Phase 2 is not playing ball (192.168.10.150 is the neutron router where VPNaaS is running):

16:30:36.130221 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I ident
16:30:36.130259 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I ident
16:30:36.130899 IP 192.168.10.150.isakmp > ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp: isakmp: phase 1 R ident
16:30:36.130911 IP 192.168.10.150.isakmp > ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp: isakmp: phase 1 R ident
16:30:36.476008 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I inf
16:30:36.476040 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I inf
16:30:46.486848 IP 192.168.10.150.isakmp > ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp: isakmp: phase 1 R ident
16:30:46.487304 IP 192.168.10.150.isakmp > ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp: isakmp: phase 1 R ident
16:30:46.697906 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I inf
16:30:46.698444 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I inf
16:30:53.699180 IP 192.168.10.150.isakmp > ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp: isakmp: parent_sa ikev2_init[I]
16:30:53.699206 IP 192.168.10.150.isakmp > ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp: isakmp: parent_sa ikev2_init[I]
16:30:53.913204 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: parent_sa ikev2_init[R]
16:30:53.913240 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: parent_sa ikev2_init[R]
16:31:04.882425 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I ident
16:31:04.882728 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I ident
16:31:04.882800 IP 192.168.10.150 > ec2-54-x-x-x.us-west-2.compute.amazonaws.com: ICMP 192.168.10.150 udp port isakmp unreachable, length 556
16:31:04.883477 IP 192.168.10.150 > ec2-54-x-x-x.us-west-2.compute.amazonaws.com: ICMP 192.168.10.150 udp port isakmp unreachable, length 556
16:31:15.184537 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I ident
16:31:15.184812 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I ident
16:31:15.184881 IP 192.168.10.150 > ec2-54-x-x-x.us-west-2.compute.amazonaws.com: ICMP 192.168.10.150 udp port isakmp unreachable, length 556
16:31:15.185401 IP 192.168.10.150 > ec2-54-x-x-x.us-west-2.compute.amazonaws.com: ICMP 192.168.10.150 udp port isakmp unreachable, length 556
16:31:34.417928 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I ident
16:31:34.418332 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I ident
16:31:34.418458 IP 192.168.10.150 > ec2-54-x-x-x.us-west-2.compute.amazonaws.com: ICMP 192.168.10.150 udp port isakmp unreachable, length 556
16:31:34.419349 IP 192.168.10.150 > ec2-54-x-x-x.us-west-2.compute.amazonaws.com: ICMP 192.168.10.150 udp port isakmp unreachable, length 556

This is the ipsec status on the AWS box:

000 "AWS2LocalConnection/1x1":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "AWS2LocalConnection/1x1":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 16,16; interface: eth0;
000 "AWS2LocalConnection/1x1":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "AWS2LocalConnection/1x1":   aliases: AWS2LocalConnection
000
000 #1: "AWS2LocalConnection/1x1":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 36s; nodpd; idle; import:admin initiate
000 #1: pending Phase 2 for "AWS2LocalConnection/1x1" replacing #0
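The `pluto: lock file ... already exists` line in the vpn_agent.log traceback is pluto refusing to start (exit code 10) because a lock file from an earlier instance is still present under the router's directory. Before deleting anything, the question to answer is whether the PID recorded in that file is still alive: if it is, a second pluto must not be started; if it is not, the lock simply outlived an unclean stop. The helper below is an added example, not neutron's or openswan's code; it assumes the per-router layout visible in the traceback (`/var/lib/neutron/ipsec/<router-id>/var/run/pluto.pid`) and that the file contains only the PID.

```python
"""Classify the pluto lock file that the vpn_agent traceback complains about.

Added example; not neutron's or openswan's code. Assumes the per-router layout
seen in the traceback, /var/lib/neutron/ipsec/<router-id>/var/run/pluto.pid,
and that the file holds nothing but the PID of the pluto that created it.
"""
import os
from pathlib import Path

# Root directory as it appears in the traceback's command line.
NEUTRON_IPSEC_ROOT = Path("/var/lib/neutron/ipsec")


def pluto_pidfile(router_id):
    """Path of the lock file for the pluto that serves one neutron router."""
    return NEUTRON_IPSEC_ROOT / router_id / "var" / "run" / "pluto.pid"


def pid_alive(pid):
    """True if a process with this PID exists; signal 0 probes without delivering."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but belongs to another user
    return True


def classify_lockfile(path, alive=pid_alive):
    """Return one of:
    'absent'  : no lock file, pluto can be started
    'corrupt' : lock file does not contain a PID, inspect and remove by hand
    'running' : the recorded PID is alive, do not start a second pluto
    'stale'   : the recorded PID is gone, the lock outlived an unclean stop
    `alive` is injectable so the decision can be tested without real processes.
    """
    path = Path(path)
    if not path.exists():
        return "absent"
    text = path.read_text().strip()
    if not text.isdigit() or int(text) <= 0:
        return "corrupt"
    return "running" if alive(int(text)) else "stale"


if __name__ == "__main__":
    import tempfile
    # Constructed demo: a lock file written by this very process reads as 'running'.
    with tempfile.TemporaryDirectory() as tmp:
        demo = Path(tmp) / "pluto.pid"
        demo.write_text(f"{os.getpid()}\n")
        print(demo, classify_lockfile(demo))
    # On a network node the real call would be:
    # classify_lockfile(pluto_pidfile("5ae62a29-90f1-45ea-82f4-0b26c80ecce3"))
```

Run it on the network node as a user who can read the neutron state directory. Only a `stale` result justifies removing the lock file and letting the VPN agent start pluto again; `running` means the agent is trying to start a duplicate, which is a different problem (two agents, or a restart racing the old process).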
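The tcpdump capture above already contains the three observations that matter, but they are easy to miss by eye: the local side does answer IKEv1 main mode (so UDP/500 is reaching the router namespace), the peer replies with informational exchanges, the local side then starts an IKEv2 IKE_SA_INIT while the peer keeps initiating IKEv1, and finally the local side returns ICMP port unreachable for UDP/500, meaning nothing is listening any more. The following is an added example (not part of the post, not neutron or openswan code) that parses tcpdump's summary lines and reports those findings; the sample input is the capture from the post, with the peer hostname and addresses as the author redacted them.

```python
"""Triage a tcpdump capture of IKE traffic like the one in the question.

Added example, not part of the original post or of neutron/openswan. Input is
tcpdump's default text summary format; the sample below is the capture from the
post, addresses and hostname redacted as the author posted them.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+?)(?:\.isakmp)? > "
    r"(?P<dst>\S+?)(?:\.isakmp)?: (?P<body>.*)$"
)

# Event codes keyed by a substring of tcpdump's summary for that packet.
EVENT_MARKERS = [
    ("phase 1 I ident", "v1_main_init"),      # IKEv1 main mode, from the initiator
    ("phase 1 R ident", "v1_main_resp"),      # IKEv1 main mode, responder's reply
    ("phase 1 I inf", "v1_informational"),    # IKEv1 informational: notify or delete
    ("ikev2_init[I]", "v2_sa_init_req"),      # IKEv2 IKE_SA_INIT request
    ("ikev2_init[R]", "v2_sa_init_resp"),     # IKEv2 IKE_SA_INIT response
    ("udp port isakmp unreachable", "port_unreachable"),  # ICMP: no UDP/500 listener
]


def parse_capture(text):
    """Yield (timestamp, src, dst, event_code) for every line we recognise."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        for marker, code in EVENT_MARKERS:
            if marker in m["body"]:
                yield m["ts"], m["src"], m["dst"], code
                break


def analyze(text, local):
    """Count events and derive findings about the responder at address `local`."""
    events = list(parse_capture(text))
    counts = Counter(code for _, _, _, code in events)
    findings = {}
    if any(code == "v1_main_resp" and src == local for _, src, _, code in events):
        findings["responder_reached"] = (
            "local side answered IKEv1 main mode, so UDP/500 is forwarded into the "
            "router namespace and pluto was listening at that time")
    if any(code == "v1_informational" and src != local for _, src, _, code in events):
        findings["peer_notify"] = (
            "peer sent IKEv1 informational exchanges right after the responder reply; "
            "these carry a notification or delete, decode with tcpdump -v to read which")
    if any(code == "v2_sa_init_req" and src == local for _, src, _, code in events):
        findings["ike_version_mismatch"] = (
            "local side sent IKEv2 IKE_SA_INIT while the peer initiates IKEv1 main mode; "
            "the two connection definitions use different IKE versions")
    if any(code == "port_unreachable" and src == local for _, src, _, code in events):
        findings["listener_gone"] = (
            "local side returned ICMP port unreachable for UDP/500: nothing was listening "
            "in the namespace at that moment; correlate timestamps with vpn_agent.log")
    return {"counts": dict(counts), "findings": findings}


# Sample input: the capture from the post (each packet appears twice there as well).
SAMPLE_CAPTURE = """\
16:30:36.130221 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I ident
16:30:36.130259 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I ident
16:30:36.130899 IP 192.168.10.150.isakmp > ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp: isakmp: phase 1 R ident
16:30:36.130911 IP 192.168.10.150.isakmp > ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp: isakmp: phase 1 R ident
16:30:36.476008 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I inf
16:30:36.476040 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I inf
16:30:46.486848 IP 192.168.10.150.isakmp > ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp: isakmp: phase 1 R ident
16:30:46.487304 IP 192.168.10.150.isakmp > ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp: isakmp: phase 1 R ident
16:30:46.697906 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I inf
16:30:46.698444 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I inf
16:30:53.699180 IP 192.168.10.150.isakmp > ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp: isakmp: parent_sa ikev2_init[I]
16:30:53.699206 IP 192.168.10.150.isakmp > ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp: isakmp: parent_sa ikev2_init[I]
16:30:53.913204 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: parent_sa ikev2_init[R]
16:30:53.913240 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: parent_sa ikev2_init[R]
16:31:04.882425 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I ident
16:31:04.882728 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I ident
16:31:04.882800 IP 192.168.10.150 > ec2-54-x-x-x.us-west-2.compute.amazonaws.com: ICMP 192.168.10.150 udp port isakmp unreachable, length 556
16:31:04.883477 IP 192.168.10.150 > ec2-54-x-x-x.us-west-2.compute.amazonaws.com: ICMP 192.168.10.150 udp port isakmp unreachable, length 556
16:31:15.184537 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I ident
16:31:15.184812 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I ident
16:31:15.184881 IP 192.168.10.150 > ec2-54-x-x-x.us-west-2.compute.amazonaws.com: ICMP 192.168.10.150 udp port isakmp unreachable, length 556
16:31:15.185401 IP 192.168.10.150 > ec2-54-x-x-x.us-west-2.compute.amazonaws.com: ICMP 192.168.10.150 udp port isakmp unreachable, length 556
16:31:34.417928 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I ident
16:31:34.418332 IP ec2-54-x-x-x.us-west-2.compute.amazonaws.com.isakmp > 192.168.10.150.isakmp: isakmp: phase 1 I ident
16:31:34.418458 IP 192.168.10.150 > ec2-54-x-x-x.us-west-2.compute.amazonaws.com: ICMP 192.168.10.150 udp port isakmp unreachable, length 556
16:31:34.419349 IP 192.168.10.150 > ec2-54-x-x-x.us-west-2.compute.amazonaws.com: ICMP 192.168.10.150 udp port isakmp unreachable, length 556
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_CAPTURE, local="192.168.10.150")
    print(result["counts"])
    for code, message in result["findings"].items():
        print(f"{code}: {message}")
```

Feed it the output of `tcpdump -n -i <interface> udp port 500 or icmp` captured inside the qrouter namespace (`ip netns exec qrouter-<router-id> tcpdump ...`), since that is where pluto binds. The `listener_gone` finding is the one to chase first: it says the ICMP came from the local side itself, so at that instant no pluto owned UDP/500 in the namespace, which lines up with the "lock file already exists" restart failure in vpn_agent.log; `ike_version_mismatch` is the next thing to reconcile, because the AWS `ipsec status` shows `STATE_MAIN_I1` (IKEv1 main mode) while the local side is seen starting IKEv2.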
