[Swan] Adapting libreswan for Openstack VPNaaS Juno

Matias R. Cuenca del Rey maticue at gmail.com
Wed Feb 4 06:30:04 EET 2015

Thank you Paul!
Yesterday I was able to modify
openstack-neutron-vpn-agent-2014.2.1-1.el7.centos.noarch's script and the VPN
just works :). I don't know much about python but I did my best. I'm sure it
can be improved. These are all the steps I took to enable VPNaaS on
Openstack Juno on Centos 7 with libreswan-3.8-6.el7_0.x86_64 (I can only
use 'official repos').

1.- Install necessary packages:
# yum install openstack-neutron-vpn-agent libreswan -y

2.- Enable vpnaas plugin in neutron
# cat /etc/neutron/neutron.conf
service_plugins = router,vpnaas

3.- Configure vpn plugin
# cat /etc/neutron/vpn_agent.ini

# VPN-Agent configuration file
# Note vpn-agent inherits l3-agent, so you can use configs on l3-agent also
##interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver

# vpn device drivers which vpn agent will use
# If we want to use multiple drivers, we need to define this option
# multiple times.
# vpn_device_driver=another_driver

# Status check interval

4.- Here we start with the dirty part :)
4.1.- Add the certutil command to vpnaas.filters, so it can be executed by
neutron rootwrap
# cat /usr/share/neutron/rootwrap/vpnaas.filters
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
# This file should be owned by (and only-writeable by) the root user

# format seems to be
# cmd-name: filter-name, raw-command, user, args


ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
openswan: CommandFilter, ipsec, root
libreswan: CommandFilter, certutil, root

4.2.- Edit ipsec.py, which executes the 'ipsec' and (now) 'certutil' commands
4.2.1.- If the nss db does not exist, it is created on
4.2.2.- In the 'ipsec pluto' execution: remove the '--config' option, keep ctlbase (Thanks Paul!); change the argument of '--ipsecdir' from
/var/lib/neutron/ipsec/<uuid>/etc/ to
/var/lib/neutron/ipsec/<uuid>/etc/ipsec.d; remove --use-netkey because it is the default option
4.2.3.- In the 'ipsec addconn' execution: remove '--defaultroutenexthop' because it is obsolete
The diff between original and modified file is:

# diff

<     bcertutil = "certutil"
<     NSS_FILES = [
<         'cert8.db',
<         'key3.db',
<         'secmod.db'
<     ]
<     def _ensure_nss(self, nss_files):
<         if not os.path.isfile(nss_files):
<             #start nss database
<             self._execute([self.bcertutil,
<                        '-N',
<                        '--empty-password',
<                        '-d', self.ipsecd_dir,
<                        ])
<         """Create config directory and nss files if they does not
>         """Create config directory if it does not exist."""
<         for nss_file in self.NSS_FILES:
<             nss_path = os.path.join(self.ipsecd_dir, nss_file)
<             self._ensure_nss(nss_path)
<         self.ipsecd_dir = os.path.join(
<             self.etc_dir, 'ipsec.d')
<                        '--ipsecdir', self.ipsecd_dir,
>                        '--ipsecdir', self.etc_dir,
>                        '--use-netkey',
>                            '--defaultroutenexthop', nexthop,
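Review bot: `_ensure_nss` is called once per entry of `NSS_FILES` and runs `certutil -N --empty-password -d <ipsecd_dir>` whenever that single file is missing, so a fresh directory triggers the initialisation up to three times and a directory that has lost only `key3.db` is re-created, discarding whatever was still in `cert8.db`. Check all three files first and run `certutil -N` at most once, and treat a partially present database as an error rather than silently re-initialising it. Two smaller points: the docstring `"""Create config directory and nss files if they does not` is cut off mid-sentence and should read `if they do not exist."""`, and because `--empty-password` leaves the certificate database unprotected, the permissions on `ipsecd_dir` are the only thing keeping it private to the agent, which deserves a comment next to the call. The diff also seems to have been produced with the modified file as the first argument (the `<` lines are the additions), the reverse of the usual reading; say so, or re-run it as `diff original modified`.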

4.3.- Edit ipsec.conf.template, which is used to generate
/var/lib/neutron/ipsec/<uuid>/ipsec.conf (necessary for ipsec addconn).
Just comment out the obsolete options. The diff between original and modified file is:

# diff

<     # nat_traversal=yes
>     nat_traversal=yes
<     # keylife=60m
<     salifetime=60m
>     keylife=60m
<     # leftnexthop=%defaultroute
>     leftnexthop=%defaultroute
<     # rightnexthop=%defaultroute
>     rightnexthop=%defaultroute
<     # lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
<     salifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
>     lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
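Review bot: after this change the template sets `salifetime` twice, once as the fixed `salifetime=60m` and once as `salifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s`. That is fine if the first lives in `conn %default` and the second in the per-connection section (the per-connection value wins), but add a one-line comment in the template saying so, otherwise a reader will assume the policy's lifetime is being ignored. Also consider deleting the openswan-only lines instead of leaving them commented (`# nat_traversal=yes`, `# keylife=60m`, `# leftnexthop=%defaultroute`, `# rightnexthop=%defaultroute`, `# lifetime=...`), or mark them as openswan-only, so that a later edit that uncomments them does not reintroduce the obsolete options.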

5.- Enable and start vpn-agent
# systemctl enable neutron-vpn-agent
# systemctl start neutron-vpn-agent

Hope it is useful to someone.

Matías R. Cuenca del Rey

On Tue, Feb 3, 2015 at 12:49 AM, Paul Wouters <paul at nohats.ca> wrote:

> On Mon, 2 Feb 2015, Matias R. Cuenca del Rey wrote:
>> Hello, I'm trying to run Openstack VPNaaS on Centos 7 with
>> libreswan-3.8-6.el7_0.x86_64. VPNaaS's scripts are for openswan,
>> so there are some options that are different. I've been working to adapt
>> them, for example 'ipsec pluto' didn't work
>> because there wasn't an nssdb.
>> Right now, I have pluto running, but I'm not sure if it is running like I
>> want. The command that I execute to start pluto
>> is:
> We put in a few fixes specifically for openstack and non-root ownership
> of files and dropping capabilities later on. Please use libreswan-3.12
> to ensure you have all those fixes! You're mixing at least
> libreswan-3.9:
> * pluto: Drop CAP_DAC_OVERRIDE privs later to support non-root dirs [Paul]
>> # ipsec pluto --ctlbase /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/var/run/pluto
>> --ipsecdir
>> /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d
>> --config
>> /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.conf
>> --uniqueids --nat_traversal --secretsfile
>> /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.secrets
>> --virtual_private
>> %v4:,%v4:
>> Although I execute ipsec pluto with the --config option, when I execute ipsec
>> whack --status I read the default config file
>> and directory:
> The order matters. If you specify --config and then --ctlbase, the
> ctlbase will override the configuration. If you specify --ctlbase
> before --config, the config file version will get used.
>> Cannot open logfile '(null)': Bad file descriptor
>> nss directory plutomain:
>> /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d
> Those might be caused by the capabilities fix.
> If this does not fix your issues, ping me on pwouters at redhat.com and
> I'll bring you in contact with our redhat/openstack guy that was part
> of fixing these issues.
> Paul
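As an added worked example (not code from the neutron VPN agent or from libreswan, and not part of this thread), the following Python reproduces the logic of steps 4.2.1 to 4.2.3 in a testable form: check for the NSS database files, initialise the database with `certutil -N --empty-password` only when needed, and build the libreswan-style `ipsec pluto` and `ipsec addconn` argument lists without `--config`, `--use-netkey` and `--defaultroutenexthop`. The executor is a stand-in that records commands instead of running them, the directory layout under `/var/lib/neutron/ipsec/<uuid>/` is taken from the post, and the exact `addconn` option set is an assumption.

```python
"""Added example: NSS bootstrap and libreswan argument lists for a
neutron-style VPN agent. Not the project's code; the fake executor,
simulate() and the addconn option layout are assumptions."""
import os
import tempfile
from typing import Callable, Dict, List

# The three files that the dbm-format NSS database consists of.
NSS_FILES = ('cert8.db', 'key3.db', 'secmod.db')


def missing_nss_files(ipsecd_dir: str) -> List[str]:
    """Return the NSS db files that are absent from ipsecd_dir."""
    return [f for f in NSS_FILES
            if not os.path.isfile(os.path.join(ipsecd_dir, f))]


def certutil_init_cmd(ipsecd_dir: str) -> List[str]:
    """'certutil -N --empty-password -d <dir>' creates an empty database with
    no password (the command the post adds to ipsec.py and vpnaas.filters).
    Because it is unprotected, the directory permissions are what keep it
    private to the agent."""
    return ['certutil', '-N', '--empty-password', '-d', ipsecd_dir]


def ensure_nss_db(ipsecd_dir: str,
                  execute: Callable[[List[str]], None]) -> bool:
    """Create the NSS database at most once if any of its files is missing.

    The post's version runs certutil once per missing file, which would
    re-initialise the database up to three times; here all files are checked
    first and certutil is run a single time. Returns True when it was run.
    """
    os.makedirs(ipsecd_dir, exist_ok=True)
    if not missing_nss_files(ipsecd_dir):
        return False
    execute(certutil_init_cmd(ipsecd_dir))
    return True


def pluto_cmd(config_base_dir: str, virtual_private: str) -> List[str]:
    """'ipsec pluto' for libreswan (step 4.2.2): --ctlbase kept, --config
    dropped (it would be overridden by --ctlbase anyway), --ipsecdir pointing
    at etc/ipsec.d, and no --use-netkey since it is the default."""
    etc_dir = os.path.join(config_base_dir, 'etc')
    return ['ipsec', 'pluto',
            '--ctlbase', os.path.join(config_base_dir, 'var', 'run', 'pluto'),
            '--ipsecdir', os.path.join(etc_dir, 'ipsec.d'),
            '--uniqueids', '--nat_traversal',
            '--secretsfile', os.path.join(etc_dir, 'ipsec.secrets'),
            '--virtual_private', virtual_private]


def addconn_cmd(config_base_dir: str, conn_name: str) -> List[str]:
    """'ipsec addconn' for libreswan (step 4.2.3): the obsolete
    --defaultroutenexthop is gone. Option layout is an assumption."""
    return ['ipsec', 'addconn',
            '--ctlbase', os.path.join(config_base_dir, 'var', 'run', 'pluto.ctl'),
            '--config', os.path.join(config_base_dir, 'etc', 'ipsec.conf'),
            conn_name]


def simulate() -> Dict[str, object]:
    """Run the bootstrap twice in a scratch directory with a recording
    executor (no real certutil is invoked) and report what happened."""
    calls: List[List[str]] = []
    with tempfile.TemporaryDirectory() as root:
        ipsecd_dir = os.path.join(root, 'etc', 'ipsec.d')
        first = ensure_nss_db(ipsecd_dir, calls.append)
        # Stand in for certutil: pretend it created the three files.
        for name in NSS_FILES:
            open(os.path.join(ipsecd_dir, name), 'w').close()
        second = ensure_nss_db(ipsecd_dir, calls.append)
    return {'first_run_created': first,
            'second_run_created': second,
            'calls': calls}


if __name__ == '__main__':
    print(simulate())
    print(' '.join(pluto_cmd('/var/lib/neutron/ipsec/<uuid>', '%v4:10.0.0.0/8')))
```

The check-all-then-initialise-once shape matters because `certutil -N` on a directory that already has a database re-creates it; a partially present database (say, `cert8.db` without `key3.db`) is better reported than silently rebuilt, and `missing_nss_files` gives the caller the list to log.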