[Swan] Adapting libreswan for Openstack VPNaaS Juno

Paul Wouters paul at nohats.ca
Wed Feb 4 17:14:34 EET 2015


On Wed, 4 Feb 2015, Matias R. Cuenca del Rey wrote:

> Yesterday I was able to modify openstack-neutron-vpn-agent-2014.2.1-1.el7.centos.noarch's script and the VPN just works :).

Does that mean the package will be fixed "upstream"? Or should we take
your write-up below and post it to the libreswan wiki?

Paul


> I don't know much about Python, but
> I did my best. I'm sure it can be improved. These are all the steps I took to enable VPNaaS on OpenStack Juno on CentOS 7 with
> libreswan-3.8-6.el7_0.x86_64 (I can only use 'official repos')
> 
> 1.- Install necessary packages:
> # yum install openstack-neutron-vpn-agent libreswan -y
> 
> 2.- Enable vpnaas plugin in neutron
> # cat /etc/neutron/neutron.conf
> ...
> service_plugins = router,vpnaas
> ...
> service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
> ...
> 
> 3.- Configure vpn plugin
> # cat /etc/neutron/vpn_agent.ini
> 
> [DEFAULT]
> # VPN-Agent configuration file
> # Note vpn-agent inherits l3-agent, so you can use configs on l3-agent also
> ##interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
> 
> [vpnagent]
> # vpn device drivers which vpn agent will use
> # If we want to use multiple drivers,  we need to define this option multiple times.
> vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver
> # vpn_device_driver=neutron.services.vpn.device_drivers.cisco_ipsec.CiscoCsrIPsecDriver
> # vpn_device_driver=another_driver
> 
> [ipsec]
> # Status check interval
> ipsec_status_check_interval=30
> 
> 
> 4.- Here we start with the dirt :)
> 4.1.- Add the certutil command to vpnaas.filters, so it can be executed by neutron rootwrap
> # cat /usr/share/neutron/rootwrap/vpnaas.filters
> # neutron-rootwrap command filters for nodes on which neutron is
> # expected to control network
> #
> # This file should be owned by (and only-writeable by) the root user
> 
> # format seems to be
> # cmd-name: filter-name, raw-command, user, args
> 
> [Filters]
> 
> ip: IpFilter, ip, root
> ip_exec: IpNetnsExecFilter, ip, root
> openswan: CommandFilter, ipsec, root
> libreswan: CommandFilter, certutil, root
> 4.2.- Edit ipsec.py, which executes the 'ipsec' and (now) 'certutil' commands
> 4.2.1.- If the NSS db does not exist, it is created in /var/lib/neutron/ipsec/<uuid>/etc/ipsec.d
> 4.2.2.- In 'ipsec pluto' execution:
> 4.2.2.1.- Remove '--config' option, keep ctlbase (Thanks Paul!)
> 4.2.2.2.- Change argument of '--ipsecdir' from /var/lib/neutron/ipsec/<uuid>/etc/ to /var/lib/neutron/ipsec/<uuid>/etc/ipsec.d
> 4.2.2.3.- Remove --use-netkey because it is the default option
> 4.2.3.- In 'ipsec addconn' execution:
> 4.2.3.1.- Remove '--defaultroutenexthop' because it is obsolete
> The diff between original and modified file is:
> 
> # diff /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/ipsec.py /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/ipsec.py.original
> 97d96
> <     bcertutil = "certutil"
> 114,119d112
> <     NSS_FILES = [
> <         'cert8.db',
> <         'key3.db',
> <         'secmod.db'
> <     ]
> <
> 189,197d181
> <     def _ensure_nss(self, nss_files):
> <         if not os.path.isfile(nss_files):
> <             #start nss database
> <             self._execute([self.bcertutil,
> <                        '-N',
> <                        '--empty-password',
> <                        '-d', self.ipsecd_dir,
> <                        ])
> <
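Review bot: `_ensure_nss` receives a single path but names its parameter `nss_files`, and it runs `certutil -N -d <dir>` with a bare directory, which leaves the database format to the NSS build default. On an NSS that defaults to the sqlite format that creates cert9.db/key4.db/pkcs11.txt, none of the names in NSS_FILES, so the `isfile` check fails on every call and `certutil -N` is re-run each time. Pin the format the rest of the patch expects, e.g. `'-d', 'dbm:' + self.ipsecd_dir`, or accept either set of filenames. Note also that `--empty-password` means the private-key database is protected by nothing but the directory's file permissions.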
> 199c183
> <         """Create config directory and nss files if they does not exist."""
> ---
> >         """Create config directory if it does not exist."""
> 204,206d187
> <         for nss_file in self.NSS_FILES:
> <             nss_path = os.path.join(self.ipsecd_dir, nss_file)
> <             self._ensure_nss(nss_path)
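Review bot: calling `_ensure_nss` once per entry of NSS_FILES means a directory where only one of the three files is missing gets `certutil -N` run against a partially populated database, and a wholly absent database is checked three times. Test the directory once (all three present, or none) and initialise only in the none case; a partial set should be reported as an error rather than silently re-initialised.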
> 327,328d307
> <         self.ipsecd_dir = os.path.join(
> <             self.etc_dir, 'ipsec.d')
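Review bot: since the database under this directory is created with `--empty-password`, the permissions on `ipsec.d` are the only thing protecting key3.db. Make sure the directory is created with mode 0700 and owned by the user pluto runs as (which is what the non-root ownership fixes Paul refers to depend on) rather than inheriting the process umask.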
> 401c380,381
> <                        '--ipsecdir', self.ipsecd_dir,
> ---
> >                        '--ipsecdir', self.etc_dir,
> >                        '--use-netkey',
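Review bot: step 4.2.2.1 of the write-up says `--config` was removed from the pluto command line, but this hunk only replaces the `--ipsecdir` argument and drops `--use-netkey`; no `--config` line is removed. If `--config` is in fact still passed, its position relative to `--ctlbase` decides which ctlbase wins, as Paul noted, so either the diff is incomplete or that removal still has to be made.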
> 412a393
> >                            '--defaultroutenexthop', nexthop,
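Review bot: with `--defaultroutenexthop` gone, the `nexthop` value that was passed here is no longer used on the addconn command line; drop the code that computes `nexthop` as well, if nothing else reads it, so the dead lookup does not stay behind.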
> 
> 4.3.- Edit ipsec.conf.template, which is used to generate /var/lib/neutron/ipsec/<uuid>/ipsec.conf (necessary for the ipsec addconn command)
> Just comment out obsolete options. The diff between original and modified file is:
> 
> # diff /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/template/openswan/ipsec.conf.template /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/template/openswan/ipsec.conf.template.original
> 3c3
> <     # nat_traversal=yes
> ---
> >     nat_traversal=yes
> 7,8c7
> <     # keylife=60m
> <     salifetime=60m
> ---
> >     keylife=60m
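Review bot: `keylife`, `lifetime` and `salifetime` are aliases of the same IPsec SA lifetime option in libreswan, so this hunk (and the matching `63,64c62` hunk below) is a rename with no behavioural change; the commented-out `keylife=60m` line can simply be deleted instead of being kept in the template.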
> 20c19
> <     # leftnexthop=%defaultroute
> ---
> >     leftnexthop=%defaultroute
> 31c30
> <     # rightnexthop=%defaultroute
> ---
> >     rightnexthop=%defaultroute
> 63,64c62
> <     # lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
> <     salifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
> ---
> >     lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
> 
> 5.- Enable and start vpn-agent
> # systemctl enable neutron-vpn-agent
> # systemctl start neutron-vpn-agent
> 
> 
> Hope it is useful to someone.
> 
> Matías R. Cuenca del Rey
> 
> On Tue, Feb 3, 2015 at 12:49 AM, Paul Wouters <paul at nohats.ca> wrote:
>       On Mon, 2 Feb 2015, Matias R. Cuenca del Rey wrote:
>
>             Hello, I'm trying to run OpenStack VPNaaS on CentOS 7 with libreswan-3.8-6.el7_0.x86_64. VPNaaS's scripts are for openswan,
>             so some options are different. I've been working to adapt them; for example, 'ipsec pluto' didn't work
>             because there was no nssdb.
>             Right now I have pluto running, but I'm not sure if it is running the way I want. The command that I execute to start pluto
>             is:
> 
>
>       We put in a few fixes specifically for openstack, non-root ownership
>       of files and dropping capabilities later on. Please use libreswan-3.12
>       to ensure you have all those fixes! You're missing at least
>       libreswan-3.9:
>
>       * pluto: Drop CAP_DAC_OVERRIDE privs later to support non-root dirs [Paul]
>
>             # ipsec pluto --ctlbase /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/var/run/pluto --ipsecdir
>             /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d --config
>             /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.conf --uniqueids --nat_traversal --secretsfile
>             /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.secrets --virtual_private
>             %v4:192.168.1.0/24,%v4:192.168.88.0/24
>
>             Although I execute ipsec pluto with the --config option, when I execute ipsec whack --status I see the default config file
>             and directory:
> 
>
>       The order matters. If you specify --config and then --ctlbase, the
>       ctlbase will override the configuration. if you specify --ctlbase
>       before --config, the config file version will get used.
>
>             Cannot open logfile '(null)': Bad file descriptor
>             nss directory plutomain: /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d
> 
>
>       Those might be caused by the capabilities fix.
>
>       If this does not fix your issues, ping me on pwouters at redhat.com and
>       I'll bring you in contact with our redhat/openstack guy that was part
>       of fixing these issues.
>
>       Paul
> 
> 
> 
>
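The block below is an added example, not part of this thread and not neutron's or libreswan's own code. It reworks the NSS-database and pluto-startup logic that the write-up above arrives at in steps 4.2.1 and 4.2.2: the database is detected once per directory, in either NSS file format, and created with the format pinned so the check and the creation cannot disagree; the per-router layout under /var/lib/neutron/ipsec/<uuid>, the `execute` callback (neutron would route it through rootwrap, which is why vpnaas.filters must allow certutil) and all function names are assumptions.

```python
"""Helpers for running libreswan's pluto under neutron's per-router layout.

Added example, not neutron or libreswan code.  Assumed layout (from the
write-up): /var/lib/neutron/ipsec/<uuid>/etc/ipsec.d holds the NSS
database and .../var/run/pluto is the control socket base.  `execute`
is the caller's command runner (neutron would go through rootwrap).
"""
import os
import stat

# Files NSS writes for its two database formats.  The write-up's patch
# checks only the legacy dbm names; newer NSS builds default to sqlite,
# so a bare `-d <dir>` can create files the check never looks for.
NSS_FORMATS = {
    "dbm": ("cert8.db", "key3.db", "secmod.db"),
    "sql": ("cert9.db", "key4.db", "pkcs11.txt"),
}


def nss_db_state(names):
    """Classify a directory listing: 'dbm' or 'sql' when a complete
    database of that format is present, None when there is no database
    at all, 'partial' when only some files of a format exist."""
    present = set(names)
    for fmt, files in NSS_FORMATS.items():
        if present.issuperset(files):
            return fmt
    for files in NSS_FORMATS.values():
        if present.intersection(files):
            return "partial"
    return None


def certutil_init_argv(ipsecd_dir, fmt="dbm"):
    """argv for creating an empty-password NSS database, with the format
    pinned by the dbm:/sql: prefix so it matches what nss_db_state checks."""
    if fmt not in NSS_FORMATS:
        raise ValueError("unknown NSS format %r" % fmt)
    return ["certutil", "-N", "--empty-password",
            "-d", "%s:%s" % (fmt, ipsecd_dir)]


def ensure_nss_db(ipsecd_dir, execute, fmt="dbm"):
    """Create ipsec.d with mode 0700 (with an empty password, file
    permissions are all that protects the key database) and initialise
    the NSS db exactly once.  Returns the state found before acting."""
    if not os.path.isdir(ipsecd_dir):
        os.makedirs(ipsecd_dir)
    os.chmod(ipsecd_dir, stat.S_IRWXU)
    state = nss_db_state(os.listdir(ipsecd_dir))
    if state is None:
        execute(certutil_init_argv(ipsecd_dir, fmt))
    elif state == "partial":
        # Never run certutil -N over a half-populated directory.
        raise RuntimeError("incomplete NSS database in %s" % ipsecd_dir)
    return state


def pluto_argv(base_dir, virtual_private):
    """pluto command line in the shape the write-up ends up with:
    --ctlbase kept, no --config (so nothing overrides the ctlbase),
    --ipsecdir pointing at ipsec.d, no --use-netkey (it is the default).
    base_dir is /var/lib/neutron/ipsec/<uuid>; the remaining flags are
    the ones from the pluto command quoted in the thread."""
    etc_dir = os.path.join(base_dir, "etc")
    return [
        "ipsec", "pluto",
        "--ctlbase", os.path.join(base_dir, "var", "run", "pluto"),
        "--ipsecdir", os.path.join(etc_dir, "ipsec.d"),
        "--uniqueids",
        "--nat_traversal",
        "--secretsfile", os.path.join(etc_dir, "ipsec.secrets"),
        "--virtual_private", ",".join(virtual_private),
    ]


if __name__ == "__main__":
    import tempfile
    calls = []  # records what would have been executed instead of running it
    d = os.path.join(tempfile.mkdtemp(), "etc", "ipsec.d")
    print(ensure_nss_db(d, calls.append))  # None: no database was present
    print(" ".join(calls[0]))              # the pinned certutil -N command
    print(" ".join(pluto_argv("/var/lib/neutron/ipsec/<uuid>",
                              ["%v4:192.168.1.0/24", "%v4:192.168.88.0/24"])))
```

Run stand-alone it prints the certutil invocation it would hand to the command runner and the pluto command line; nothing is executed. The `partial` state is deliberately an error rather than a retry, since the write-up's per-file check would re-run `certutil -N` in exactly that situation.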

