[Swan] Adapting libreswan for Openstack VPNaaS Juno

Matias R. Cuenca del Rey maticue at gmail.com
Thu Feb 5 00:29:05 EET 2015


We could post it to the libreswan wiki. If you want, I can contact the
redhat/openstack guy that you told me about. It would be great to fix the package!

Matías R. Cuenca del Rey

On Wed, Feb 4, 2015 at 12:14 PM, Paul Wouters <paul at nohats.ca> wrote:

> On Wed, 4 Feb 2015, Matias R. Cuenca del Rey wrote:
>
>> Yesterday I could modify openstack-neutron-vpn-agent-2014.2.1-1.el7.centos.noarch's
>> script and the VPN just works :).
>>
>
> Does that mean the package will be fixed "upstream" ? Or should we take
> your write up below and post it to the libreswan wiki ?
>
> Paul
>
>
>
>> I don't know much about Python, but I did my best. I'm sure it can be
>> improved. These are all the steps I did to enable VPNaaS on Openstack Juno
>> on Centos 7 with libreswan-3.8-6.el7_0.x86_64 (I can only use 'official
>> repos').
>>
>> 1.- Install necessary packages:
>> # yum install openstack-neutron-vpn-agent libreswan -y
>>
>> 2.- Enable vpnaas plugin in neutron
>> # cat /etc/neutron/neutron.conf
>> ...
>> service_plugins = router,vpnaas
>> ...
>> service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
>> ...
>>
>> 3.- Configure vpn plugin
>> # cat /etc/neutron/vpn_agent.ini
>>
>> [DEFAULT]
>> # VPN-Agent configuration file
>> # Note vpn-agent inherits l3-agent, so you can use configs on l3-agent also
>> ##interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
>>
>> [vpnagent]
>> # vpn device drivers which vpn agent will use
>> # If we want to use multiple drivers, we need to define this option multiple times.
>> vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver
>> # vpn_device_driver=neutron.services.vpn.device_drivers.cisco_ipsec.CiscoCsrIPsecDriver
>> # vpn_device_driver=another_driver
>>
>> [ipsec]
>> # Status check interval
>> ipsec_status_check_interval=30
>>
>>
>> 4.- Here we start with the dirt :)
>> 4.1.- Add the certutil command to vpnaas.filters, so it can be executed
>> through neutron rootwrap
>> # cat /usr/share/neutron/rootwrap/vpnaas.filters
>> # neutron-rootwrap command filters for nodes on which neutron is
>> # expected to control network
>> #
>> # This file should be owned by (and only-writeable by) the root user
>>
>> # format seems to be
>> # cmd-name: filter-name, raw-command, user, args
>>
>> [Filters]
>>
>> ip: IpFilter, ip, root
>> ip_exec: IpNetnsExecFilter, ip, root
>> openswan: CommandFilter, ipsec, root
>> libreswan: CommandFilter, certutil, root
>> 4.2.- Edit ipsec.py, which executes the 'ipsec' and (now) 'certutil' commands
>> 4.2.1.- If the NSS db does not exist, it is created in
>> /var/lib/neutron/ipsec/<uuid>/etc/ipsec.d
>> 4.2.2.- In the 'ipsec pluto' execution:
>> 4.2.2.1.- Remove the '--config' option, keep ctlbase (Thanks Paul!)
>> 4.2.2.2.- Change the argument of '--ipsecdir' from
>> /var/lib/neutron/ipsec/<uuid>/etc/ to /var/lib/neutron/ipsec/<uuid>/etc/ipsec.d
>> 4.2.2.3.- Remove --use-netkey because it is the default option
>> 4.2.3.- In the 'ipsec addconn' execution:
>> 4.2.3.1.- Remove '--defaultroutenexthop' because it is obsolete
>> The diff between the original and modified files is:
>>
>> # diff /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/ipsec.py \
>>        /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/ipsec.py.original
>> 97d96
>> <     bcertutil = "certutil"
>> 114,119d112
>> <     NSS_FILES = [
>> <         'cert8.db',
>> <         'key3.db',
>> <         'secmod.db'
>> <     ]
>> <
>> 189,197d181
>> <     def _ensure_nss(self, nss_files):
>> <         if not os.path.isfile(nss_files):
>> <             #start nss database
>> <             self._execute([self.bcertutil,
>> <                        '-N',
>> <                        '--empty-password',
>> <                        '-d', self.ipsecd_dir,
>> <                        ])
>> <
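Review bot: `_ensure_nss` decides on a single file but initialises the whole directory: if cert8.db is missing while key3.db and secmod.db are still there, `certutil -N` is run over a half-present database. Check all three NSS_FILES together and refuse to run `-N` on a partial database (tell the operator to clear /var/lib/neutron/ipsec/<uuid>/etc/ipsec.d) rather than reinitialise over it. `--empty-password` is the right choice for an unattended agent, but the docstring should say that the database is created without a password and is protected by the directory permissions alone.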
>> 199c183
>> <         """Create config directory and nss files if they does not
>> exist."""
>> ---
>> >         """Create config directory if it does not exist."""
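Review bot: docstring grammar on the new line: "if they does not exist" should read "if they do not exist".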
>> 204,206d187
>> <         for nss_file in self.NSS_FILES:
>> <             nss_path = os.path.join(self.ipsecd_dir, nss_file)
>> <             self._ensure_nss(nss_path)
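Review bot: this loop calls `_ensure_nss` once per filename, so on an empty directory the first call creates all three files and the next two are no-ops; it only works because `certutil -N` happens to create every file at once. A single call that tests `all(os.path.isfile(os.path.join(self.ipsecd_dir, f)) for f in self.NSS_FILES)` and then runs certutil once states the intent directly and avoids the repeated check.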
>> 327,328d307
>> <         self.ipsecd_dir = os.path.join(
>> <             self.etc_dir, 'ipsec.d')
>> 401c380,381
>> <                        '--ipsecdir', self.ipsecd_dir,
>> ---
>> >                        '--ipsecdir', self.etc_dir,
>> >                        '--use-netkey',
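Review bot: step 4.2.2.1 above says the `--config` option was removed from the pluto invocation, but this hunk only repoints `--ipsecdir` and drops `--use-netkey`, and no `--config` line appears in either version of the file. Either the packaged Juno code never passed `--config` here (then say so in the step, since nothing needed removing) or the hunk for that removal is missing from the diff. Dropping `--use-netkey` is fine, it is the default as 4.2.2.3 notes.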
>> 412a393
>> >                            '--defaultroutenexthop', nexthop,
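Review bot: removing only the `'--defaultroutenexthop', nexthop,` argument leaves the code that computes `nexthop` before the addconn call in place; drop that lookup as well, otherwise it is dead work and can still fail when there is no route to the peer yet, even though its result is no longer used.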
>>
>> 4.3.- Edit ipsec.conf.template, which is used to generate
>> /var/lib/neutron/ipsec/<uuid>/ipsec.conf (needed by the 'ipsec addconn'
>> command). Just comment out the obsolete options. The diff between the
>> original and modified files is:
>>
>> # diff /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/template/openswan/ipsec.conf.template \
>>        /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/template/openswan/ipsec.conf.template.original
>> 3c3
>> <     # nat_traversal=yes
>> ---
>> >     nat_traversal=yes
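Review bot: a line commented out in the template is still emitted into every generated /var/lib/neutron/ipsec/<uuid>/etc/ipsec.conf; since the write-up treats `nat_traversal=yes` as obsolete for libreswan, delete the line instead of keeping it as a comment. The same applies to the `# keylife=60m`, `# leftnexthop`, `# rightnexthop` and `# lifetime=` lines in the hunks below, otherwise each rendered file carries dead settings that the next reader has to reason about.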
>> 7,8c7
>> <     # keylife=60m
>> <     salifetime=60m
>> ---
>> >     keylife=60m
>> 20c19
>> <     # leftnexthop=%defaultroute
>> ---
>> >     leftnexthop=%defaultroute
>> 31c30
>> <     # rightnexthop=%defaultroute
>> ---
>> >     rightnexthop=%defaultroute
>> 63,64c62
>> <     # lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
>> <     salifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
>> ---
>> >     lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
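Review bot: this per-connection `salifetime=` overrides the `salifetime=60m` added to the default section in the 7,8c7 hunk, so the policy's lifetime still takes effect; a short template comment saying so would help, because two `salifetime=` lines in one rendered file read like a conflict. The trailing `s` also fixes the assumption that `ipsecpolicy.lifetime_value` is in seconds, which is worth stating next to the line.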
>>
>> 5.- Enable and start vpn-agent
>> # systemctl enable neutron-vpn-agent
>> # systemctl start neutron-vpn-agent
>>
>>
>> I hope this is useful to someone.
>>
>> Matías R. Cuenca del Rey
>>
>> On Tue, Feb 3, 2015 at 12:49 AM, Paul Wouters <paul at nohats.ca> wrote:
>>       On Mon, 2 Feb 2015, Matias R. Cuenca del Rey wrote:
>>
>>             Hello, I'm trying to run Openstack VPNaaS on Centos 7 with
>>             libreswan-3.8-6.el7_0.x86_64. VPNaaS's scripts are for openswan,
>>             so some options are different. I've been working to adapt them;
>>             for example, 'ipsec pluto' didn't work because there was no nssdb.
>>             Right now I have pluto running, but I'm not sure it is running
>>             the way I want. The command that I execute to start pluto is:
>>
>>
>>       We put in a few fixes specifically for openstack and non-root ownership
>>       of files and dropping capabilities later on. Please use libreswan-3.12
>>       to ensure you have all those fixes! You're missing at least
>>       libreswan-3.9:
>>
>>       * pluto: Drop CAP_DAC_OVERRIDE privs later to support non-root dirs [Paul]
>>
>>             # ipsec pluto \
>>                 --ctlbase /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/var/run/pluto \
>>                 --ipsecdir /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d \
>>                 --config /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.conf \
>>                 --uniqueids --nat_traversal \
>>                 --secretsfile /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.secrets \
>>                 --virtual_private %v4:192.168.1.0/24,%v4:192.168.88.0/24
>>
>>             Although I execute ipsec pluto with the --config option, when I
>>             execute 'ipsec whack --status' I read the default config file
>>             and directory:
>>
>>
>>       The order matters. If you specify --config and then --ctlbase, the
>>       ctlbase will override the configuration. If you specify --ctlbase
>>       before --config, the config file version will get used.
>>
>>             Cannot open logfile '(null)': Bad file descriptor
>>             nss directory plutomain: /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d
>>
>>
>>       Those might be caused by the capabilities fix.
>>
>>       If this does not fix your issues, ping me on pwouters at redhat.com and
>>       I'll bring you in contact with our redhat/openstack guy that was part
>>       of fixing these issues.
>>
>>       Paul
>>
>>
>>
>>
>>
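The write-up quoted above patches neutron's OpenSwan device driver by hand. What follows is an added example (my own code, not from the post, from neutron or from libreswan) that restates the same decisions as stand-alone Python so they can be checked before the packaged ipsec.py is touched: classify the per-process NSS database instead of testing one file at a time, build the pluto and addconn argument lists with --use-netkey and --defaultroutenexthop gone and --ipsecdir pointing at etc/ipsec.d, and, if a --config is ever passed, put it before --ctlbase so the per-process ctlbase wins, per Paul's remark that the later option overrides. The function names, the addconn argument shape and the injectable `isfile` predicate are assumptions made for the example; the directory layout follows the post.

```python
# Added example, not neutron's or libreswan's code.  Directory layout follows
# the post: /var/lib/neutron/ipsec/<uuid>/{etc/ipsec.d,etc/ipsec.secrets,var/run/pluto}.
import os

# The three files 'certutil -N' creates for the NSS database pluto reads.
NSS_FILES = ('cert8.db', 'key3.db', 'secmod.db')


def nss_state(ipsecd_dir, isfile=os.path.isfile):
    """Classify the NSS database in ipsecd_dir: 'absent', 'complete' or 'partial'.

    isfile is injectable (assumption for the example) so the decision can be
    exercised without touching the real /var/lib/neutron tree.
    """
    present = [name for name in NSS_FILES
               if isfile(os.path.join(ipsecd_dir, name))]
    if not present:
        return 'absent'
    if len(present) == len(NSS_FILES):
        return 'complete'
    return 'partial'


def nss_init_cmd(ipsecd_dir, isfile=os.path.isfile):
    """Return the certutil argv that creates an empty-password NSS db for pluto,
    or None when the database already exists.

    A partial database (only some of cert8.db/key3.db/secmod.db present) is
    refused instead of being reinitialised over: the operator has to inspect
    or remove the directory first.
    """
    state = nss_state(ipsecd_dir, isfile)
    if state == 'complete':
        return None
    if state == 'partial':
        raise RuntimeError('partial NSS database in %s; remove it and retry'
                           % ipsecd_dir)
    # Same invocation the post adds to ipsec.py; runs via rootwrap as root.
    return ['certutil', '-N', '--empty-password', '-d', ipsecd_dir]


def pluto_cmd(process_dir, virtual_privates, config_file=None):
    """Build the 'ipsec pluto' argv for one neutron VPN process directory.

    As in the post: no --use-netkey (it is the default), --ipsecdir points at
    etc/ipsec.d where the NSS db lives, ctlbase is kept.  If a --config is
    passed anyway it is emitted *before* --ctlbase, because the later option
    wins and the per-process ctlbase must stay in effect.
    """
    etc_dir = os.path.join(process_dir, 'etc')
    cmd = ['ipsec', 'pluto']
    if config_file:
        cmd += ['--config', config_file]
    cmd += ['--ctlbase', os.path.join(process_dir, 'var', 'run', 'pluto'),
            '--ipsecdir', os.path.join(etc_dir, 'ipsec.d'),
            '--uniqueids',
            '--nat_traversal',
            '--secretsfile', os.path.join(etc_dir, 'ipsec.secrets'),
            '--virtual_private',
            ','.join('%%v4:%s' % cidr for cidr in virtual_privates)]
    return cmd


def addconn_cmd(process_dir, conn_id):
    """'ipsec addconn' argv without --defaultroutenexthop (dropped in the post).

    The argument shape is an assumption modelled on the driver's call, not a
    quote of neutron's code.
    """
    return ['ipsec', 'addconn',
            '--ctlbase', os.path.join(process_dir, 'var', 'run', 'pluto'),
            '--config', os.path.join(process_dir, 'etc', 'ipsec.conf'),
            conn_id]


def obsolete_options(cmd, forbidden=('--use-netkey', '--defaultroutenexthop')):
    """Options in cmd that the post removes for libreswan; empty means clean."""
    return [opt for opt in forbidden if opt in cmd]


if __name__ == '__main__':
    # Constructed example directory using the UUID from the post.
    proc = '/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc'
    print(' '.join(pluto_cmd(proc, ['192.168.1.0/24', '192.168.88.0/24'])))
    print(nss_init_cmd(os.path.join(proc, 'etc', 'ipsec.d'), isfile=lambda p: False))
```

Running the module prints the pluto line the post arrives at and the certutil call that would initialise an empty ipsec.d. The functions only build argv lists; executing them is the agent's job through rootwrap, which is why the certutil filter has to exist before any of this runs.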