<div dir="ltr">We could post it to the libreswan wiki. If you want, I can contact the redhat/openstack guy that you told me about. It would be great to fix the package!</div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature">Matías R. Cuenca del Rey</div></div>
<br><div class="gmail_quote">On Wed, Feb 4, 2015 at 12:14 PM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Wed, 4 Feb 2015, Matias R. Cuenca del Rey wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Yesterday I could modify openstack-neutron-vpn-agent-2014.2.1-1.el7.centos.noarch's script and VPN just works :).<br>
</blockquote>
<br></span>
Does that mean the package will be fixed "upstream" ? Or should we take<br>
your write up below and post it to the libreswan wiki ?<span class="HOEnZb"><font color="#888888"><br>
<br>
Paul</font></span><div class="HOEnZb"><div class="h5"><br>
<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I don't know much about python but<br>
I did my best. I'm sure it can be improved. These are all the steps I did to enable VPNaaS on Openstack Juno on Centos 7 with<br>
libreswan-3.8-6.el7_0.x86_64 (I can only use 'official repos')<br>
<br>
1.- Install necessary packages:<br>
# yum install openstack-neutron-vpn-agent libreswan -y<br>
<br>
2.- Enable vpnaas plugin in neutron<br>
# cat /etc/neutron/neutron.conf<br>
...<br>
service_plugins = router,vpnaas<br>
...<br>
service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default<br>
...<br>
<br>
3.- Configure vpn plugin<br>
# cat /etc/neutron/vpn_agent.ini<br>
<br>
[DEFAULT]<br>
# VPN-Agent configuration file<br>
# Note vpn-agent inherits l3-agent, so you can use configs on l3-agent also<br>
##interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver<br>
<br>
[vpnagent]<br>
# vpn device drivers which vpn agent will use<br>
# If we want to use multiple drivers, we need to define this option multiple times.<br>
vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver<br>
# vpn_device_driver=neutron.services.vpn.device_drivers.cisco_ipsec.CiscoCsrIPsecDriver<br>
# vpn_device_driver=another_driver<br>
<br>
[ipsec]<br>
# Status check interval<br>
ipsec_status_check_interval=30<br>
<br>
<br>
4.- Here we start with the dirt :)<br>
4.1.- Add the certutil command to vpnaas.filters, so it can be executed by neutron rootwrap<br>
# cat /usr/share/neutron/rootwrap/vpnaas.filters<br>
# neutron-rootwrap command filters for nodes on which neutron is<br>
# expected to control network<br>
#<br>
# This file should be owned by (and only-writeable by) the root user<br>
<br>
# format seems to be<br>
# cmd-name: filter-name, raw-command, user, args<br>
<br>
[Filters]<br>
<br>
ip: IpFilter, ip, root<br>
ip_exec: IpNetnsExecFilter, ip, root<br>
openswan: CommandFilter, ipsec, root<br>
libreswan: CommandFilter, certutil, root<br>
4.2.- Edit ipsec.py, which executes the 'ipsec' and (now) 'certutil' commands<br>
4.2.1.- If the nss db does not exist, it is created in /var/lib/neutron/ipsec/<uuid>/etc/ipsec.d<br>
4.2.2.- In 'ipsec pluto' execution:<br>
4.2.2.1.- Remove '--config' option, keep ctlbase (Thanks Paul!)<br>
4.2.2.2.- Change argument of '--ipsecdir' from /var/lib/neutron/ipsec/<uuid>/etc/ to /var/lib/neutron/ipsec/<uuid>/etc/ipsec.d<br>
4.2.2.3.- Remove --use-netkey because it is the default option<br>
4.2.3.- In 'ipsec addconn' execution:<br>
4.2.3.1.- Remove '--defaultroutenexthop' because it is obsolete<br>
The diff between original and modified file is:<br>
<br>
# diff /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/ipsec.py<br>
/usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/ipsec.py.original<br>
97d96<br>
< bcertutil = "certutil"<br>
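Review bot: `bcertutil = "certutil"` only works together with the new `libreswan: CommandFilter, certutil, root` line in vpnaas.filters (step 4.1); the two changes must ship together or `_execute` will be refused by rootwrap, so reference the filter in a comment here, and consider naming that filter `certutil:` rather than `libreswan:` so the filter name matches the binary it allows.<br>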
114,119d112<br>
< NSS_FILES = [<br>
< 'cert8.db',<br>
< 'key3.db',<br>
< 'secmod.db'<br>
< ]<br>
<<br>
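Review bot: NSS_FILES lists only the legacy dbm file names (cert8.db, key3.db, secmod.db). On a host whose NSS defaults to the sql backend, `certutil -N` creates cert9.db, key4.db and pkcs11.txt instead, so this check never sees them and certutil is re-run on every start; either pass the format explicitly (`-d dbm:<dir>` or `-d sql:<dir>`) or check for both file sets.<br>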
189,197d181<br>
< def _ensure_nss(self, nss_files):<br>
< if not os.path.isfile(nss_files):<br>
< #start nss database<br>
< self._execute([self.bcertutil,<br>
< '-N',<br>
< '--empty-password',<br>
< '-d', self.ipsecd_dir,<br>
< ])<br>
<<br>
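Review bot: `_ensure_nss(self, nss_files)` receives a single path, so the parameter should be `nss_file`; the comment should read `# start nss database` (PEP 8 wants a space after `#`). Also `--empty-password` initialises the database without a password, which pluto needs for unattended start, so the permissions of the ipsec.d directory are the only protection for the private keys that end up in key3.db; say so in the comment.<br>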
199c183<br>
< """Create config directory and nss files if they does not exist."""<br>
---<br>
> """Create config directory if it does not exist."""<br>
204,206d187<br>
< for nss_file in self.NSS_FILES:<br>
< nss_path = os.path.join(self.ipsecd_dir, nss_file)<br>
< self._ensure_nss(nss_path)<br>
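Review bot: this loop calls `_ensure_nss` once per file, so a directory in which only one of the three files is missing triggers `certutil -N` against an already-populated database (and up to three times in a row). Check the three files once before the loop and run certutil a single time only when none of them exists; a partial set should be reported as an error rather than silently re-initialised.<br>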
327,328d307<br>
< self.ipsecd_dir = os.path.join(<br>
< self.etc_dir, 'ipsec.d')<br>
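Review bot: `self.ipsecd_dir` is only joined here; `certutil -N -d` does not create the directory, so the method whose docstring was changed above must `os.makedirs` the `ipsec.d` directory before `_ensure_nss` runs, otherwise the first start fails before the database exists.<br>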
401c380,381<br>
< '--ipsecdir', self.ipsecd_dir,<br>
---<br>
> '--ipsecdir', self.etc_dir,<br>
> '--use-netkey',<br>
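Review bot: step 4.2.2.1 says `--config` was removed from the `ipsec pluto` command, but this hunk only changes `--ipsecdir` and drops `--use-netkey`; no `--config` removal appears anywhere in the diff. If `--config` is still passed, Paul's note on argument order applies (whichever of `--config` and `--ctlbase` comes last wins), so verify the modified file.<br>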
412a393<br>
> '--defaultroutenexthop', nexthop,<br>
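Review bot: with `'--defaultroutenexthop', nexthop,` gone from the addconn command, check whether `nexthop` is still computed only for this argument; if so, drop that dead computation as well.<br>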
<br>
4.3.- Edit ipsec.conf.template, which is used to generate /var/lib/neutron/ipsec/<uuid>/ipsec.conf (necessary for ipsec addconn command)<br>
Just comment obsolete options. The diff between original and modified file is:<br>
<br>
# diff /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/template/openswan/ipsec.conf.template<br>
/usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/template/openswan/ipsec.conf.template.original<br>
3c3<br>
< # nat_traversal=yes<br>
---<br>
> nat_traversal=yes<br>
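Review bot: libreswan ignores `nat_traversal=` (NAT traversal is always enabled), so dropping it is right, but a commented-out line in the template just lands as a comment in every generated ipsec.conf; delete the line instead of commenting it, and the same goes for the other commented options in this file.<br>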
7,8c7<br>
< # keylife=60m<br>
< salifetime=60m<br>
---<br>
> keylife=60m<br>
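Review bot: in libreswan `keylife` is accepted as an alias of `salifetime`, so this rename is cosmetic; keeping `salifetime` as the canonical name is fine, but then remove the `# keylife=60m` line rather than leaving it as a comment.<br>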
20c19<br>
< # leftnexthop=%defaultroute<br>
---<br>
> leftnexthop=%defaultroute<br>
31c30<br>
< # rightnexthop=%defaultroute<br>
---<br>
> rightnexthop=%defaultroute<br>
63,64c62<br>
< # lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s<br>
< salifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s<br>
---<br>
> lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s<br>
<br>
5.- Enable and start vpn-agent<br>
# systemctl enable neutron-vpn-agent<br>
# systemctl start neutron-vpn-agent<br>
<br>
<br>
Hope it could be useful to someone. <br>
<br>
Matías R. Cuenca del Rey<br>
<br>
On Tue, Feb 3, 2015 at 12:49 AM, Paul Wouters <<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>> wrote:<br>
On Mon, 2 Feb 2015, Matias R. Cuenca del Rey wrote:<br>
<br>
Hello, I'm trying to run Openstack VPNaaS on Centos 7 with libreswan-3.8-6.el7_0.x86_64. VPNaaS's scripts are for openswan,<br>
so there are some options that are different. I've been working to adapt them; for example 'ipsec pluto' didn't work<br>
because there was no nssdb.<br>
Right now I have pluto running, but I'm not sure if it is running like I want. The command that I execute to start pluto<br>
is:<br>
<br>
<br>
We put in a few fixes specifically for openstack and non-root ownership<br>
of files and dropping capabilities later on. Please use libreswan-3.12<br>
to ensure you have all those fixes! You're missing at least<br>
libreswan-3.9:<br>
<br>
* pluto: Drop CAP_DAC_OVERRIDE privs later to support non-root dirs [Paul]<br>
<br>
# ipsec pluto --ctlbase /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/var/run/pluto --ipsecdir<br>
/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d --config<br>
/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.conf --uniqueids --nat_traversal --secretsfile<br>
/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.secrets --virtual_private<br>
%v4:192.168.1.0/24,%v4:192.168.88.0/24<br>
<br>
Although I execute ipsec pluto with --config option, when I execute ipsec whack --status I read the default config file<br>
and directory:<br>
<br>
<br>
The order matters. If you specify --config and then --ctlbase, the<br>
ctlbase will override the configuration. If you specify --ctlbase<br>
before --config, the config file version will get used.<br>
<br>
Cannot open logfile '(null)': Bad file descriptor<br>
nss directory plutomain:<br>
/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d<br>
<br>
<br>
Those might be caused by the capabilities fix.<br>
<br>
If this does not fix your issues, ping me on <a href="mailto:pwouters@redhat.com" target="_blank">pwouters@redhat.com</a> and<br>
I'll bring you in contact with our redhat/openstack guy that was part<br>
of fixing these issues.<br>
<br>
Paul<br>
<br>
<br>
<br>
<br>
</blockquote>
</div></div></blockquote></div><br></div>
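The per-connection NSS database creation that step 4.2.1 and the `_ensure_nss` hunk above describe, written as an added example (my code, not neutron's OpenSwanDriver) that checks the database as a whole, runs `certutil -N` at most once, refuses a half-initialised directory, and also recognises the sql-format file names. `ensure_nss_db`, `nss_db_state`, `self_check` and the injectable fake certutil are my own names.

```python
import os
import subprocess
import tempfile

# Legacy dbm file set, the one the patch on this page checks for.
NSS_DBM_FILES = ('cert8.db', 'key3.db', 'secmod.db')
# sql-backend file set; certutil creates these where sql is the NSS default.
NSS_SQL_FILES = ('cert9.db', 'key4.db', 'pkcs11.txt')

def nss_db_state(ipsecd_dir):
    """Return 'complete', 'partial' or 'missing' for the NSS db in ipsecd_dir."""
    for names in (NSS_DBM_FILES, NSS_SQL_FILES):
        present = [n for n in names if os.path.isfile(os.path.join(ipsecd_dir, n))]
        if len(present) == len(names):
            return 'complete'
        if present:
            return 'partial'
    return 'missing'

def ensure_nss_db(ipsecd_dir, execute=subprocess.check_call):
    """Initialise the NSS db if absent; return True if certutil was run."""
    # 'execute' is injectable: neutron would pass its rootwrap-backed self._execute.
    state = nss_db_state(ipsecd_dir)
    if state == 'complete':
        return False
    if state == 'partial':  # never run 'certutil -N' over a half-initialised db
        raise RuntimeError('incomplete NSS database in %s' % ipsecd_dir)
    # certutil -N does not create the directory; pluto's --ipsecdir will point
    # at it, so create it with owner-only permissions.
    os.makedirs(ipsecd_dir, 0o700, exist_ok=True)
    execute(['certutil', '-N', '--empty-password', '-d', ipsecd_dir])
    return True

def self_check():
    """Exercise all three cases in a temp dir with a fake (constructed) certutil."""
    calls = []
    def fake_certutil(cmd):  # record the call, create the dbm files
        calls.append(cmd)
        for n in NSS_DBM_FILES:
            open(os.path.join(cmd[-1], n), 'w').close()
    d = os.path.join(tempfile.mkdtemp(), 'etc', 'ipsec.d')
    first = ensure_nss_db(d, execute=fake_certutil)   # runs certutil once
    second = ensure_nss_db(d, execute=fake_certutil)  # db present: no call
    os.remove(os.path.join(d, 'key3.db'))             # simulate a broken db
    try:
        ensure_nss_db(d, execute=fake_certutil)
        partial_raised = False
    except RuntimeError:
        partial_raised = True
    return first, second, len(calls), partial_raised
```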