<div dir="ltr">Thank you Paul!<br>Yesterday I could modify openstack-neutron-vpn-agent-2014.2.1-1.el7.centos.noarch&#39;s script and the VPN just works :). I don&#39;t know much about Python but I did my best. I&#39;m sure it can be improved. These are all the steps I did to enable VPNaaS on Openstack Juno with Centos 7 and libreswan-3.8-6.el7_0.x86_64 (I can only use the &#39;official repos&#39;).<br><br>
<div>1.- Install the necessary packages:</div>
<pre># yum install openstack-neutron-vpn-agent libreswan -y</pre>
<div>2.- Enable the vpnaas plugin in neutron:</div>
<pre># cat /etc/neutron/neutron.conf
...
service_plugins = router,vpnaas
...
service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
...</pre>
<div>3.- Configure the vpn plugin:</div>
<pre># cat /etc/neutron/vpn_agent.ini

[DEFAULT]
# VPN-Agent configuration file
# Note vpn-agent inherits l3-agent, so you can use configs on l3-agent also
##interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver

[vpnagent]
# vpn device drivers which vpn agent will use
# If we want to use multiple drivers,  we need to define this option multiple times.
vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver
# vpn_device_driver=neutron.services.vpn.device_drivers.cisco_ipsec.CiscoCsrIPsecDriver
# vpn_device_driver=another_driver

[ipsec]
# Status check interval
ipsec_status_check_interval=30</pre>
<div>4.- Here we start with the dirt :)</div>
<div>4.1.- Add the certutil command to vpnaas.filters, so it can be executed through neutron rootwrap:</div>
<pre># cat /usr/share/neutron/rootwrap/vpnaas.filters
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user

# format seems to be
# cmd-name: filter-name, raw-command, user, args

[Filters]

ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
openswan: CommandFilter, ipsec, root
libreswan: CommandFilter, certutil, root</pre>
<div>4.2.- Edit ipsec.py, which executes the &#39;ipsec&#39; and (now) &#39;certutil&#39; commands:</div>
<div>4.2.1.- If the nss db does not exist, it is created in /var/lib/neutron/ipsec/&lt;uuid&gt;/etc/ipsec.d</div>
<div>4.2.2.- In the &#39;ipsec pluto&#39; execution:</div>
<div>4.2.2.1.- Remove the &#39;--config&#39; option, keep ctlbase (Thanks Paul!)</div>
<div>4.2.2.2.- Change the argument of &#39;--ipsecdir&#39; from /var/lib/neutron/ipsec/&lt;uuid&gt;/etc/ to /var/lib/neutron/ipsec/&lt;uuid&gt;/etc/ipsec.d</div>
<div>4.2.2.3.- Remove --use-netkey because it is the default option</div>
<div>4.2.3.- In the &#39;ipsec addconn&#39; execution:</div>
<div>4.2.3.1.- Remove &#39;--defaultroutenexthop&#39; because it is obsolete</div>
<div>The diff between the original and the modified file is:</div>
<pre># diff  /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/ipsec.py /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/ipsec.py.original 
97d96
&lt;     bcertutil = &quot;certutil&quot; 
114,119d112
&lt;     NSS_FILES = [
&lt;         &#39;cert8.db&#39;,
&lt;         &#39;key3.db&#39;,
&lt;         &#39;secmod.db&#39;
&lt;     ]
&lt; 
189,197d181
&lt;     def _ensure_nss(self, nss_files):
&lt;         if not os.path.isfile(nss_files):
&lt;             #start nss database
&lt;             self._execute([self.bcertutil,
&lt;                        &#39;-N&#39;,
&lt;                        &#39;--empty-password&#39;,
&lt;                        &#39;-d&#39;, self.ipsecd_dir,
&lt;                        ])
&lt; 
199c183
&lt;         &quot;&quot;&quot;Create config directory and nss files if they does not exist.&quot;&quot;&quot; 
---
&gt;         &quot;&quot;&quot;Create config directory if it does not exist.&quot;&quot;&quot; 
204,206d187
&lt;         for nss_file in self.NSS_FILES:
&lt;             nss_path = os.path.join(self.ipsecd_dir, nss_file)
&lt;             self._ensure_nss(nss_path)
327,328d307
&lt;         self.ipsecd_dir = os.path.join(
&lt;             self.etc_dir, &#39;ipsec.d&#39;)
401c380,381
&lt;                        &#39;--ipsecdir&#39;, self.ipsecd_dir,
---
&gt;                        &#39;--ipsecdir&#39;, self.etc_dir,
&gt;                        &#39;--use-netkey&#39;,
412a393
&gt;                            &#39;--defaultroutenexthop&#39;, nexthop,</pre>
<div>4.3.- Edit ipsec.conf.template, which is used to generate /var/lib/neutron/ipsec/&lt;uuid&gt;/ipsec.conf (necessary for the ipsec addconn command). Just comment out the obsolete options. The diff between the original and the modified file is:</div>
<pre># diff /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/template/openswan/ipsec.conf.template /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/template/openswan/ipsec.conf.template.original 
3c3
&lt;     # nat_traversal=yes
---
&gt;     nat_traversal=yes
7,8c7
&lt;     # keylife=60m
&lt;     salifetime=60m
---
&gt;     keylife=60m
20c19
&lt;     # leftnexthop=%defaultroute
---
&gt;     leftnexthop=%defaultroute
31c30
&lt;     # rightnexthop=%defaultroute
---
&gt;     rightnexthop=%defaultroute
63,64c62
&lt;     # lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
&lt;     salifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
---
&gt;     lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s</pre>
<div>5.- Enable and start the vpn-agent:</div>
<pre># systemctl enable neutron-vpn-agent
# systemctl start neutron-vpn-agent</pre>
<div><br></div>
<div>Hope it could be useful to someone.</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature">Matías R. Cuenca del Rey</div></div>
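<div>Review bot: in the _ensure_nss hunk (189,197d181) the parameter named nss_files receives a single path, so call it nss_file; the &#39;#start nss database&#39; comment should also say that &#39;--empty-password&#39; deliberately creates a database with no master password, because pluto has to open it unattended. Since self._execute goes through rootwrap, and the &#39;libreswan: CommandFilter, certutil, root&#39; line added in 4.1 accepts any argument list as root, this method is the only place that constrains which &#39;-d&#39; directory certutil touches: keep the path derived from self.ipsecd_dir only. The filter is also named libreswan while the command it allows is certutil (from nss-tools); naming it certutil would make the filter file self-explanatory.</div>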
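<div>Review bot: the loop at 204,206d187 calls _ensure_nss once per file, so &#39;certutil -N&#39; is run again against a directory that already holds cert8.db whenever only key3.db or secmod.db is missing. certutil -N creates all three files in one call, so test for the three files once, run it once when none is present, and treat a partial set as a damaged database to report rather than silently re-initialise.</div>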
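<div>Review bot: docstring at 199c183: &#39;if they does not exist&#39; should read &#39;if they do not exist&#39;.</div>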
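<div>Review bot: 327,328d307 defines self.ipsecd_dir, which is then passed to &#39;certutil -d&#39; and &#39;--ipsecdir&#39;, but no hunk in this diff creates the etc/ipsec.d directory, and the docstring at 199c183 says the original code only creates the config directory. Create it explicitly next to the other directories, with restrictive permissions since it will hold the NSS key database, instead of relying on certutil to cope with a missing path on the first start of a service.</div>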
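<div>Review bot: 401c380,381 changes &#39;--ipsecdir&#39; to self.ipsecd_dir and drops &#39;--use-netkey&#39;, matching 4.2.2.2 and 4.2.2.3, but the &#39;--config&#39; removal described in 4.2.2.1 has no corresponding hunk in this diff: either the original never passed &#39;--config&#39; to pluto here, or a hunk is missing from the write-up; worth reconciling the description with the diff.</div>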
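<div>Review bot: 412a393 removes the only visible use of nexthop; if the code that computes it is still present in the modified file, it is now dead and should be removed as well.</div>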
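<div>Review bot: in 7,8c7 the openswan keyword keylife is replaced by salifetime, the libreswan name for the same IPsec SA lifetime, so the 60m default keeps its meaning and ikelifetime is unaffected. Rather than leaving &#39;# keylife=60m&#39; in the template, drop it and state in a comment why the keyword changed, so the rendered ipsec.conf does not carry stale settings; the same applies to the commented-out lines in 3c3, 20c19, 31c30 and 63,64c62.</div>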
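<div>Added here as an example, not code from this mail or from neutron: a post-install check for steps 2, 4.1 and 4.2.1 above, written for Python 3. It assumes that service_provider lives under [service_providers] in neutron.conf and that the NSS database is the dbm format the patch expects (cert8.db, key3.db, secmod.db); the function names are mine.</div>

```python
# Added example (not from the mail or from neutron): a post-install check for
# steps 2, 4.1 and 4.2.1. Assumptions: Python 3, service_provider lives under
# [service_providers], and the NSS db is the dbm format the patch expects.
import configparser
import os

NSS_FILES = ("cert8.db", "key3.db", "secmod.db")  # files created by certutil -N

def _parse(text):
    cp = configparser.ConfigParser(strict=False, interpolation=None)  # options may repeat
    cp.read_string(text)
    return cp

def check_neutron_conf(text):
    """Return the problems that would keep the vpnaas plugin from loading."""
    cp = _parse(text)
    problems = []
    plugins = [p.strip() for p in cp.get("DEFAULT", "service_plugins", fallback="").split(",")]
    if "vpnaas" not in plugins:
        problems.append("service_plugins does not list vpnaas")
    values = [v for s in ["DEFAULT"] + cp.sections() for k, v in cp.items(s) if k == "service_provider"]
    if not any(v.startswith("VPN:") for v in values):
        problems.append("no service_provider=VPN:... entry")
    return problems

def check_rootwrap_filters(text):
    """Return the commands the patched ipsec.py runs that rootwrap does not allow."""
    cp = _parse(text)
    allowed = set()
    for _name, value in (cp.items("Filters") if cp.has_section("Filters") else []):
        parts = [p.strip() for p in value.split(",")]
        if len(parts) >= 2 and parts[0] == "CommandFilter":
            allowed.add(parts[1])
    return sorted({"ipsec", "certutil"} - allowed)

def nss_db_state(present):
    """Classify an etc/ipsec.d directory from the NSS files it contains."""
    found = set(present) & set(NSS_FILES)
    if not found:
        return "missing"  # the patched agent will run certutil -N on next start
    return "ok" if found == set(NSS_FILES) else "partial"  # partial: damaged, do not reuse

def scan_ipsec_dirs(base="/var/lib/neutron/ipsec"):
    """Map each VPN service uuid directory under base to its NSS db state."""
    result = {}
    for uuid in (sorted(os.listdir(base)) if os.path.isdir(base) else []):
        dbdir = os.path.join(base, uuid, "etc", "ipsec.d")
        result[uuid] = nss_db_state(os.listdir(dbdir) if os.path.isdir(dbdir) else [])
    return result
```

<div>On a node, pass the contents of /etc/neutron/neutron.conf and /usr/share/neutron/rootwrap/vpnaas.filters to the two check functions and call scan_ipsec_dirs() as a user that can read /var/lib/neutron/ipsec.</div>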
<br><div class="gmail_quote">On Tue, Feb 3, 2015 at 12:49 AM, Paul Wouters <span dir="ltr">&lt;<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Mon, 2 Feb 2015, Matias R. Cuenca del Rey wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello, I&#39;m trying to run Openstack VPNaaS on Centos 7 with libreswan-3.8-6.el7_0.x86_64. VPNaaS&#39;s scripts are for openswan,<span class=""><br>
so there are some options that are different. I&#39;ve been working to adapt them, for example &#39;ipsec pluto&#39; didn&#39;t work<br>
because there was no nssdb.<br>
Right now, I have running pluto, but I&#39;m not sure if it is running like I want. The command that I execute to start pluto<br>
is:<br>
</span></blockquote>
<br>
We put in a few fixes specifically for openstack and non-root ownership<br>
of files and dropping capabilities later on. Please use libreswan-3.12<br>
to ensure you have all those fixes! You&#39;re mixing at least<br>
libreswan-3.9:<br>
<br>
* pluto: Drop CAP_DAC_OVERRIDE privs later to support non-root dirs [Paul]<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
# ipsec pluto --ctlbase /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/var/run/pluto --ipsecdir<br>
/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d --config<br>
/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.conf --uniqueids --nat_traversal --secretsfile<br>
/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.secrets --virtual_private<br>
%v4:192.168.1.0/24,%v4:192.168.88.0/24<br>
<br>
Although I execute ipsec pluto with --config option, when I execute ipsec whack --status I read the default config file<br>
and directory:<br>
</blockquote>
<br></span>
The order matters. If you specify --config and then --ctlbase, the<br>
ctlbase will override the configuration. If you specify --ctlbase<br>
before --config, the config file version will get used.<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Cannot open logfile &#39;(null)&#39;: Bad file descriptornss directory plutomain:<br>
/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d<br>
</blockquote>
<br></span>
Those might be caused by the capabilities fix.<br>
<br>
If this does not fix your issues, ping me on <a href="mailto:pwouters@redhat.com" target="_blank">pwouters@redhat.com</a> and<br>
I&#39;ll bring you in contact with our redhat/openstack guy that was part<br>
of fixing these issues.<span class="HOEnZb"><font color="#888888"><br>
<br>
Paul<br>
</font></span></blockquote></div><br></div>