Hi all,

When using neutron's VPNaaS with the strongSwan back-end, has anyone come up against the seemingly needless limitation whereby the 'Add VPN Service' configuration pane in Horizon only allows you to add one subnet, even if you have several subnets attached to the router which will host the VPN endpoint at the OpenStack end?

The IPsec VPN works well, but only allows you to route to the one OpenStack subnet behind the router, through the VPN tunnel.

However... on the OpenStack network node (where the neutron-vpn-agent and strongSwan are running) I can manually edit the strongSwan configuration file generated from the Horizon input (/var/lib/neutron/ipsec/<router-id>/etc/strongswan/ipsec.conf). I can add the other OpenStack subnet addresses to the 'leftsubnet' statement (comma-separated), save the file, and send a HUP to the /usr/libexec/strongswan/starter process to force charon to re-read the config. After adding the subnets to the 'rightsubnet' statement in my strongSwan VPN client config and bringing up the VPN tunnel, all of the OpenStack subnets are then routable through the VPN tunnel.

Shouldn't the Horizon GUI config allow you to select multiple subnets, if more than one is available on the chosen router?

cheers
Iain
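
The manual 'leftsubnet' edit described in the message above, as an added example that is not part of the original post or of neutron's own code: it validates each prefix before widening the tunnel's local traffic selectors, skips prefixes already listed, and keeps a backup of the file. The function names, the sample conn block and its addresses are constructed for illustration; the HUP to starter is still done by hand as the post describes.

```shell
#!/bin/sh
# Added example (not from the original post): merge extra CIDRs into leftsubnet=.

# write_sample_conf PATH: constructed conn block, not real neutron-vpn-agent output
write_sample_conf() {
    cat >"$1" <<'EOF'
conn example-conn
    left=203.0.113.10
    leftsubnet=10.0.1.0/24
    right=198.51.100.20
    rightsubnet=192.168.50.0/24
EOF
}

# valid_cidr CIDR: succeed only for a single IPv4 prefix such as 10.0.2.0/24
valid_cidr() {
    case $1 in *[!0-9./]*) return 1 ;; esac   # rejects commas, spaces, newlines
    printf '%s\n' "$1" | awk -F'[./]' '
        !/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i > 255) exit 1; exit ($5 > 32) }'
}

# leftsubnets CONF: print the local traffic selectors currently configured
leftsubnets() { sed -n 's/^[[:space:]]*leftsubnet=//p' "$1"; }

# add_leftsubnets CONF CIDR...: append each CIDR not already listed to every
# leftsubnet= line, keeping a copy of the previous file as CONF.bak
add_leftsubnets() {
    conf=$1; shift
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "rejected CIDR: $cidr" >&2; return 2; }
    done
    grep -q '^[[:space:]]*leftsubnet=' "$conf" || { echo "no leftsubnet= in $conf" >&2; return 3; }
    tmp=$(mktemp) || return 1
    awk -v add="$*" '
        /^[ \t]*leftsubnet=/ {
            eq = index($0, "="); key = substr($0, 1, eq); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", val)
            n = split(add, want, " ")
            for (i = 1; i <= n; i++)
                if (index("," val ",", "," want[i] ",") == 0)
                    val = (val == "" ? want[i] : val "," want[i])
            $0 = key val
        }
        { print }' "$conf" >"$tmp" && cp -p "$conf" "$conf.bak" && cat "$tmp" >"$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Since the post describes ipsec.conf as generated from the Horizon input, `leftsubnets` also serves as a quick check that the edit is still in place and that it matches the 'rightsubnet' list on the peer.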
