On Wed, 4 Feb 2015, Matias R. Cuenca del Rey wrote:
Yesterday I could modify
openstack-neutron-vpn-agent-2014.2.1-1.el7.centos.noarch's script and the VPN just
works :).
Does that mean the package will be fixed "upstream"? Or should we take
your write-up below and post it to the libreswan wiki?
Paul
I don't know much about python but
I did my best. I'm sure it can be improved. These are all the steps I did to
enable VPNaaS on Openstack Juno with Centos 7 and
libreswan-3.8-6.el7_0.x86_64 (I can only use 'official repos')
1.- Install necessary packages:
# yum install openstack-neutron-vpn-agent libreswan -y
2.- Enable vpnaas plugin in neutron
# cat /etc/neutron/neutron.conf
...
service_plugins = router,vpnaas
...
service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
...
3.- Configure vpn plugin
# cat /etc/neutron/vpn_agent.ini
[DEFAULT]
# VPN-Agent configuration file
# Note vpn-agent inherits l3-agent, so you can use configs on l3-agent also
##interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
[vpnagent]
# vpn device drivers which vpn agent will use
# If we want to use multiple drivers, we need to define this option multiple times.
vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver
#
vpn_device_driver=neutron.services.vpn.device_drivers.cisco_ipsec.CiscoCsrIPsecDriver
# vpn_device_driver=another_driver
[ipsec]
# Status check interval
ipsec_status_check_interval=30
4.- Here we start with the dirt :)
4.1.- Add the certutil command to vpnaas.filters, so it can be executed through neutron
rootwrap
# cat /usr/share/neutron/rootwrap/vpnaas.filters
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
openswan: CommandFilter, ipsec, root
libreswan: CommandFilter, certutil, root
4.2.- Edit ipsec.py, which executes the 'ipsec' and (now) 'certutil' commands
4.2.1.- If the nss db does not exist, it is created in
/var/lib/neutron/ipsec/<uuid>/etc/ipsec.d
4.2.2.- In 'ipsec pluto' execution:
4.2.2.1.- Remove '--config' option, keep ctlbase (Thanks Paul!)
4.2.2.2.- Change argument of '--ipsecdir' from /var/lib/neutron/ipsec/<uuid>/etc/ to
/var/lib/neutron/ipsec/<uuid>/etc/ipsec.d
4.2.2.3.- Remove --use-netkey because it is the default option
4.2.3.- In 'ipsec addconn' execution:
4.2.3.1.- Remove '--defaultroutenexthop' because it is obsolete
The diff between the original and modified file is:
# diff /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/ipsec.py /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/ipsec.py.original
97d96
< bcertutil = "certutil"
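Review bot: the command above is `diff modified original`, so throughout this listing the `<` lines are the new code and the `>` lines are the shipped Juno driver, the reverse of the usual reading; say so next to the command, or rerun it as `diff ipsec.py.original ipsec.py` so the output applies with plain `patch`.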
114,119d112
< NSS_FILES = [
< 'cert8.db',
< 'key3.db',
< 'secmod.db'
< ]
<
189,197d181
< def _ensure_nss(self, nss_files):
< if not os.path.isfile(nss_files):
< #start nss database
< self._execute([self.bcertutil,
< '-N',
< '--empty-password',
< '-d', self.ipsecd_dir,
< ])
<
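Review bot: `_ensure_nss` decides per file, and the loop in hunk 204,206d187 calls it once for each entry in `NSS_FILES`, so a directory that holds `cert8.db` but is missing `key3.db` gets `certutil -N` run over the existing database; test all three paths up front, refuse to touch a partial set, and call certutil once. The `#start nss database` comment should also say why `--empty-password` is used (pluto opens the database unattended at agent start), and since the rootwrap entry from step 4.1 (`libreswan: CommandFilter, certutil, root`) admits any certutil arguments as root, a `RegExpFilter` pinned to `-N --empty-password -d /var/lib/neutron/ipsec/` would limit what the agent can run.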
199c183
< """Create config directory and nss files if they does not exist."""
---
> """Create config directory if it does not exist."""
204,206d187
< for nss_file in self.NSS_FILES:
< nss_path = os.path.join(self.ipsecd_dir, nss_file)
< self._ensure_nss(nss_path)
327,328d307
< self.ipsecd_dir = os.path.join(
< self.etc_dir, 'ipsec.d')
401c380,381
< '--ipsecdir', self.ipsecd_dir,
---
> '--ipsecdir', self.etc_dir,
> '--use-netkey',
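Review bot: step 4.2.2.1 says `--config` was removed here, but the `>` (original) side of this hunk never passed `--config`; only `--ipsecdir` and `--use-netkey` change, so the write-up should say the `--config` removal undoes an earlier local experiment rather than a change to the shipped driver. A short comment on the `--ipsecdir` line noting that `ipsec.d` is where `_ensure_nss` puts the NSS database would make the directory change self-explanatory.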
412a393
> '--defaultroutenexthop', nexthop,
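Review bot: dropping `'--defaultroutenexthop', nexthop` may leave the caller's `nexthop` value computed but unused; the hunk does not show where it is set, so check that the lookup is removed as well rather than left as dead code.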
4.3.- Edit ipsec.conf.template, which is used to generate
/var/lib/neutron/ipsec/<uuid>/ipsec.conf (necessary for the ipsec addconn command).
Just comment out the obsolete options. The diff between the original and modified file is:
# diff /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/template/openswan/ipsec.conf.template /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/template/openswan/ipsec.conf.template.original
3c3
< # nat_traversal=yes
---
> nat_traversal=yes
7,8c7
< # keylife=60m
< salifetime=60m
---
> keylife=60m
20c19
< # leftnexthop=%defaultroute
---
> leftnexthop=%defaultroute
31c30
< # rightnexthop=%defaultroute
---
> rightnexthop=%defaultroute
63,64c62
< # lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
< salifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
---
> lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
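Review bot: hunks 7,8c7 and 63,64c62 apply the `keylife`/`lifetime` to `salifetime` rename consistently, which is good; the commented-out originals kept beside them (`# keylife=60m`, `# lifetime=...`) end up in every rendered ipsec.conf, so once the template is verified drop them. Note also that the `{{ }}` expression on the commented `lifetime=` line is still evaluated by the template engine regardless of the leading `#`; it just renders into a comment that pluto ignores.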
5.- Enable and start vpn-agent
# systemctl enable neutron-vpn-agent
# systemctl start neutron-vpn-agent
Hope it is useful to someone.
Matías R. Cuenca del Rey
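The two driver changes described in step 4.2 (creating the NSS database in etc/ipsec.d before pluto starts, and building the pluto command line with --ctlbase and --ipsecdir but without --config, in line with Paul's remark about --config and --ctlbase overriding each other), written out as an added, stand-alone example. This is not code from the thread or from the neutron driver: the helper names (ensure_nss_db, pluto_command, demo), the refusal to re-initialise a partial database, and the fake certutil used in demo() are assumptions made here; in the real driver the command runner would be neutron's rootwrap'd self._execute.

```python
import os
import shutil
import subprocess
import tempfile

# The three files that make up the NSS database pluto opens from --ipsecdir,
# as listed in the thread's NSS_FILES.
NSS_FILES = ('cert8.db', 'key3.db', 'secmod.db')


def _present(ipsecd_dir):
    """Return the subset of NSS_FILES that already exists in ipsecd_dir."""
    return [f for f in NSS_FILES if os.path.isfile(os.path.join(ipsecd_dir, f))]


def ensure_nss_db(ipsecd_dir, execute=None):
    """Create ipsecd_dir and, if no NSS database is there yet, initialise one.

    The database is only created when all three files are absent; a partial
    set is treated as an error rather than re-initialised, so an existing key
    store is never overwritten by a repeated 'certutil -N'.  `execute` is the
    command runner (hypothetical stand-in for the driver's rootwrap'd
    self._execute; a plain subprocess call is used when none is given).
    Returns True if certutil was run.
    """
    if execute is None:
        execute = subprocess.check_call
    if not os.path.isdir(ipsecd_dir):
        os.makedirs(ipsecd_dir, 0o700)
    present = _present(ipsecd_dir)
    if len(present) == len(NSS_FILES):
        return False
    if present:
        raise RuntimeError('partial NSS database in %s (%s); refusing to '
                           're-initialise' % (ipsecd_dir, ', '.join(present)))
    # Same invocation as the driver patch: empty password because pluto must
    # open the database unattended at agent start-up.
    execute(['certutil', '-N', '--empty-password', '-d', ipsecd_dir])
    return True


def pluto_command(base_dir, networks):
    """Build the pluto argv the way the modified driver does.

    --ctlbase and --ipsecdir point inside the per-router directory, --ipsecdir
    is the ipsec.d holding the NSS database, there is no --config (it and
    --ctlbase override each other depending on order) and no --use-netkey
    (the default).  `networks` are the CIDRs for --virtual_private.
    """
    etc_dir = os.path.join(base_dir, 'etc')
    return ['ipsec', 'pluto',
            '--ctlbase', os.path.join(base_dir, 'var', 'run', 'pluto'),
            '--ipsecdir', os.path.join(etc_dir, 'ipsec.d'),
            '--uniqueids',
            '--nat_traversal',
            '--secretsfile', os.path.join(etc_dir, 'ipsec.secrets'),
            '--virtual_private', ','.join('%v4:' + n for n in networks)]


def demo():
    """Exercise both helpers in a throw-away directory with a fake certutil."""
    base = tempfile.mkdtemp(prefix='vpnaas-demo-')
    ipsecd = os.path.join(base, 'etc', 'ipsec.d')
    calls = []

    def fake_certutil(cmd):
        # Constructed stand-in for rootwrap + certutil: record the argv and
        # create the three database files, as 'certutil -N' would.
        calls.append(cmd)
        for name in NSS_FILES:
            open(os.path.join(cmd[-1], name), 'w').close()

    created_first = ensure_nss_db(ipsecd, fake_certutil)   # creates the db
    created_second = ensure_nss_db(ipsecd, fake_certutil)  # already complete
    os.remove(os.path.join(ipsecd, 'key3.db'))             # simulate damage
    try:
        ensure_nss_db(ipsecd, fake_certutil)
        partial_refused = False
    except RuntimeError:
        partial_refused = True
    cmd = pluto_command(base, ['192.168.1.0/24', '192.168.88.0/24'])
    shutil.rmtree(base)
    return {'created_first': created_first,
            'created_second': created_second,
            'certutil_calls': calls,
            'partial_refused': partial_refused,
            'ipsecd_dir': ipsecd,
            'pluto_cmd': cmd}


if __name__ == '__main__':
    for key, value in sorted(demo().items()):
        print('%s: %s' % (key, value))
```

Running the file shows certutil invoked exactly once for a fresh directory, nothing run on the second call, and the half-deleted database rejected instead of re-created; the printed argv is the same shape as the command in step 4.2.2 minus --config and --use-netkey.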
On Tue, Feb 3, 2015 at 12:49 AM, Paul Wouters <[email protected]> wrote:
On Mon, 2 Feb 2015, Matias R. Cuenca del Rey wrote:
Hello, I'm trying to run Openstack VPNaaS on Centos 7 with
libreswan-3.8-6.el7_0.x86_64. VPNaaS's scripts are for openswan,
so there are some options that are different. I've been working to
adapt them; for example, 'ipsec pluto' didn't work
because there was no nssdb.
Right now I have pluto running, but I'm not sure if it is running
the way I want. The command that I execute to start pluto
is:
We put in a few fixes specifically for openstack and non-root ownership
of files and dropping capabilities later on. Please use libreswan-3.12
to ensure you have all those fixes! You're mixing at least
libreswan-3.9:
* pluto: Drop CAP_DAC_OVERRIDE privs later to support non-root dirs [Paul]
# ipsec pluto --ctlbase /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/var/run/pluto --ipsecdir /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d --config /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.conf --uniqueids --nat_traversal --secretsfile /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.secrets --virtual_private %v4:192.168.1.0/24,%v4:192.168.88.0/24
Although I execute ipsec pluto with --config option, when I execute
ipsec whack --status I read the default config file
and directory:
The order matters. If you specify --config and then --ctlbase, the
ctlbase will override the configuration. If you specify --ctlbase
before --config, the config file version will get used.
Cannot open logfile '(null)': Bad file descriptor
nss directory plutomain: /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d
Those might be caused by the capabilities fix.
If this does not fix your issues, ping me on [email protected] and
I'll bring you in contact with our redhat/openstack guy that was part
of fixing these issues.
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan