社区Liberty版本Neutron VPNaaS:创建

社区的VPNaaS服务应该相对简单些,因为是两年前的版本,没有endpoint-group这种方式,router也是集中式,下面就按自己的思路创建一下vpn服务,大概分这几步:

1:VPC的创建

2:ikepolicy,ipsecpolicy

3:vpn-service的创建,外网IP如何分配暂时未知,具体再分析

4:ipsec vpn的创建

详细如下,服务基本可以正常创建出来

租户network

lihui@l-openstack:~$ neutron net-create vpn-network-1
Created a new network:
+-----------------------+--------------------------------------+
| Field                 | Value                                |
+-----------------------+--------------------------------------+
| admin_state_up        | True                                 |
| id                    | cafca5c7-5f8f-41b9-9e69-502d94a6590f |
| mtu                   | 1450                                 |
| name                  | vpn-network-1                        |
| port_security_enabled | True                                 |
| router:external       | False                                |
| shared                | False                                |
| status                | ACTIVE                               |
| subnets               |                                      |
| tenant_id             | ba744b4c95da4c5b8bedf4b6c08dccb3     |
+-----------------------+--------------------------------------+

network里创建subnet

lihui@l-openstack:~$ neutron subnet-create --name vpn-subnet-1 vpn-network-1 2.3.4.0/24
Created a new subnet:
+-------------------+------------------------------------------+
| Field             | Value                                    |
+-------------------+------------------------------------------+
| allocation_pools  | {"start": "2.3.4.2", "end": "2.3.4.254"} |
| cidr              | 2.3.4.0/24                               |
| dns_nameservers   |                                          |
| enable_dhcp       | True                                     |
| gateway_ip        | 2.3.4.1                                  |
| host_routes       |                                          |
| id                | 27f52ab6-1afa-4b05-94f1-105a72121077     |
| ip_version        | 4                                        |
| ipv6_address_mode |                                          |
| ipv6_ra_mode      |                                          |
| name              | vpn-subnet-1                             |
| network_id        | cafca5c7-5f8f-41b9-9e69-502d94a6590f     |
| subnetpool_id     |                                          |
| tenant_id         | ba744b4c95da4c5b8bedf4b6c08dccb3         |
+-------------------+------------------------------------------+

集中式router

lihui@l-openstack:~$ neutron router-create vpn-router-1
Created a new router:
+-----------------------+--------------------------------------+
| Field                 | Value                                |
+-----------------------+--------------------------------------+
| admin_state_up        | True                                 |
| external_gateway_info |                                      |
| id                    | 1315b29a-9b47-47a9-847f-3636d0ebc89a |
| name                  | vpn-router-1                         |
| routes                |                                      |
| status                | ACTIVE                               |
| tenant_id             | ba744b4c95da4c5b8bedf4b6c08dccb3     |
+-----------------------+--------------------------------------+

subnet和gateway

lihui@l-openstack:~$ neutron router-interface-add vpn-router-1 vpn-subnet-1
Added interface 4a84b9a6-ca1f-423e-a075-a6873be74f95 to router vpn-router-1.
lihui@l-openstack:~$ neutron router-gateway-set vpn-router-1 public
Set gateway for router vpn-router-1

 ikepolicy

lihui@l-openstack:~$ neutron vpn-ikepolicy-create vpn-ikepolicy-1
Created a new ikepolicy:
+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| auth_algorithm          | sha1                                 |
| description             |                                      |
| encryption_algorithm    | aes-128                              |
| id                      | f3ff940c-cf1b-4777-9da6-f9641e653b41 |
| ike_version             | v1                                   |
| lifetime                | {"units": "seconds", "value": 3600}  |
| name                    | vpn-ikepolicy-1                      |
| pfs                     | group5                               |
| phase1_negotiation_mode | main                                 |
| tenant_id               | ba744b4c95da4c5b8bedf4b6c08dccb3     |
+-------------------------+--------------------------------------+

ipsecpolicy

lihui@l-openstack:~$ neutron vpn-ipsecpolicy-create vpn-ipsecpolicy-1
Created a new ipsecpolicy:
+----------------------+--------------------------------------+
| Field                | Value                                |
+----------------------+--------------------------------------+
| auth_algorithm       | sha1                                 |
| description          |                                      |
| encapsulation_mode   | tunnel                               |
| encryption_algorithm | aes-128                              |
| id                   | 8f4e0157-cd48-4342-8a60-89d6ef122668 |
| lifetime             | {"units": "seconds", "value": 3600}  |
| name                 | vpn-ipsecpolicy-1                    |
| pfs                  | group5                               |
| tenant_id            | ba744b4c95da4c5b8bedf4b6c08dccb3     |
| transform_protocol   | esp                                  |
+----------------------+--------------------------------------+

vpn-service,这里需要注意的是,分配的IP貌似是从router gateway所在的public网络中分配的

lihui@l-openstack:~$ neutron vpn-service-create vpn-router-1 vpn-subnet-1
Created a new vpnservice:
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| admin_state_up | True                                 |
| description    |                                      |
| external_v4_ip | 172.24.4.3                           |
| external_v6_ip |                                      |
| id             | 2a728147-436b-4fbf-a065-92e2d36bd9b2 |
| name           |                                      |
| router_id      | 1315b29a-9b47-47a9-847f-3636d0ebc89a |
| status         | PENDING_CREATE                       |
| subnet_id      | 27f52ab6-1afa-4b05-94f1-105a72121077 |
| tenant_id      | ba744b4c95da4c5b8bedf4b6c08dccb3     |
+----------------+--------------------------------------+

最后是ipsec-vpn,参数需要注意的是peer-address是对端ipsec vpn的出口网关,peer-id和peer-address一样即可,peer-cidr是对端私网,也就是vpc里需要与本端vpn通信的cidr,psk自己设定,两段保持一致

lihui@l-openstack:~$ neutron ipsec-site-connection-create --vpnservice-id 2a728147-436b-4fbf-a065-92e2d36bd9b2 \
> --ikepolicy-id f3ff940c-cf1b-4777-9da6-f9641e653b41 --ipsecpolicy-id 8f4e0157-cd48-4342-8a60-89d6ef122668 \
> --peer-address 172.24.4.4 --peer-id 172.24.4.4 --peer-cidr 4.3.2.0/24 --psk lihui_key
Created a new ipsec_site_connection:
+----------------+----------------------------------------------------+
| Field          | Value                                              |
+----------------+----------------------------------------------------+
| admin_state_up | True                                               |
| auth_mode      | psk                                                |
| description    |                                                    |
| dpd            | {"action": "hold", "interval": 30, "timeout": 120} |
| id             | f873f461-37b0-42d7-b547-c3a36142c6ae               |
| ikepolicy_id   | f3ff940c-cf1b-4777-9da6-f9641e653b41               |
| initiator      | bi-directional                                     |
| ipsecpolicy_id | 8f4e0157-cd48-4342-8a60-89d6ef122668               |
| mtu            | 1500                                               |
| name           |                                                    |
| peer_address   | 172.24.4.4                                         |
| peer_cidrs     | 4.3.2.0/24                                         |
| peer_id        | 172.24.4.4                                         |
| psk            | lihui_key                                          |
| route_mode     | static                                             |
| status         | PENDING_CREATE                                     |
| tenant_id      | ba744b4c95da4c5b8bedf4b6c08dccb3                   |
| vpnservice_id  | 2a728147-436b-4fbf-a065-92e2d36bd9b2               |
+----------------+----------------------------------------------------+

看上去就管理面API来说还比较顺利,没有出现创建失败,说明VPNaaS服务部署应该没问题,看看服务状态也很正常

lihui@l-openstack:~$ neutron vpn-service-list
+--------------------------------------+------+--------------------------------------+--------+
| id                                   | name | router_id                            | status |
+--------------------------------------+------+--------------------------------------+--------+
| 2a728147-436b-4fbf-a065-92e2d36bd9b2 |      | 1315b29a-9b47-47a9-847f-3636d0ebc89a | ACTIVE |
+--------------------------------------+------+--------------------------------------+--------+
lihui@l-openstack:~$
lihui@l-openstack:~$ neutron ipsec-site-connection-list
+--------------------------------------+------+--------------+--------------+------------+-----------+--------+
| id                                   | name | peer_address | peer_cidrs   | route_mode | auth_mode | status |
+--------------------------------------+------+--------------+--------------+------------+-----------+--------+
| f873f461-37b0-42d7-b547-c3a36142c6ae |      | 172.24.4.4   | "4.3.2.0/24" | static     | psk       | DOWN   |
+--------------------------------------+------+--------------+--------------+------------+-----------+--------+

API无问题,下面就是测试的问题的

发表评论