OpenStack VPNaaS in the community Liberty release: testing

First, the test approach. The environment is still an all-in-one single-node OpenStack. There are two different VPCs, each creating its own VPN service; all that is required is that the egress gateway IPs of the two VPCs' VPN services can reach each other. The egress IP of a vpn-service defaults to the router gateway IP, so putting both VPCs' external networks on the same subnet is enough to achieve this. The detailed steps are:

1: Create vpc-1 and vpc-2

2: Give vpc-1 and vpc-2 the same external network segment as their router gateway

3: Create a vpn-service in each of vpc-1 and vpc-2, so that the corresponding egress gateways are on the same subnet

4: Create an ikepolicy, an ipsecpolicy and an ipsec-vpn connection on each side

5: Create a VM in each VPC and test connectivity between the two

Roughly as follows.

The test steps are as follows:

1: VPC1 and its corresponding ipsec vpn

neutron net-create vpn-network-1
neutron subnet-create --name vpn-subnet-1 vpn-network-1 2.3.4.0/24
neutron router-create vpn-router-1
neutron router-interface-add vpn-router-1 vpn-subnet-1
neutron router-gateway-set vpn-router-1 public
neutron vpn-ikepolicy-create vpn-ikepolicy-1
neutron vpn-ipsecpolicy-create vpn-ipsecpolicy-1
neutron vpn-service-create vpn-router-1 vpn-subnet-1
neutron ipsec-site-connection-create --vpnservice-id 2a728147-436b-4fbf-a065-92e2d36bd9b2 --ikepolicy-id f3ff940c-cf1b-4777-9da6-f9641e653b41 --ipsecpolicy-id 8f4e0157-cd48-4342-8a60-89d6ef122668 --peer-address 172.24.4.4 --peer-id 172.24.4.4 --peer-cidr 4.3.2.0/24 --psk lihui_key

2: VPC2 and its corresponding ipsec vpn

neutron net-create vpn-network-2
neutron subnet-create --name vpn-subnet-2 vpn-network-2 4.3.2.0/24
neutron router-create vpn-router-2
neutron router-interface-add vpn-router-2 vpn-subnet-2
neutron router-gateway-set vpn-router-2 public
neutron vpn-ikepolicy-create vpn-ikepolicy-2
neutron vpn-ipsecpolicy-create vpn-ipsecpolicy-2
neutron vpn-service-create vpn-router-2 vpn-subnet-2
neutron ipsec-site-connection-create --vpnservice-id 5ed48e6e-ec99-4149-808c-0a42e45c5dc2 --ikepolicy-id 7ffc882a-9dc4-4ec2-8cc0-ef3330ad3371 --ipsecpolicy-id b4228923-c4b2-47a9-ae6b-2b7b2ffe6aa8 --peer-address 172.24.4.3 --peer-id 172.24.4.3 --peer-cidr 2.3.4.0/24 --psk lihui_key
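Most failures in a setup like this come from the two ipsec-site-connection commands not mirroring each other: a peer-address, peer-id, peer-cidr or PSK on one side that does not match the other side's gateway IP, local subnet or key. The following Python check is an added example, not part of the original post and not Neutron code; it encodes the pairing rules the commands above rely on. The SITES dictionary is constructed from the values used on this page, and its field names are this example's own rather than Neutron API attributes.

```python
"""Mirror-consistency check for a pair of Neutron VPNaaS site connections.

Added example, not code from the original post or from Neutron. The two
site definitions below are constructed from the parameters used on this
page; in a real deployment they would be read from the router,
vpn-service and ipsec-site-connection objects.
"""
import ipaddress

# Constructed from the page: each side's local subnet, the router gateway
# address that the vpn-service uses as its own endpoint, the external
# subnet that gateway sits on, and the ipsec-site-connection parameters.
SITES = {
    "vpc-1": {
        "local_cidr": "2.3.4.0/24",
        "gateway_ip": "172.24.4.3",
        "external_cidr": "172.24.4.0/24",
        "peer_address": "172.24.4.4",
        "peer_id": "172.24.4.4",
        "peer_cidr": "4.3.2.0/24",
        "psk": "lihui_key",
    },
    "vpc-2": {
        "local_cidr": "4.3.2.0/24",
        "gateway_ip": "172.24.4.4",
        "external_cidr": "172.24.4.0/24",
        "peer_address": "172.24.4.3",
        "peer_id": "172.24.4.3",
        "peer_cidr": "2.3.4.0/24",
        "psk": "lihui_key",
    },
}


def check_site_pair(a, b):
    """Return the list of mismatches between two sides; empty means consistent."""
    problems = []
    a_ext = ipaddress.ip_network(a["external_cidr"])
    b_ext = ipaddress.ip_network(b["external_cidr"])
    a_local = ipaddress.ip_network(a["local_cidr"])
    b_local = ipaddress.ip_network(b["local_cidr"])

    # 1. Each gateway must sit on its own external subnet, and the two
    #    gateways must be able to reach each other; on this page that is
    #    arranged by putting both routers on the same external network.
    if ipaddress.ip_address(a["gateway_ip"]) not in a_ext:
        problems.append("side a: gateway_ip not in external_cidr")
    if ipaddress.ip_address(b["gateway_ip"]) not in b_ext:
        problems.append("side b: gateway_ip not in external_cidr")
    if a_ext != b_ext:
        problems.append("gateways are on different external subnets")

    # 2. peer-address on each side must be the other side's gateway IP,
    #    and peer-id must agree with it when IP identities are used.
    if a["peer_address"] != b["gateway_ip"]:
        problems.append("side a: peer_address is not side b's gateway_ip")
    if b["peer_address"] != a["gateway_ip"]:
        problems.append("side b: peer_address is not side a's gateway_ip")
    for name, side in (("a", a), ("b", b)):
        if side["peer_id"] != side["peer_address"]:
            problems.append(f"side {name}: peer_id differs from peer_address")

    # 3. peer-cidr on each side must be exactly the other side's local subnet.
    if ipaddress.ip_network(a["peer_cidr"]) != b_local:
        problems.append("side a: peer_cidr is not side b's local subnet")
    if ipaddress.ip_network(b["peer_cidr"]) != a_local:
        problems.append("side b: peer_cidr is not side a's local subnet")

    # 4. Overlapping tenant subnets cannot be routed across the tunnel.
    if a_local.overlaps(b_local):
        problems.append("local subnets overlap")

    # 5. Both ends must share the pre-shared key.
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    return problems


if __name__ == "__main__":
    print(check_site_pair(SITES["vpc-1"], SITES["vpc-2"]) or "consistent")
```

Running it on the page's two sites reports no mismatches; swapping a digit in one peer-cidr or typing the PSK differently on one side is caught before the tunnel is brought up, which is cheaper than reading strongSwan or Openswan logs in the router namespace afterwards.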

3: Create a virtual machine in each VPC

lihui@l-openstack:~$ nova list
+--------------------------------------+------+--------+------------+-------------+-----------------------+
| ID                                   | Name | Status | Task State | Power State | Networks              |
+--------------------------------------+------+--------+------------+-------------+-----------------------+
| cd84c43a-b05c-44a3-9c12-6174d0931a69 | vm-1 | ACTIVE | -          | Running     | vpn-network-1=2.3.4.4 |
| 2f27000a-c732-4976-a9fe-829394b28302 | vm-2 | ACTIVE | -          | Running     | vpn-network-2=4.3.2.3 |
+--------------------------------------+------+--------+------------+-------------+-----------------------+

4: Open ingress in the security group (all protocols from 0.0.0.0/0, for the test)

lihui@l-openstack:~$ neutron security-group-rule-create --direction ingress --remote-ip-prefix 0.0.0.0/0 bd9ececf-1849-4182-8579-dad13e6fa520
Created a new security_group_rule:
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| direction         | ingress                              |
| ethertype         | IPv4                                 |
| id                | 9b9b6ede-393c-42ae-84e9-2605d009d8a3 |
| port_range_max    |                                      |
| port_range_min    |                                      |
| protocol          |                                      |
| remote_group_id   |                                      |
| remote_ip_prefix  | 0.0.0.0/0                            |
| security_group_id | bd9ececf-1849-4182-8579-dad13e6fa520 |
| tenant_id         | ba744b4c95da4c5b8bedf4b6c08dccb3     |
+-------------------+--------------------------------------+

5: ssh into each VM from its qrouter namespace

lihui@l-openstack:~$ sudo ip netns exec qrouter-1315b29a-9b47-47a9-847f-3636d0ebc89a ssh cirros@2.3.4.4
The authenticity of host '2.3.4.4 (2.3.4.4)' can't be established.
RSA key fingerprint is 0b:f3:ae:b0:62:d5:f3:e8:40:e6:f2:e5:68:db:71:94.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '2.3.4.4' (RSA) to the list of known hosts.
cirros@2.3.4.4's password:
$ ip a
1: lo:  mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1450 qdisc pfifo_fast qlen 1000
    link/ether fa:16:3e:86:fc:82 brd ff:ff:ff:ff:ff:ff
    inet 2.3.4.4/24 brd 2.3.4.255 scope global eth0
    inet6 fe80::f816:3eff:fe86:fc82/64 scope link
       valid_lft forever preferred_lft forever

6: Verify connectivity between the VPC subnets, vm1 -> vm2. At first the first packet failed with an ARP failure; after the two sides pinged each other once it was fine.

$ ping 4.3.2.3
PING 4.3.2.3 (4.3.2.3): 56 data bytes
64 bytes from 4.3.2.3: seq=0 ttl=62 time=3.838 ms
64 bytes from 4.3.2.3: seq=1 ttl=62 time=1.678 ms
64 bytes from 4.3.2.3: seq=2 ttl=62 time=1.446 ms
64 bytes from 4.3.2.3: seq=3 ttl=62 time=1.574 ms
64 bytes from 4.3.2.3: seq=4 ttl=62 time=1.478 ms
64 bytes from 4.3.2.3: seq=5 ttl=62 time=1.349 ms
64 bytes from 4.3.2.3: seq=6 ttl=62 time=1.533 ms

7: How to confirm the IPsec traffic? Capture directly on the qr and qg ports.

qr1 port: upstream not yet encapsulated, downstream already decapsulated

lihui@l-openstack:~$ sudo ip netns exec qrouter-1315b29a-9b47-47a9-847f-3636d0ebc89a tshark -i qr-4a84b9a6-ca -f "icmp"
tshark: Lua: Error during loading:
 [string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'qr-4a84b9a6-ca'
  1   0.000000      2.3.4.4 -> 4.3.2.3      ICMP 98 Echo (ping) request  id=0x7f01, seq=104/26624, ttl=64
  2   0.000664      4.3.2.3 -> 2.3.4.4      ICMP 98 Echo (ping) reply    id=0x7f01, seq=104/26624, ttl=62 (request in 1)
  3   1.001958      2.3.4.4 -> 4.3.2.3      ICMP 98 Echo (ping) request  id=0x7f01, seq=105/26880, ttl=64
  4   1.002515      4.3.2.3 -> 2.3.4.4      ICMP 98 Echo (ping) reply    id=0x7f01, seq=105/26880, ttl=62 (request in 3)
  5   2.004055      2.3.4.4 -> 4.3.2.3      ICMP 98 Echo (ping) request  id=0x7f01, seq=106/27136, ttl=64
  6   2.004716      4.3.2.3 -> 2.3.4.4      ICMP 98 Echo (ping) reply    id=0x7f01, seq=106/27136, ttl=62 (request in 5)
  7   3.006048      2.3.4.4 -> 4.3.2.3      ICMP 98 Echo (ping) request  id=0x7f01, seq=107/27392, ttl=64
  8   3.006639      4.3.2.3 -> 2.3.4.4      ICMP 98 Echo (ping) reply    id=0x7f01, seq=107/27392, ttl=62 (request in 7)
  9   4.008060      2.3.4.4 -> 4.3.2.3      ICMP 98 Echo (ping) request  id=0x7f01, seq=108/27648, ttl=64
 10   4.008706      4.3.2.3 -> 2.3.4.4      ICMP 98 Echo (ping) reply    id=0x7f01, seq=108/27648, ttl=62 (request in 9)

qg1 port: ESP protocol, the encryption side. Note the timestamps of the second ESP packet and the ICMP packet: they are exactly the same. I am not sure whether this is the same idea as a VXLAN packet getting a VXLAN header and a UDP header added, i.e. whether the ICMP is simply the payload encrypted by ESP; my understanding is that upstream the packet has been encapsulated with the external egress IP, and downstream the two packets are one decapsulation process.

lihui@l-openstack:~$ sudo ip netns exec qrouter-1315b29a-9b47-47a9-847f-3636d0ebc89a tshark -i qg-6deb7bb7-c8
tshark: Lua: Error during loading:
 [string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'qg-6deb7bb7-c8'
  1   0.000000   172.24.4.3 -> 172.24.4.4   ESP 166 ESP (SPI=0x4ef282c7)
  2   0.000503   172.24.4.4 -> 172.24.4.3   ESP 166 ESP (SPI=0xc0029bdd)
  3   0.000503      4.3.2.3 -> 2.3.4.4      ICMP 98 Echo (ping) reply    id=0x7f01, seq=141/36096, ttl=63
  4   1.002210   172.24.4.3 -> 172.24.4.4   ESP 166 ESP (SPI=0x4ef282c7)
  5   1.002700   172.24.4.4 -> 172.24.4.3   ESP 166 ESP (SPI=0xc0029bdd)
  6   1.002700      4.3.2.3 -> 2.3.4.4      ICMP 98 Echo (ping) reply    id=0x7f01, seq=142/36352, ttl=63
  7   2.004328   172.24.4.3 -> 172.24.4.4   ESP 166 ESP (SPI=0x4ef282c7)
  8   2.004813   172.24.4.4 -> 172.24.4.3   ESP 166 ESP (SPI=0xc0029bdd)
  9   2.004813      4.3.2.3 -> 2.3.4.4      ICMP 98 Echo (ping) reply    id=0x7f01, seq=143/36608, ttl=63
 10   3.006449   172.24.4.3 -> 172.24.4.4   ESP 166 ESP (SPI=0x4ef282c7)
 11   3.006978   172.24.4.4 -> 172.24.4.3   ESP 166 ESP (SPI=0xc0029bdd)
 12   3.006978      4.3.2.3 -> 2.3.4.4      ICMP 98 Echo (ping) reply    id=0x7f01, seq=144/36864, ttl=63

qg2 port: decapsulation, plus upstream encapsulation

lihui@l-openstack:~$ sudo ip netns exec qrouter-46aeb937-98b1-4b8c-a119-f8d29ba108e8 tshark -i qg-9f5f9982-99
tshark: Lua: Error during loading:
 [string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'qg-9f5f9982-99'
  1   0.000000   172.24.4.3 -> 172.24.4.4   ESP 166 ESP (SPI=0x4ef282c7)
  2   0.000000      2.3.4.4 -> 4.3.2.3      ICMP 98 Echo (ping) request  id=0x7f01, seq=880/28675, ttl=63
  3   0.000539   172.24.4.4 -> 172.24.4.3   ESP 166 ESP (SPI=0xc0029bdd)
  4   1.001345   172.24.4.3 -> 172.24.4.4   ESP 166 ESP (SPI=0x4ef282c7)
  5   1.001345      2.3.4.4 -> 4.3.2.3      ICMP 98 Echo (ping) request  id=0x7f01, seq=881/28931, ttl=63
  6   1.001930   172.24.4.4 -> 172.24.4.3   ESP 166 ESP (SPI=0xc0029bdd)
  7   2.003556   172.24.4.3 -> 172.24.4.4   ESP 166 ESP (SPI=0x4ef282c7)
  8   2.003556      2.3.4.4 -> 4.3.2.3      ICMP 98 Echo (ping) request  id=0x7f01, seq=882/29187, ttl=63
  9   2.004166   172.24.4.4 -> 172.24.4.3   ESP 166 ESP (SPI=0xc0029bdd)
 10   3.005913   172.24.4.3 -> 172.24.4.4   ESP 166 ESP (SPI=0x4ef282c7)
 11   3.005913      2.3.4.4 -> 4.3.2.3      ICMP 98 Echo (ping) request  id=0x7f01, seq=883/29443, ttl=63
 12   3.006493   172.24.4.4 -> 172.24.4.3   ESP 166 ESP (SPI=0xc0029bdd)

qr2 port: inbound and return

lihui@l-openstack:~$ sudo ip netns exec qrouter-46aeb937-98b1-4b8c-a119-f8d29ba108e8 tshark -i qr-5d202b73-21
tshark: Lua: Error during loading:
 [string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'qr-5d202b73-21'
  1   0.000000      2.3.4.4 -> 4.3.2.3      ICMP 98 Echo (ping) request  id=0x7f01, seq=1034/2564, ttl=62
  2   0.000374      4.3.2.3 -> 2.3.4.4      ICMP 98 Echo (ping) reply    id=0x7f01, seq=1034/2564, ttl=64 (request in 1)
  3   1.002398      2.3.4.4 -> 4.3.2.3      ICMP 98 Echo (ping) request  id=0x7f01, seq=1035/2820, ttl=62
  4   1.002764      4.3.2.3 -> 2.3.4.4      ICMP 98 Echo (ping) reply    id=0x7f01, seq=1035/2820, ttl=64 (request in 3)
  5   2.004286      2.3.4.4 -> 4.3.2.3      ICMP 98 Echo (ping) request  id=0x7f01, seq=1036/3076, ttl=62
  6   2.004656      4.3.2.3 -> 2.3.4.4      ICMP 98 Echo (ping) reply    id=0x7f01, seq=1036/3076, ttl=64 (request in 5)
  7   3.006374      2.3.4.4 -> 4.3.2.3      ICMP 98 Echo (ping) request  id=0x7f01, seq=1037/3332, ttl=62
  8   3.006715      4.3.2.3 -> 2.3.4.4      ICMP 98 Echo (ping) reply    id=0x7f01, seq=1037/3332, ttl=64 (request in 7)
  9   4.007966      2.3.4.4 -> 4.3.2.3      ICMP 98 Echo (ping) request  id=0x7f01, seq=1038/3588, ttl=62
 10   4.008583      4.3.2.3 -> 2.3.4.4      ICMP 98 Echo (ping) reply    id=0x7f01, seq=1038/3588, ttl=64 (request in 9)
 11   5.009055      2.3.4.4 -> 4.3.2.3      ICMP 98 Echo (ping) request  id=0x7f01, seq=1039/3844, ttl=62
 12   5.009407      4.3.2.3 -> 2.3.4.4      ICMP 98 Echo (ping) reply    id=0x7f01, seq=1039/3844, ttl=64 (request in 11)
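The identical timestamps are the expected behaviour of the Linux IPsec (XFRM) receive path: after an inbound ESP frame is decrypted, the inner packet is re-injected on the same interface carrying the same capture timestamp, so a capture on qg shows the ESP frame followed by its cleartext content, while outbound tenant traffic appears on qg only as ESP because encryption happens before the frame reaches the interface. The inner TTL of 63 on qg against 62 on qr also shows the decapsulated packet is forwarded one more hop inside the router. The Python script below is an added example, not part of the original post; it parses tshark summary lines as printed above, pairs each cleartext tenant packet on the external port with the inbound ESP frame it came out of, and flags any tenant packet on the external port that has no such ESP frame, which is the check to make before trusting that nothing leaves the router in the clear. QG1_CAPTURE is the qg1 capture from this page; LEAK_CAPTURE is constructed to show the failing case.

```python
"""Audit a tshark summary capture taken on a router's external (qg) port.

Added example, not from the original post. It parses the one-line-per-frame
output tshark prints on this page and checks that every cleartext tenant
packet seen on the external port is the kernel's decapsulated copy of the
ESP frame just received (same timestamp, previous frame), and that no
tenant packet appears there in the clear without one.
"""
import ipaddress
import re

LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+) -> (?P<dst>\S+)"
    r"\s+(?P<proto>\S+)\s+(?P<length>\d+)\s+(?P<info>.*)$"
)

# Copied from the page: the qg1 capture (ESP in both directions, cleartext
# only for the inbound replies, each right after an ESP frame).
QG1_CAPTURE = """\
  1   0.000000   172.24.4.3 -> 172.24.4.4   ESP 166 ESP (SPI=0x4ef282c7)
  2   0.000503   172.24.4.4 -> 172.24.4.3   ESP 166 ESP (SPI=0xc0029bdd)
  3   0.000503      4.3.2.3 -> 2.3.4.4      ICMP 98 Echo (ping) reply    id=0x7f01, seq=141/36096, ttl=63
  4   1.002210   172.24.4.3 -> 172.24.4.4   ESP 166 ESP (SPI=0x4ef282c7)
  5   1.002700   172.24.4.4 -> 172.24.4.3   ESP 166 ESP (SPI=0xc0029bdd)
  6   1.002700      4.3.2.3 -> 2.3.4.4      ICMP 98 Echo (ping) reply    id=0x7f01, seq=142/36352, ttl=63
  7   2.004328   172.24.4.3 -> 172.24.4.4   ESP 166 ESP (SPI=0x4ef282c7)
  8   2.004813   172.24.4.4 -> 172.24.4.3   ESP 166 ESP (SPI=0xc0029bdd)
  9   2.004813      4.3.2.3 -> 2.3.4.4      ICMP 98 Echo (ping) reply    id=0x7f01, seq=143/36608, ttl=63
 10   3.006449   172.24.4.3 -> 172.24.4.4   ESP 166 ESP (SPI=0x4ef282c7)
 11   3.006978   172.24.4.4 -> 172.24.4.3   ESP 166 ESP (SPI=0xc0029bdd)
 12   3.006978      4.3.2.3 -> 2.3.4.4      ICMP 98 Echo (ping) reply    id=0x7f01, seq=144/36864, ttl=63
"""

# Constructed failing case: frame 3 is tenant traffic on the external port
# with no ESP frame in front of it, i.e. it left the router unencrypted.
LEAK_CAPTURE = """\
  1   0.000000   172.24.4.3 -> 172.24.4.4   ESP 166 ESP (SPI=0x4ef282c7)
  2   0.000503   172.24.4.4 -> 172.24.4.3   ESP 166 ESP (SPI=0xc0029bdd)
  3   0.500000      2.3.4.4 -> 4.3.2.3      ICMP 98 Echo (ping) request  id=0x7f01, seq=1/256, ttl=63
"""


def parse_capture(text):
    """Turn tshark summary lines into dicts; lines that do not match are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = m.groupdict()
        f["frame"] = int(f["frame"])
        m_ttl = re.search(r"ttl=(\d+)", f["info"])
        f["ttl"] = int(m_ttl.group(1)) if m_ttl else None
        m_spi = re.search(r"SPI=(0x[0-9a-fA-F]+)", f["info"])
        f["spi"] = m_spi.group(1) if m_spi else None
        frames.append(f)
    return frames


def audit_external_port(text, tenant_cidrs, local_gateway):
    """Classify frames on a qg port: ESP count, decapsulated copies, leaks."""
    nets = [ipaddress.ip_network(c) for c in tenant_cidrs]
    result = {"esp": 0, "decapsulated": [], "leaked": []}
    prev = None
    for f in parse_capture(text):
        if f["proto"] == "ESP":
            result["esp"] += 1
        else:
            try:
                src = ipaddress.ip_address(f["src"])
                dst = ipaddress.ip_address(f["dst"])
                is_tenant = any(src in n for n in nets) and any(dst in n for n in nets)
            except ValueError:  # non-IP frame (e.g. ARP): not tenant traffic
                is_tenant = False
            if is_tenant:
                # A decapsulated copy follows the inbound ESP frame (destined to
                # our own gateway) and carries the very same timestamp.
                inbound_esp = (prev is not None and prev["proto"] == "ESP"
                               and prev["dst"] == local_gateway
                               and prev["time"] == f["time"])
                (result["decapsulated"] if inbound_esp else result["leaked"]).append(f)
        prev = f
    return result


def inner_ttls(result):
    """Distinct TTLs of the decapsulated packets (63 on this page: one hop below 64)."""
    return sorted({f["ttl"] for f in result["decapsulated"]})
```

On the page's qg1 capture this yields eight ESP frames, four decapsulated replies and no leaks; on the constructed capture the unpaired ICMP request is reported as a leak. The same audit applies to qg2 with local_gateway set to 172.24.4.4, where the decapsulated copies are the inbound requests instead of the replies.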

8: Looking inside the qrouter, just one route has been added, to the peer VPC's subnet, with the local VPN's egress gateway (the qg interface) as its next hop

lihui@l-openstack:~$ sudo ip netns exec qrouter-1315b29a-9b47-47a9-847f-3636d0ebc89a ip r
default via 172.24.4.1 dev qg-6deb7bb7-c8
2.3.4.0/24 dev qr-4a84b9a6-ca  proto kernel  scope link  src 2.3.4.1
4.3.2.0/24 dev qg-6deb7bb7-c8  scope link  mtu 1500
172.24.4.0/24 dev qg-6deb7bb7-c8  proto kernel  scope link  src 172.24.4.3
lihui@l-openstack:~$
lihui@l-openstack:~$
lihui@l-openstack:~$ sudo ip netns exec qrouter-46aeb937-98b1-4b8c-a119-f8d29ba108e8 ip r
default via 172.24.4.1 dev qg-9f5f9982-99
2.3.4.0/24 dev qg-9f5f9982-99  scope link  mtu 1500
4.3.2.0/24 dev qr-5d202b73-21  proto kernel  scope link  src 4.3.2.1
172.24.4.0/24 dev qg-9f5f9982-99  proto kernel  scope link  src 172.24.4.4

After deleting the VPN, the route is removed as well

lihui@l-openstack:~$ sudo ip netns exec qrouter-1315b29a-9b47-47a9-847f-3636d0ebc89a ip r
default via 172.24.4.1 dev qg-6deb7bb7-c8
2.3.4.0/24 dev qr-4a84b9a6-ca  proto kernel  scope link  src 2.3.4.1
172.24.4.0/24 dev qg-6deb7bb7-c8  proto kernel  scope link  src 172.24.4.3
lihui@l-openstack:~$
lihui@l-openstack:~$ sudo ip netns exec qrouter-46aeb937-98b1-4b8c-a119-f8d29ba108e8 ip r
default via 172.24.4.1 dev qg-9f5f9982-99
4.3.2.0/24 dev qr-5d202b73-21  proto kernel  scope link  src 4.3.2.1
172.24.4.0/24 dev qg-9f5f9982-99  proto kernel  scope link  src 172.24.4.4

With that, the role of the VPN is clear: besides encryption, it routes the VPC's traffic destined for the peer to the local VPN's egress gateway, so that IPsec negotiation with the peer VPN's egress gateway can take place.
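That route is easy to verify from the namespace. The Python check below is an added example, not from the original post; it parses `ip r` output as shown above and confirms that the peer CIDR is routed out of the qg interface while the site connection exists, that the local subnet stays on the qr interface, and that the peer route is gone once the VPN has been deleted. Both routing tables are copied from this page.

```python
"""Check a qrouter namespace's routing table for the VPNaaS peer route.

Added example, not from the original post. Parses `ip r` output as printed
on this page and verifies the peer-VPC route that VPNaaS installs in the
router namespace, before and after the site connection is deleted.
"""
import re

ROUTE_RE = re.compile(
    r"^(?P<dst>default|\S+/\d+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)(?P<rest>.*)$"
)

# Copied from the page: vpn-router-1's table with the VPN in place ...
ROUTER1_WITH_VPN = """\
default via 172.24.4.1 dev qg-6deb7bb7-c8
2.3.4.0/24 dev qr-4a84b9a6-ca  proto kernel  scope link  src 2.3.4.1
4.3.2.0/24 dev qg-6deb7bb7-c8  scope link  mtu 1500
172.24.4.0/24 dev qg-6deb7bb7-c8  proto kernel  scope link  src 172.24.4.3
"""

# ... and after the VPN was deleted.
ROUTER1_WITHOUT_VPN = """\
default via 172.24.4.1 dev qg-6deb7bb7-c8
2.3.4.0/24 dev qr-4a84b9a6-ca  proto kernel  scope link  src 2.3.4.1
172.24.4.0/24 dev qg-6deb7bb7-c8  proto kernel  scope link  src 172.24.4.3
"""


def parse_routes(text):
    """Map destination prefix -> route fields (via, dev, mtu if present)."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        m_mtu = re.search(r"\bmtu (\d+)", r["rest"])
        r["mtu"] = int(m_mtu.group(1)) if m_mtu else None
        routes[r["dst"]] = r
    return routes


def check_vpn_routes(text, local_cidr, peer_cidr, qr_dev, qg_dev, vpn_present):
    """Return a list of problems; empty means the table matches expectations."""
    routes = parse_routes(text)
    problems = []
    # The tenant subnet is always a connected route on the qr interface.
    local = routes.get(local_cidr)
    if local is None or local["dev"] != qr_dev:
        problems.append(f"{local_cidr} is not on {qr_dev}")
    peer = routes.get(peer_cidr)
    if vpn_present:
        # With the site connection up, the peer subnet must leave through the
        # qg interface, whose address is the VPN's local endpoint.
        if peer is None:
            problems.append(f"no route to peer {peer_cidr}")
        elif peer["dev"] != qg_dev:
            problems.append(f"peer route leaves via {peer['dev']}, expected {qg_dev}")
    elif peer is not None:
        # After deletion a leftover route would black-hole traffic to the peer.
        problems.append(f"stale route to {peer_cidr} after VPN removal")
    return problems


if __name__ == "__main__":
    args = ("2.3.4.0/24", "4.3.2.0/24", "qr-4a84b9a6-ca", "qg-6deb7bb7-c8")
    print(check_vpn_routes(ROUTER1_WITH_VPN, *args, True) or "ok with VPN")
    print(check_vpn_routes(ROUTER1_WITHOUT_VPN, *args, False) or "ok without VPN")
```

The same function run against vpn-router-2's tables uses 4.3.2.0/24 as the local subnet, 2.3.4.0/24 as the peer and the qr-5d202b73-21 / qg-9f5f9982-99 interfaces.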
