The community VPNaaS service should be relatively simple, since this is a version from two years ago: there is no endpoint-group mechanism and the router is centralized. Below I create a VPN service following my own approach, roughly in these steps:
1: Create the VPC
2: ikepolicy, ipsecpolicy
3: Create the vpn-service; how the external IP is allocated is not yet known and will be analysed further below
4: Create the ipsec vpn
Details follow; the service can basically be created without problems.
Tenant network
lihui@l-openstack:~$ neutron net-create vpn-network-1
Created a new network:
+-----------------------+--------------------------------------+
| Field                 | Value                                |
+-----------------------+--------------------------------------+
| admin_state_up        | True                                 |
| id                    | cafca5c7-5f8f-41b9-9e69-502d94a6590f |
| mtu                   | 1450                                 |
| name                  | vpn-network-1                        |
| port_security_enabled | True                                 |
| router:external       | False                                |
| shared                | False                                |
| status                | ACTIVE                               |
| subnets               |                                      |
| tenant_id             | ba744b4c95da4c5b8bedf4b6c08dccb3     |
+-----------------------+--------------------------------------+
Create a subnet in the network
lihui@l-openstack:~$ neutron subnet-create --name vpn-subnet-1 vpn-network-1 2.3.4.0/24
Created a new subnet:
+-------------------+------------------------------------------+
| Field             | Value                                    |
+-------------------+------------------------------------------+
| allocation_pools  | {"start": "2.3.4.2", "end": "2.3.4.254"} |
| cidr              | 2.3.4.0/24                               |
| dns_nameservers   |                                          |
| enable_dhcp       | True                                     |
| gateway_ip        | 2.3.4.1                                  |
| host_routes       |                                          |
| id                | 27f52ab6-1afa-4b05-94f1-105a72121077     |
| ip_version        | 4                                        |
| ipv6_address_mode |                                          |
| ipv6_ra_mode      |                                          |
| name              | vpn-subnet-1                             |
| network_id        | cafca5c7-5f8f-41b9-9e69-502d94a6590f     |
| subnetpool_id     |                                          |
| tenant_id         | ba744b4c95da4c5b8bedf4b6c08dccb3         |
+-------------------+------------------------------------------+
Centralized router
lihui@l-openstack:~$ neutron router-create vpn-router-1
Created a new router:
+-----------------------+--------------------------------------+
| Field                 | Value                                |
+-----------------------+--------------------------------------+
| admin_state_up        | True                                 |
| external_gateway_info |                                      |
| id                    | 1315b29a-9b47-47a9-847f-3636d0ebc89a |
| name                  | vpn-router-1                         |
| routes                |                                      |
| status                | ACTIVE                               |
| tenant_id             | ba744b4c95da4c5b8bedf4b6c08dccb3     |
+-----------------------+--------------------------------------+
Subnet and gateway
lihui@l-openstack:~$ neutron router-interface-add vpn-router-1 vpn-subnet-1
Added interface 4a84b9a6-ca1f-423e-a075-a6873be74f95 to router vpn-router-1.
lihui@l-openstack:~$ neutron router-gateway-set vpn-router-1 public
Set gateway for router vpn-router-1
ikepolicy
lihui@l-openstack:~$ neutron vpn-ikepolicy-create vpn-ikepolicy-1
Created a new ikepolicy:
+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| auth_algorithm          | sha1                                 |
| description             |                                      |
| encryption_algorithm    | aes-128                              |
| id                      | f3ff940c-cf1b-4777-9da6-f9641e653b41 |
| ike_version             | v1                                   |
| lifetime                | {"units": "seconds", "value": 3600}  |
| name                    | vpn-ikepolicy-1                      |
| pfs                     | group5                               |
| phase1_negotiation_mode | main                                 |
| tenant_id               | ba744b4c95da4c5b8bedf4b6c08dccb3     |
+-------------------------+--------------------------------------+
ipsecpolicy
lihui@l-openstack:~$ neutron vpn-ipsecpolicy-create vpn-ipsecpolicy-1
Created a new ipsecpolicy:
+----------------------+--------------------------------------+
| Field                | Value                                |
+----------------------+--------------------------------------+
| auth_algorithm       | sha1                                 |
| description          |                                      |
| encapsulation_mode   | tunnel                               |
| encryption_algorithm | aes-128                              |
| id                   | 8f4e0157-cd48-4342-8a60-89d6ef122668 |
| lifetime             | {"units": "seconds", "value": 3600}  |
| name                 | vpn-ipsecpolicy-1                    |
| pfs                  | group5                               |
| tenant_id            | ba744b4c95da4c5b8bedf4b6c08dccb3     |
| transform_protocol   | esp                                  |
+----------------------+--------------------------------------+
vpn-service. Note that the allocated external IP appears to be taken from the public network on which the router gateway sits.
lihui@l-openstack:~$ neutron vpn-service-create vpn-router-1 vpn-subnet-1
Created a new vpnservice:
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| admin_state_up | True                                 |
| description    |                                      |
| external_v4_ip | 172.24.4.3                           |
| external_v6_ip |                                      |
| id             | 2a728147-436b-4fbf-a065-92e2d36bd9b2 |
| name           |                                      |
| router_id      | 1315b29a-9b47-47a9-847f-3636d0ebc89a |
| status         | PENDING_CREATE                       |
| subnet_id      | 27f52ab6-1afa-4b05-94f1-105a72121077 |
| tenant_id      | ba744b4c95da4c5b8bedf4b6c08dccb3     |
+----------------+--------------------------------------+
Finally the ipsec-vpn. Parameters to note: peer-address is the egress gateway of the remote IPsec VPN; peer-id can simply be set to the same value as peer-address; peer-cidr is the remote private network, i.e. the CIDR inside the remote VPC that needs to talk to this end through the VPN; the psk is chosen by yourself and must be identical on both ends.
lihui@l-openstack:~$ neutron ipsec-site-connection-create --vpnservice-id 2a728147-436b-4fbf-a065-92e2d36bd9b2 \
> --ikepolicy-id f3ff940c-cf1b-4777-9da6-f9641e653b41 --ipsecpolicy-id 8f4e0157-cd48-4342-8a60-89d6ef122668 \
> --peer-address 172.24.4.4 --peer-id 172.24.4.4 --peer-cidr 4.3.2.0/24 --psk lihui_key
Created a new ipsec_site_connection:
+----------------+----------------------------------------------------+
| Field          | Value                                              |
+----------------+----------------------------------------------------+
| admin_state_up | True                                               |
| auth_mode      | psk                                                |
| description    |                                                    |
| dpd            | {"action": "hold", "interval": 30, "timeout": 120} |
| id             | f873f461-37b0-42d7-b547-c3a36142c6ae               |
| ikepolicy_id   | f3ff940c-cf1b-4777-9da6-f9641e653b41               |
| initiator      | bi-directional                                     |
| ipsecpolicy_id | 8f4e0157-cd48-4342-8a60-89d6ef122668               |
| mtu            | 1500                                               |
| name           |                                                    |
| peer_address   | 172.24.4.4                                         |
| peer_cidrs     | 4.3.2.0/24                                         |
| peer_id        | 172.24.4.4                                         |
| psk            | lihui_key                                          |
| route_mode     | static                                             |
| status         | PENDING_CREATE                                     |
| tenant_id      | ba744b4c95da4c5b8bedf4b6c08dccb3                   |
| vpnservice_id  | 2a728147-436b-4fbf-a065-92e2d36bd9b2               |
+----------------+----------------------------------------------------+
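Every parameter passed above has to be mirrored on the other end, and a mismatch never shows up as an API error: the connection is created fine and simply stays DOWN. The following Python is an added example (not code from the original post or from Neutron) that takes the local values shown above and an assumed mirror-image remote end, and reports mismatches in peer-address, peer-id, peer-cidr, the PSK and the IKE/IPsec proposals; `weak_psk` uses an assumed 16-character threshold, and `ipsec_site_connection_command` just renders the neutron CLI call from those values.

```python
"""Consistency checks for the two ends of a Neutron VPNaaS site-to-site tunnel.

Added example, not part of the original post. LOCAL holds the values created
in the post; REMOTE is an assumed mirror image of it (the post does not show
the other end). check_site_pair() reports the parameter mismatches that let
every API call succeed while the ipsec-site-connection never leaves DOWN.
"""
import ipaddress

# Local end: values from the post. Remote end: assumed mirror image (constructed).
LOCAL = {
    "local_cidr": "2.3.4.0/24",        # subnet behind vpn-router-1
    "external_ip": "172.24.4.3",       # external_v4_ip of the vpn-service
    "peer_address": "172.24.4.4",
    "peer_id": "172.24.4.4",
    "peer_cidr": "4.3.2.0/24",
    "psk": "lihui_key",
    "ike": {"ike_version": "v1", "auth_algorithm": "sha1",
            "encryption_algorithm": "aes-128", "pfs": "group5",
            "phase1_negotiation_mode": "main", "lifetime": 3600},
    "ipsec": {"transform_protocol": "esp", "encapsulation_mode": "tunnel",
              "auth_algorithm": "sha1", "encryption_algorithm": "aes-128",
              "pfs": "group5", "lifetime": 3600},
}
REMOTE = {
    "local_cidr": "4.3.2.0/24",
    "external_ip": "172.24.4.4",
    "peer_address": "172.24.4.3",
    "peer_id": "172.24.4.3",
    "peer_cidr": "2.3.4.0/24",
    "psk": "lihui_key",
    "ike": dict(LOCAL["ike"]),
    "ipsec": dict(LOCAL["ipsec"]),
}


def check_site_pair(a, b):
    """Return a list of findings for the pair (a, b); an empty list means consistent."""
    findings = []
    for me, other, tag in ((a, b, "A"), (b, a, "B")):
        # peer-address must be the other end's external (router gateway) IP
        if me["peer_address"] != other["external_ip"]:
            findings.append(f"{tag}: peer_address {me['peer_address']} != other external_ip {other['external_ip']}")
        # the post sets peer-id equal to peer-address; the IKE identity must match what the peer presents
        if me["peer_id"] != me["peer_address"]:
            findings.append(f"{tag}: peer_id {me['peer_id']} != peer_address {me['peer_address']}")
        # peer-cidr must be exactly the private network behind the other end
        if me["peer_cidr"] != other["local_cidr"]:
            findings.append(f"{tag}: peer_cidr {me['peer_cidr']} != other local_cidr {other['local_cidr']}")
        # overlapping traffic selectors cannot be routed through the tunnel
        if ipaddress.ip_network(me["local_cidr"]).overlaps(ipaddress.ip_network(me["peer_cidr"])):
            findings.append(f"{tag}: local_cidr {me['local_cidr']} overlaps peer_cidr {me['peer_cidr']}")
    if a["psk"] != b["psk"]:
        findings.append("psk differs between the two ends")
    # IKE (phase 1) and IPsec (phase 2) proposals must agree field by field
    for pol in ("ike", "ipsec"):
        for key in sorted(set(a[pol]) | set(b[pol])):
            if a[pol].get(key) != b[pol].get(key):
                findings.append(f"{pol} policy {key}: A={a[pol].get(key)} B={b[pol].get(key)}")
    return findings


def weak_psk(psk, min_len=16):
    """True when the pre-shared key is shorter than min_len characters (assumed threshold)."""
    return len(psk) < min_len


def ipsec_site_connection_command(end, vpnservice_id, ikepolicy_id, ipsecpolicy_id):
    """Render the neutron CLI call used in the post for one end of the tunnel."""
    return (
        "neutron ipsec-site-connection-create"
        f" --vpnservice-id {vpnservice_id}"
        f" --ikepolicy-id {ikepolicy_id} --ipsecpolicy-id {ipsecpolicy_id}"
        f" --peer-address {end['peer_address']} --peer-id {end['peer_id']}"
        f" --peer-cidr {end['peer_cidr']} --psk {end['psk']}"
    )


if __name__ == "__main__":
    for line in check_site_pair(LOCAL, REMOTE) or ["both ends consistent"]:
        print(line)
    if weak_psk(LOCAL["psk"]):
        print("psk is short; prefer a long random key")
    print(ipsec_site_connection_command(LOCAL, "2a728147-436b-4fbf-a065-92e2d36bd9b2",
                                        "f3ff940c-cf1b-4777-9da6-f9641e653b41",
                                        "8f4e0157-cd48-4342-8a60-89d6ef122668"))
```

Run it with the remote end's real values substituted into REMOTE before creating the second ipsec-site-connection; an empty findings list means the two ends agree on everything the IKE negotiation will compare, so a DOWN status afterwards points at connectivity or the agent rather than at the parameters.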
As far as the management-plane API is concerned this looks fine: nothing failed to create, which suggests the VPNaaS deployment itself is OK. The service status also looks normal.
lihui@l-openstack:~$ neutron vpn-service-list
+--------------------------------------+------+--------------------------------------+--------+
| id                                   | name | router_id                            | status |
+--------------------------------------+------+--------------------------------------+--------+
| 2a728147-436b-4fbf-a065-92e2d36bd9b2 |      | 1315b29a-9b47-47a9-847f-3636d0ebc89a | ACTIVE |
+--------------------------------------+------+--------------------------------------+--------+
lihui@l-openstack:~$ neutron ipsec-site-connection-list
+--------------------------------------+------+--------------+--------------+------------+-----------+--------+
| id                                   | name | peer_address | peer_cidrs   | route_mode | auth_mode | status |
+--------------------------------------+------+--------------+--------------+------------+-----------+--------+
| f873f461-37b0-42d7-b547-c3a36142c6ae |      | 172.24.4.4   | "4.3.2.0/24" | static     | psk       | DOWN   |
+--------------------------------------+------+--------------+--------------+------------+-----------+--------+
The API side has no problems; what comes next is testing.