1.1 准备

yum install openstack-neutron-vpn-agent libreswan -y  

vi /etc/sysctl

net.ipv4.ip_forward=1

net.ipv4.conf.default.send_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.default.rp_filter = 0

1.2添加vpn服务

vim /etc/neutron/neutron.conf

[DEFAULT]

service_plugins = router,vpnaas

[service_providers]

service_provider = VPN:Vpn:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default

1.3 配置vpnaas

vim /etc/neutron/vpn_agent.ini

[DEFAULT]

# VPN-Agent configuration file

# Note vpn-agent inherits l3-agent, so you can use configs on l3-agent also

interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver

[vpnagent]

vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver

[ipsec]

ipsec_status_check_interval=30

vi /usr/share/neutron/rootwrap/vpnaas.filters

[Filters]

ip: IpFilter, ip, root

ip_exec: IpNetnsExecFilter, ip, root

openswan: CommandFilter, ipsec, root

libreswan: CommandFilter, certutil, root

1.4 dashboard启用vpn

vim /etc/openstack-dashboard/local_settings

OPENSTACK_NEUTRON_NETWORK = {

        'enable_vpn': True,

        }

1.5 启动ipsec

chkconfig ipsec on

service ipsec start

2 修改代码

2.1

vi /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/ipsec.py

97行添加

        bcertutil = "certutil"

    114行添加

        NSS_FILES = [

         'cert8.db',

         'key3.db',

         'secmod.db'

     ]

    189行添加

        def _ensure_nss(self, nss_files):

            if not os.path.isfile(nss_files):

                #start nss database

                self._execute([self.bcertutil,

                        '-N',

                        '--empty-password',

                        '-d', self.ipsecd_dir,

                        ])

    204行添加

        for nss_file in self.NSS_FILES:

             nss_path = os.path.join(self.ipsecd_dir, nss_file)

             self._ensure_nss(nss_path)

    327行添加

        self.ipsecd_dir = os.path.join(

             self.etc_dir, 'ipsec.d')

    409、410行修改和删除

        修改 '--ipsecdir', self.etc_dir  成：  '--ipsecdir', self.ipsecd_dir

        删除 '--use-netkey',

    422行删除

        '--defaultroutenexthop', nexthop,

    470行添加

        pid_file = self.pid_path + '.pid'

        if os.path.exists(pid_file):

            os.remove(pid_file)

2.2

vi /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/template/openswan/ipsec.conf.template

    3行删除：nat_traversal=yes

    7行删除：keylife=60m 添加：salifetime=60m

    20行删除：leftnexthop=%defaultroute

    31行删除：rightnexthop=%defaultroute

    63行删除：lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s 添加：salifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s

3. 重启服务

systemctl enable neutron-vpn-agent

service neutron-vpn-agent start

重启neutron所有服务

Centos7中直接yum安装的libswan版本是3.8.这个会造成ipsec报错:whack：Pluto is not running(no "/var/run/pluto/pluto.ctl")

原因是版本的问题，3.8中很多配置都变了

经过测试使用2.6.38后，不需要修改neutron的代码ipsec就可用,本博客只是在使用3.8的情况下需要修改的代码

巴特西

OpenStack-Neutron-VPNaaS-配置