Hi Erik, I had the same issue. I think it is because there aren't NSS db files. You could try executing the following commands:
1.- On network node add certutil command to rootwrap
2.1.- Root user
# echo "libreswan: CommandFilter, certutil, root" >> /usr/share/neutron/rootwrap/vpnaas.filters
# systemctl restart neutron-vpn-agent

2.- On controller node create connection
# neutron ipsec-site-connection-create --vpnservice-id demo-vpn-vpnservice --ikepolicy-id demo-vpn-ikepolicy --ipsecpolicy-id demo-vpn-ipsecpolicy --peer-address YYY.YYY.YYY.YYY --peer-id YYY.YYY.YYY.YYY --peer-cidr 192.168.88.0/24 --psk motorolag --name demo-vpn-ipsecsiteconnection

3.- On network node, as the neutron user, execute the following commands
# su - -s /bin/bash neutron
##Comment: Start new nss db
$ sudo /bin/neutron-rootwrap /etc/neutron/rootwrap.conf ip netns exec qrouter-<uid> certutil -N -d /var/lib/neutron/ipsec/<uid>/etc/ipsec.d/ --empty-password
##Comment: Start ipsec process
$ sudo /bin/neutron-rootwrap /etc/neutron/rootwrap.conf ip netns exec qrouter-<uid> ipsec pluto --ctlbase /var/lib/neutron/ipsec/<uid>/var/run/pluto --ipsecdir /var/lib/neutron/ipsec/<uid>/etc/ipsec.d --config /var/lib/neutron/ipsec/<uid>/etc/ipsec.conf --uniqueids --nat_traversal --secretsfile /var/lib/neutron/ipsec/<uid>/etc/ipsec.secrets --virtual_private %v4:192.168.1.0/24,%v4:192.168.88.0/24
##Comment: Now, PID file should exist and you should see pluto state
$ ls /var/lib/neutron/ipsec/<uid>/var/run/
pluto pluto.ctl pluto.pid
$ sudo /bin/neutron-rootwrap /etc/neutron/rootwrap.conf ip netns exec qrouter-<uid> ipsec whack --ctlbase /var/lib/neutron/ipsec/<uid>/var/run/pluto --status

Matías R. Cuenca del Rey

On Wed, Feb 4, 2015 at 9:49 AM, Erik McCormick <emccorm...@cirrusseven.com> wrote:
> Matias,
>
> This is great stuff! Thanks for sharing. I came up with something similar
> this past weekend, but I then ran into the issue where the PID file was
> left behind whenever Pluto gets restarted (which happens constantly). Did
> you run into that issue?
>
> Thanks,
> Erik
> On Feb 3, 2015 11:37 PM, "Matias R.
> Cuenca del Rey" <mati...@gmail.com> wrote:
>
>> Packages:
>> * openstack-neutron-vpn-agent-2014.2.1-1.el7.centos.noarch
>> * libreswan-3.8-6.el7_0.x86_64
>>
>> Yesterday I modified some openstack-neutron-vpn-agent's script to make
>> VPN work :). I don't know much about python. I'm sure it can be improved.
>> These are all the steps I did to enable VPNaaS on OpenStack Juno on CentOS
>> 7 with libreswan
>>
>> 1.- Install necessary packages:
>> # yum install openstack-neutron-vpn-agent libreswan -y
>>
>> 2.- Enable vpnaas plugin in neutron
>> # cat /etc/neutron/neutron.conf
>> ...
>> service_plugins = router,vpnaas
>> ...
>>
>> service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
>> ...
>>
>> 3.- Configure vpn plugin
>> # cat /etc/neutron/vpn_agent.ini
>>
>> [DEFAULT]
>> # VPN-Agent configuration file
>> # Note vpn-agent inherits l3-agent, so you can use configs on l3-agent
>> also
>> ##interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
>>
>> [vpnagent]
>> # vpn device drivers which vpn agent will use
>> # If we want to use multiple drivers, we need to define this option
>> multiple times.
>> vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver
>> # vpn_device_driver=neutron.services.vpn.device_drivers.cisco_ipsec.CiscoCsrIPsecDriver
>> # vpn_device_driver=another_driver
>>
>> [ipsec]
>> # Status check interval
>> ipsec_status_check_interval=30
>>
>>
>> 4.- Here we start with the dirty part :)
>> 4.1.- Add certutil command to vpnaas.filters, so it can be executed by
>> neutron rootwrap
>> # cat /usr/share/neutron/rootwrap/vpnaas.filters
>> # neutron-rootwrap command filters for nodes on which neutron is
>> # expected to control network
>> #
>> # This file should be owned by (and only-writeable by) the root user
>>
>> # format seems to be
>> # cmd-name: filter-name, raw-command, user, args
>>
>> [Filters]
>>
>> ip: IpFilter, ip, root
>> ip_exec: IpNetnsExecFilter, ip, root
>> openswan: CommandFilter, ipsec, root
>> libreswan: CommandFilter, certutil, root
>>
>> 4.2.- Edit ipsec.py, which executes 'ipsec and (now) certutils' commands
>> 4.2.1.- If nss db does not exist, it is created on
>> /var/lib/neutron/ipsec/<uuid>/etc/ipsec.d
>> 4.2.2.- In 'ipsec pluto' execution:
>> 4.2.2.1.- Remove '--config' option, keep ctlbase (Thanks Paul!)
>> 4.2.2.2.- Change argument of '--ipsecdir' from
>> /var/lib/neutron/ipsec/<uuid>/etc/ to
>> /var/lib/neutron/ipsec/<uuid>/etc/ipsec.d
>> 4.2.2.3.- Remove --use-netkey because it is the default option
>> 4.2.3.- In 'ipsec addconn' execution:
>> 4.2.3.1.- Remove '--defaultroutenexthop' because it is obsolete
>> The diff between original and modified file is:
>>
>> # diff
>>
>> /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/ipsec.py
>> /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/ipsec.py.original
>> 97d96
>> < bcertutil = "certutil"
>> 114,119d112
>> < NSS_FILES = [
>> < 'cert8.db',
>> < 'key3.db',
>> < 'secmod.db'
>> < ]
>> <
>> 189,197d181
>> < def _ensure_nss(self, nss_files):
>> < if not os.path.isfile(nss_files):
>> < #start nss database
>> < self._execute([self.bcertutil,
>> < '-N',
>> < '--empty-password',
>> < '-d', self.ipsecd_dir,
>> < ])
>> <
>> 199c183
>> < """Create config directory and nss files if they does not
>> exist."""
>> ---
>> > """Create config directory if it does not exist."""
>> 204,206d187
>> < for nss_file in self.NSS_FILES:
>> < nss_path = os.path.join(self.ipsecd_dir, nss_file)
>> < self._ensure_nss(nss_path)
>> 327,328d307
>> < self.ipsecd_dir = os.path.join(
>> < self.etc_dir, 'ipsec.d')
>> 401c380,381
>> < '--ipsecdir', self.ipsecd_dir,
>> ---
>> > '--ipsecdir', self.etc_dir,
>> > '--use-netkey',
>> 412a393
>> > '--defaultroutenexthop', nexthop,
>>
>> 4.3.- Edit ipsec.conf.template, which is used to generate
>> /var/lib/neutron/ipsec/<uid>/ipsec.conf (necessary for ipsec addconn
>> command)
>> Just comment obsolete options.
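Review bot: in hunk 189,197d181 `_ensure_nss` tests a single file, and the loop in 204,206d187 calls it once per entry of `NSS_FILES`, so a directory that holds some but not all of cert8.db/key3.db/secmod.db makes `certutil -N` run against an existing database for every missing file, which can fail or reinitialise the live key database; check all three together (`if not all(os.path.isfile(os.path.join(self.ipsecd_dir, f)) for f in self.NSS_FILES)`) and run `certutil -N` at most once. Since `--empty-password` leaves key3.db unencrypted, the `ipsecd_dir` introduced in 327,328d307 should also be created root-only (mode 0700) rather than inheriting the parent's mode. Minor: the docstring in 199c183 should read "if they do not exist".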
>> The diff between original and modified
>> file is:
>>
>> # diff
>> /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/template/openswan/ipsec.conf.template
>> /usr/lib/python2.7/site-packages/neutron/services/vpn/device_drivers/template/openswan/ipsec.conf.template.original
>> 3c3
>> < # nat_traversal=yes
>> ---
>> > nat_traversal=yes
>> 7,8c7
>> < # keylife=60m
>> < salifetime=60m
>> ---
>> > keylife=60m
>> 20c19
>> < # leftnexthop=%defaultroute
>> ---
>> > leftnexthop=%defaultroute
>> 31c30
>> < # rightnexthop=%defaultroute
>> ---
>> > rightnexthop=%defaultroute
>> 63,64c62
>> < # lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
>> < salifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
>> ---
>> > lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
>>
>> 5.- Enable and start vpn-agent
>> # systemctl enable neutron-vpn-agent
>> # systemctl start neutron-vpn-agent
>>
>>
>> Hope it could be useful to someone.
>>
>> Matías R. Cuenca del Rey
>>
>> _______________________________________________
>> OpenStack-operators mailing list
>> OpenStack-operators@lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>
>>
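Review bot: hunks 7,8c7 and 63,64c62 both set `salifetime`: a fixed `salifetime=60m` replaces `keylife=60m` near the top of the template, and the per-connection `{{ipsec_site_connection.ipsecpolicy.lifetime_value}}s` is rendered further down; that is only correct if the first lands in a `conn %default` section and the second inside each `conn` block, which the hunk does not show, so either state the section each belongs to or drop the hardcoded 60m so the policy value is the only SA lifetime. The commented-out `nat_traversal=`, `keylife=`, `leftnexthop=`, `rightnexthop=` and `lifetime=` lines are dead text in a generated file and can simply be deleted.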
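The thread's step 4.2.1 creates the NSS database per router once, and the manual commands in the reply run `certutil -N --empty-password` by hand. As an added example that is not code from the thread or from neutron, the function below does that step idempotently in Python: it checks all three db files together, runs `certutil -N` at most once, refuses a half-present database instead of re-initialising it, and tightens the directory mode because `--empty-password` leaves the private keys in key3.db unencrypted. The `execute` callable is an assumed hook, not a neutron API, so the caller can wrap the command in `neutron-rootwrap` and `ip netns exec` exactly as the thread does; the file names come from the thread's patch.

```python
import os
import subprocess

# Legacy (dbm-format) NSS database files, as listed in the thread's patch.
# NSS 3.35 and later default to the SQL format (cert9.db, key4.db,
# pkcs11.txt); pass an explicit "dbm:" or "sql:" prefix to -d if you need
# to pin the format.
NSS_FILES = ('cert8.db', 'key3.db', 'secmod.db')


def missing_nss_files(ipsecd_dir):
    """Return the subset of NSS_FILES that is absent from ipsecd_dir."""
    return [f for f in NSS_FILES
            if not os.path.isfile(os.path.join(ipsecd_dir, f))]


def ensure_nss_db(ipsecd_dir, execute=None, certutil='certutil'):
    """Initialise the NSS database in ipsecd_dir exactly once.

    Returns True if certutil was run, False if the database was already
    complete. Raises RuntimeError on a half-present database rather than
    running ``certutil -N`` against live key material.

    execute: callable taking an argv list (assumed hook, not a neutron API);
    a caller can prepend neutron-rootwrap / ip netns exec to the argv.
    """
    if execute is None:
        execute = subprocess.check_call
    missing = missing_nss_files(ipsecd_dir)
    if not missing:
        return False
    if len(missing) != len(NSS_FILES):
        raise RuntimeError('partial NSS db in %s, missing %s'
                           % (ipsecd_dir, ', '.join(missing)))
    # --empty-password means key3.db holds the IPsec private keys
    # unencrypted, so the directory itself has to be the protection.
    os.makedirs(ipsecd_dir, mode=0o700, exist_ok=True)
    os.chmod(ipsecd_dir, 0o700)
    execute([certutil, '-N', '--empty-password', '-d', ipsecd_dir])
    still_missing = missing_nss_files(ipsecd_dir)
    if still_missing:
        raise RuntimeError('certutil -N did not create %s in %s'
                           % (', '.join(still_missing), ipsecd_dir))
    return True


if __name__ == '__main__':
    import sys
    # Usage: python ensure_nss.py /var/lib/neutron/ipsec/<uid>/etc/ipsec.d
    created = ensure_nss_db(sys.argv[1])
    print('created' if created else 'already present')
```

Run it against the router's `etc/ipsec.d` directory from inside the namespace (or pass an `execute` that does the `ip netns exec` wrapping); a second run is a no-op, and a directory with only some of the files raises instead of silently clobbering key3.db.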