thanks for your answer :)
Oleg

> On 11 Apr 2016 at 13:54, Paul Michali <p...@michali.net> wrote:
>
> VPNaaS in OpenStack is a site-to-site VPN using IPSec. It is designed for the case when you have two clouds and want to interconnect them. So, one openstack cloud on each end, and an interconnecting network. It's not defined for a road warrior case, where you have a computer wanting to connect to a cloud, for example.
>
> Note: the underlying VPN mechanism (Strongswan/Openswan) supports many different configurations, but the one targeted for Openstack is that of cloud to cloud VPN connection in a point to point manner, using basic pre-shared keys. In addition, it is point to point (versus a hub/spoke or other connection).
>
> Here's an example from Strongswan doc:
> https://www.strongswan.org/uml/testresults/ikev1/net2net-psk/
>
> So, it's sort of an apples to oranges comparison.
>
> Regards,
>
> Paul Michali (pcm)
>
> On Mon, Apr 11, 2016 at 7:20 AM Oleg Lodygensky <oleg.lodygen...@lal.in2p3.fr> wrote:
> dear all,
> I am trying to compare OpenVPN and VPNaaS usage in OpenStack.
>
> I want to be able to create a VPN between VMs deployed in a single Openstack cloud to ensure communication privacy and security.
> I also want to be able to connect with my PC to the VPN.
>
> To use OpenVPN, post install scripts work well:
> -A- I can see 2 interfaces on each VM: the public one and the one associated to the VPN
> -B- my own PC can easily join
>
> I want to do the same using VPNaaS (the script is below)
> But:
> -1- VPN is created but its status is « DOWN »
> -2- I don't see any VPN interface inside VMs
> -3- I don't understand how my PC could join the VPN
>
> Any help welcome,
> Oleg Lodygensky
>
> usage() {
>     echo "Usage: $0 [start | stop | status] <configName>"
>     exit 1
> }
>
> writeVariable() {
>     echo $* >> ${CONFIG_FILE}
> }
>
> start() {
>     CONFIG_NAME=$2
>     CONFIG_FILE=$2
>     if [ -f ${CONFIG_FILE} ] ; then
>         echo "VPNAAS error : config already exists. Cowardly refusing to overwrite it"
>         exit 1
>     fi
>
>     touch ${CONFIG_FILE}
>
>     KEY="NET1"
>     NET1="${CONFIG_NAME}_net1"
>     VALUE="${NET1}"
>     neutron net-create ${NET1} && writeVariable "${KEY}=${VALUE}"
>     KEY="SUBNET1"
>     SUBNET1="${CONFIG_NAME}_subnet1"
>     VALUE="${SUBNET1}"
>     neutron subnet-create --name ${SUBNET1} ${NET1} 10.100.0.0/24 --gateway 10.100.0.1 && writeVariable "${KEY}=${VALUE}"
>     KEY="ROUTER1"
>     ROUTER1="${CONFIG_NAME}_router1"
>     VALUE="${ROUTER1}"
>     neutron router-create ${ROUTER1} && writeVariable "${KEY}=${VALUE}"
>     neutron router-interface-add ${ROUTER1} ${SUBNET1}
>     neutron router-gateway-set ${ROUTER1} public
>
>     KEY="NET2"
>     NET2="${CONFIG_NAME}_net2"
>     VALUE="${NET2}"
>     neutron net-create ${NET2} && writeVariable "${KEY}=${VALUE}"
>     KEY="SUBNET2"
>     SUBNET2="${CONFIG_NAME}_subnet2"
>     VALUE="${SUBNET2}"
>     neutron subnet-create --name ${SUBNET2} ${NET2} 20.200.0.0/24 --gateway 20.200.0.2 && writeVariable "${KEY}=${VALUE}"
>     KEY="ROUTER2"
>     ROUTER2="${CONFIG_NAME}_router2"
>     VALUE="${ROUTER2}"
>     neutron router-create ${ROUTER2} && writeVariable "${KEY}=${VALUE}"
>     neutron router-interface-add ${ROUTER2} ${SUBNET2}
>     neutron router-gateway-set ${ROUTER2} public
>
>     PRIVATE_NET1=`neutron net-list | grep "${NET1}" | cut -f 2 -d' '`
>     KEY="VM1"
>     VM1="${CONFIG_NAME}_vm1"
>     VALUE="${VM1}"
>     nova boot --key-name os-77345-demo --flavor 2 --image ubuntu14 --nic net-id=${PRIVATE_NET1} ${VM1} && writeVariable "${KEY}=${VALUE}"
>     FLOATINGIP1=`nova floating-ip-create | grep -vE 'Pool|--'| cut -d ' ' -f 4`
>     KEY="FLOATINGIP1"
>     VALUE="${FLOATINGIP1}"
>     nova add-floating-ip ${VM1} $FLOATINGIP1 && writeVariable "${KEY}=${VALUE}"
>
>     PRIVATE_NET2=`neutron net-list | grep "${NET2}" | cut -f 2 -d' '`
>     KEY="VM2"
>     VM2="${CONFIG_NAME}_vm2"
>     VALUE="${VM2}"
>     nova boot --key-name os-77345-demo --flavor 2 --image ubuntu14 --nic net-id=${PRIVATE_NET2} ${VM2} && writeVariable "${KEY}=${VALUE}"
>     FLOATINGIP2=`nova floating-ip-create | grep -vE 'Pool|--'| cut -d ' ' -f 4`
>     KEY="FLOATINGIP2"
>     VALUE="${FLOATINGIP2}"
>     nova add-floating-ip ${VM2} $FLOATINGIP2 && writeVariable "${KEY}=${VALUE}"
>
>     #Create VPN connections
>     KEY="IKEPOLICY"
>     IKEPOLICY="${CONFIG_NAME}_ikepolicy"
>     VALUE="${IKEPOLICY}"
>     neutron vpn-ikepolicy-create ${IKEPOLICY} && writeVariable "${KEY}=${VALUE}"
>     KEY="IPSECPOLICY"
>     IPSECPOLICY="${CONFIG_NAME}_ipsecpolicy"
>     VALUE="${IPSECPOLICY}"
>     neutron vpn-ipsecpolicy-create ${IPSECPOLICY} && writeVariable "${KEY}=${VALUE}"
>     KEY="VPNSERVICE"
>     VPNSERVICE="${CONFIG_NAME}_vpnservice"
>     VALUE="${VPNSERVICE}"
>     neutron vpn-service-create --name ${VPNSERVICE} --description "Mon service VPN1" ${ROUTER1} ${SUBNET1} && writeVariable "${KEY}=${VALUE}"
>
>     KEY="CONNECTION"
>     CONNECTION="${CONFIG_NAME}_connection"
>     VALUE="${CONNECTION}"
>     # neutron ipsec-site-connection-create --name ${CONNECTION} --vpnservice-id ${VPNSERVICE} \
>     #     --ikepolicy-id ${IKEPOLICY} --ipsecpolicy-id ${IPSECPOLICY} --peer-address 172.24.4.227 \
>     #     --peer-id 172.24.4.227 --peer-cidr 10.100.0.0/24 --psk secret && writeVariable "${KEY}=${VALUE}"
>
>     [ ! -s ${CONFIG_FILE} ] && rm -f ${CONFIG_FILE}
> }
>
> stop() {
>     CONFIG_FILE=$2
>     if [ ! -f ${CONFIG_FILE} ] ; then
>         echo "VPNAAS \"${CONFIG_FILE}\" error : config not found"
>         exit 1
>     fi
>
>     . ${CONFIG_FILE}
>
>     nova delete ${VM1}
>     nova delete ${VM2}
>
>     nova floating-ip-delete ${FLOATINGIP1}
>     nova floating-ip-delete ${FLOATINGIP2}
>
>     neutron ipsec-site-connection-delete ${CONNECTION}
>     neutron vpn-service-delete ${VPNSERVICE}
>
>     neutron vpn-ipsecpolicy-delete ${IPSECPOLICY}
>     neutron vpn-ikepolicy-delete ${IKEPOLICY}
>
>     # note: this removes every port visible to the tenant, not only those created above
>     for i in `neutron port-list | grep -vE 'fixed_ips|--' | cut -f 2 -d' '` ; do neutron port-delete $i ; done
>
>     neutron router-interface-delete ${ROUTER2} ${SUBNET2}
>     neutron router-delete ${ROUTER2}
>     neutron net-delete ${NET2}
>
>     neutron router-interface-delete ${ROUTER1} ${SUBNET1}
>     neutron router-delete ${ROUTER1}
>     neutron net-delete ${NET1}
>
>     rm -f ${CONFIG_FILE}
> }
>
> status() {
>     CONFIG_FILE=$2
>     if [ ! -f ${CONFIG_FILE} ] ; then
>         echo "VPNAAS \"${CONFIG_FILE}\" error : config not found"
>         exit 1
>     fi
>
>     echo "VPNAAS \"${CONFIG_FILE}\": started"
>     cat ${CONFIG_FILE}
> }
>
> [ $# -ne 2 ] && usage
>
> case $1 in
>     "start" )
>         start $*
>         ;;
>     "stop" )
>         stop $*
>         ;;
>     "status" )
>         status $*
>         ;;
> esac
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack@lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
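Paul's point above is that VPNaaS is a site-to-site tunnel between two routers, while the script creates a vpn-service on router1 only and leaves the ipsec-site-connection-create commented out. The added example below (not Oleg's script and not OpenStack's own code) builds the mirrored connection command for each router and checks that each side's peer address and peer CIDR are the other side's external gateway and subnet; the gateway IPs, resource names and PSK are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Oleg's script and not OpenStack's own code. Every name,
# address and the PSK below is a constructed placeholder.

# Print the ipsec-site-connection-create command for one router. Arguments:
#   name vpnservice ikepolicy ipsecpolicy peer_gateway_ip peer_cidr psk
# The peer address is the OTHER router's external gateway IP (it doubles as
# the peer id) and the peer CIDR is the subnet behind that router.
site_connection_cmd() {
    printf 'neutron ipsec-site-connection-create --name %s --vpnservice-id %s' "$1" "$2"
    printf ' --ikepolicy-id %s --ipsecpolicy-id %s' "$3" "$4"
    # A PSK passed as an argument shows up in shell history and in `ps`, as in
    # the original script; keep the demo value out of any real deployment.
    printf ' --peer-address %s --peer-id %s --peer-cidr %s --psk %s\n' "$5" "$5" "$6" "$7"
}

# Return 0 only when the two sides are mirror images: A's peer is B's gateway
# and subnet, B's peer is A's gateway and subnet, and both share the PSK.
# Arguments: a_gateway a_cidr a_peer_address a_peer_cidr a_psk
#            b_gateway b_cidr b_peer_address b_peer_cidr b_psk
mirrored() {
    [ "$3" = "$6" ] && [ "$4" = "$7" ] &&
    [ "$8" = "$1" ] && [ "$9" = "$2" ] &&
    [ "$5" = "${10}" ]
}

# Constructed topology: router1 fronts 10.100.0.0/24 and router2 fronts
# 20.200.0.0/24 (the two subnets of the script above). The gateway IPs stand
# in for what `neutron router-show` reports under external_gateway_info.
GW1=172.24.4.227
GW2=172.24.4.228
CIDR1=10.100.0.0/24
CIDR2=20.200.0.0/24
PSK=placeholder-psk

# One connection per router, each pointing at the other side. Both are
# needed: a vpn-service on router1 alone gives router2 nothing to negotiate with.
build_both_sides() {
    site_connection_cmd demo_conn1 demo_vpnservice1 demo_ike demo_ipsec "$GW2" "$CIDR2" "$PSK"
    site_connection_cmd demo_conn2 demo_vpnservice2 demo_ike demo_ipsec "$GW1" "$CIDR1" "$PSK"
}

# Consistency check to run before touching the cloud.
check_topology() {
    mirrored "$GW1" "$CIDR1" "$GW2" "$CIDR2" "$PSK" \
             "$GW2" "$CIDR2" "$GW1" "$CIDR1" "$PSK"
}

check_topology && build_both_sides
```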