Ramblings of Linux openstack & ceph

OpenStack - Using VPNAAS


In this post we detail how to use the VPN service within OpenStack Liberty using UKFast ECloud Flex.

To start, you will require a login to the Horizon dashboard. Navigate to the VPN section of the dashboard.

We start by setting up an IKE Policy - the config I used in this example is below:

Name:				MyFirstVPN
Description:			MyFirstVPNDescription
Authorization algorithm:	sha1
Encryption algorithm:		aes-128
IKE version:			v2
Lifetime units for IKE keys:	seconds
Lifetime value for IKE Secrecy:	1200
Perfect Forward Secrecy:	group14
IKE Phase1 negotiation mode:	main

We then create an IPSec Policy - the config I used in this example is below:

Name:				MyFirstVPNIPSecPolicy
Description:			MyFirstVPNIPSecPolicyDescription
Authorization algorithm:	sha1
Encapsulation mode:		tunnel
Encryption algorithm:		aes-128
Lifetime units:			seconds
Lifetime value for IKE keys:	1200
Perfect Forward Secrecy:        group14
Transform Protocol:		esp

We then create a VPN Service - the config I used in this example is below:

Name:				MyFirstVPNService
Description:			MyFirstVPNServiceDescription
Router:				1986 (This should be the router you want the VPN to run within)
Subnet:				10.0.0.0/8 (This should be the subnet you want the VPN to run within)
Admin State:			up

Finally, we create an IPSec Site Connection - the config I used in this example is below:

Name:							MyFirstVPNService
Description:						MyFirstVPNServiceDescription
VPN Service associated with this connection:		MyFirstVPNService
IKE Policy associated with this connection:		MyFirstVPNService	
IPSec Policy associated with this connection:		MyFirstVPNIPSecPolicy
Peer gateway public IPv4/IPv6 Address or FQDN:		1.2.3.4
Peer router identity for authentication (Peer ID):	1.2.3.4
Pre-Shared Key (PSK) string:				MyReallySecurePSKHASH

Now our VPN service is set up and we can configure the remote side to connect. The config below is taken from strongSwan running on a remote Linux server; it should apply similarly to Openswan. Other VPN gateway software may require different configuration.

/etc/ipsec.conf
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn openstack
        left=1.2.3.4
        leftsubnet=172.31.255.0/24
        leftid=1.2.3.4
        right=$REMOVED
        rightsubnet=10.0.0.0/8
        rightid=$REMOVED
        auto=add
        authby=secret

/etc/ipsec.secrets
  : PSK "MyReallySecurePSKHASH"
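
Added example, not from the original post: a Python check that compares the ipsec.conf above with the IKE and IPSec policy values entered in Horizon, reporting proposals that are not pinned to the policy and lifetimes that differ. The Neutron-to-strongSwan keyword mapping and the function names are this example's own, and the embedded config is the post's, trimmed to the lines the check reads.

```python
import re

# OpenStack-side values from the IKE and IPSec policies in this post.
POLICY = {"ike": {"enc": "aes-128", "auth": "sha1", "pfs": "group14", "life": 1200},
          "esp": {"enc": "aes-128", "auth": "sha1", "pfs": "group14", "life": 1200}}
# Neutron names -> strongSwan proposal keywords (group14 is 2048-bit MODP).
ENC = {"3des": "3des", "aes-128": "aes128", "aes-192": "aes192", "aes-256": "aes256"}
DH = {"group2": "modp1024", "group5": "modp1536", "group14": "modp2048"}
LIFE_KEYS = {"ike": ("ikelifetime",), "esp": ("lifetime", "keylife")}
UNIT = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

# The post's ipsec.conf, trimmed (peer address was redacted by the author).
IPSEC_CONF = """
conn %default
        ikelifetime=60m
        keylife=20m
        keyexchange=ikev2
conn openstack
        right=$REMOVED
        rightsubnet=10.0.0.0/8
        authby=secret
"""

def parse_conns(text):
    """Return {conn name: {key: value}} for an ipsec.conf string."""
    conns, cur = {}, None
    for line in (l.split("#")[0].strip() for l in text.splitlines()):
        if line.startswith("conn "):
            cur = conns.setdefault(line.split()[1], {})
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip()
    return conns

def check(text, name):
    """List mismatches between conn `name` (plus %default) and POLICY."""
    conns = parse_conns(text)
    conn = {**conns.get("%default", {}), **conns[name]}
    findings = []
    for phase, pol in POLICY.items():
        want = f"{ENC[pol['enc']]}-{pol['auth']}-{DH[pol['pfs']]}"
        if conn.get(phase, "").rstrip("!") != want:
            findings.append(f"{phase}: set {phase}={want}! to pin the proposal")
        life = next((conn[k] for k in LIFE_KEYS[phase] if k in conn), None)
        num, unit = re.fullmatch(r"(\d+)([smhd]?)", life or "0").groups()
        if life and int(num) * UNIT[unit] != pol["life"]:
            findings.append(f"{phase}: lifetime {life} != {pol['life']}s")
    return findings
```

Calling `check(IPSEC_CONF, "openstack")` on the config as posted reports three findings: the ike and esp proposals are not pinned, and ikelifetime=60m does not match the 1200 second IKE policy lifetime.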
