In this post We detail how to use the VPN Service within openstack liberty using UKFast ECloud Flex.
To start you will requrie a login to the horizion dashboard and navigate to the VPN Section of the dashboard.
We start by setting up a IKE Policie - The config I used in this example is below:
Name: MyFirstVPN Description: MyFirstVPNDescription Authorization algorithm: sha1 Encryption algorithm: aes-128 IKE version: v2 Lifetime units for IKE keys: seconds Lifetime value for IKE Secrecy: 1200 Perfect Forward Secercy: group14 IKE Phase1 negotiation mode: main
We then Create an IPSec Policy - The config I used in this example is below:
Name: MyFirstVPNIPSecPolicy Description: MyFirstVPNIPSecPolicyDescription Authorization algorithm: sha1 Encapsulation mode: tunnel Encryption algorithm: aes-128 Lifetime units: seconds Lifetime value for IKE keys: 1200 Perfect Forward Secercy: group14 Transform Protocol: esp
We then Create a VPN Service - The config I used in this example is below:
Name: MyFirstVPNService Description: MyFirstVPNServiceDescription Router: 1986 (This should be the router you want the VPN to run within) Subnet: 10.0.0.0/8 (This should be the subnet you want the VPN to run within) Admin State: up
Finally We Create an IPSec Site Connection - The config I used in this example is below:
Name: MyFirstVPNService Description: MyFirstVPNServiceDescription VPN Service associated with this connection: MyFirstVPNService IKE Policy associated with this connection: MyFirstVPNService IPSec Policy associated with this connection: MyFirstVPNIPSecPolicy Peer gateway public IPv4/IPv6 Address or FQDN: 1.2.3.4 Peer router identity for authentication (Peer ID): 1.2.3.4 Pre-Shared Key (PSK) string: MyReallySecurePSKHASH
Now our VPN Service is setup and we can configure the remote side to connect - The below is taken from StrongSwan running on a remote linux server, This should apply similarly to Openswan. Other VPN gateway software may require different configeration
/etc/ipsec.conf conn %default ikelifetime=60m keylife=20m rekeymargin=3m keyingtries=1 keyexchange=ikev2 conn openstack left=1.2.3.4 leftsubnet=172.31.255.0/24 leftid=1.2.3.4 right=$REMOVED rightsubnet=10.0.0.0/8 rightid=$REMOVED auto=add authby=secret /etc/ipsec.secrets: PSK "MyReallySecurePSKHASH"