1. As root, grant sudo access to the common (non-root) account.
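# Run as root. When you got here via `su` or `sudo -i`, `whoami` reports
# root, so the line below would have granted root sudo on itself; take the
# target account from SUDO_USER or the login name instead, or pass it
# explicitly with STACK_USER=<name>.
STACK_USER=${STACK_USER:-${SUDO_USER:-$(logname)}}
# Passwordless sudo for everything: acceptable only because this is a
# throwaway demo host. Use a validated drop-in rather than appending to
# /etc/sudoers, where one malformed line disables sudo for every user.
printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$STACK_USER" > "/etc/sudoers.d/90-${STACK_USER}"
chmod 0440 "/etc/sudoers.d/90-${STACK_USER}"
visudo -cf "/etc/sudoers.d/90-${STACK_USER}" || rm -f -- "/etc/sudoers.d/90-${STACK_USER}"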
2. Configure the correct locale.
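# Locale for this session and for everything devstack spawns from it.
# locale-gen writes under /usr/lib/locale, so it needs root just like the
# dpkg-reconfigure step (the original ran it unprivileged).
export LANGUAGE=en_US.UTF-8
export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8
sudo locale-gen en_US.UTF-8
sudo dpkg-reconfigure locales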
3. Install git.
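# Refresh the package index first: on a fresh image it is often empty and
# the install fails; -y keeps the step non-interactive.
sudo apt-get update && sudo apt-get install -y git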
4. As the common account, create an RSA key pair if one was not generated before.
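# Only generate a key when none exists: run_vpn_demo.sh registers
# ~/.ssh/id_rsa.pub with nova and refuses to start without it.
[ -f ~/.ssh/id_rsa.pub ] || ssh-keygen -t rsa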
5. Reload AppArmor after disabling the profiles below: on Ubuntu 14.10 use 'sudo start apparmor ACTION=reload', on 14.04 use 'sudo service apparmor reload'.
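# Work around https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1387220
# by disabling the strongSwan charon/stroke profiles. This removes AppArmor
# confinement from the IKE daemon on this host; it is a demo-box trade-off.
sudo ln -sf /etc/apparmor.d/usr.lib.ipsec.charon /etc/apparmor.d/disable/
sudo ln -sf /etc/apparmor.d/usr.lib.ipsec.stroke /etc/apparmor.d/disable/
# Ubuntu 14.10 needs the upstart form of the reload; 14.04 uses service(8).
if [ "$(lsb_release -rs 2>/dev/null)" = "14.10" ]; then
  sudo start apparmor ACTION=reload
else
  sudo service apparmor reload
fi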
6. As the common account (NOTE: not the root account), run the following script:
# Run from the directory that should become devstack's DEST: the script
# takes its root directory from the current working directory.
"$PWD"/run_vpn_demo.sh all
You can have a strongSwan VPN running within about 5 minutes by just running './run_vpn_demo.sh all' on Ubuntu 14.04.
$ cat run_vpn_demo.sh
#!/bin/bash
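#######################################
# Clone devstack into the current directory, write a localrc for an
# all-in-one node with neutron VPNaaS (q-vpn) enabled, run stack.sh and
# write an `env` file with the admin credentials next to it.
# Globals:   root_dir - written here; deliberately NOT local because the
#                       create_* functions source ${root_dir}/devstack/env
#            DEMO_HOST_IP, DEMO_PASSWORD - optional overrides for the host
#                       address (172.16.1.1) and the shared demo password
# Arguments: none
# Outputs:   devstack's own output
# Returns:   1 if the clone, the cd into it or stack.sh fails
#######################################
install_all_in_one_openstack_by_devstack() {
  root_dir=$(pwd)
  local devstack_dir=${root_dir}/devstack
  local host_ip=${DEMO_HOST_IP:-172.16.1.1}
  # One password for mysql, keystone admin, the services and rabbit; this is
  # a throwaway demo node and the same value is written to env below.
  local demo_password=${DEMO_PASSWORD:-password}
  local dest=$root_dir

  # Reuse an existing checkout so a second run does not stop at the clone.
  if [ ! -d "${devstack_dir}/.git" ]; then
    git clone https://github.com/openstack-dev/devstack.git "${devstack_dir}" || return 1
  fi
  cd "${devstack_dir}" || return 1
  rm -f -- "${devstack_dir}/localrc"

  # Unquoted delimiter on purpose: ${dest}, ${host_ip} and ${demo_password}
  # are expanded now; everything else lands in localrc literally.
  cat > "${devstack_dir}/localrc" << EOF
#OFFLINE=True
DEST=${dest}
IPSEC_PACKAGE=strongswan
# NOTE(review): the next four lines are commands, not settings; they appear
# to rely on stack.sh sourcing localrc so that they run at stack time.
sudo route del -net 10.0.1.0/24 gw 192.168.101.3
sudo apt-get install openvswitch-switch qemu-kvm libvirt-bin
sudo ovs-vsctl -- --may-exist add-br br-phy
sudo ifconfig br-phy ${host_ip}/24
ENABLED_SERVICES=rabbit,mysql,key,g-api,g-reg,tempest
ENABLED_SERVICES+=,n-api,n-crt,n-obj,n-cpu,n-cond,n-sch
ENABLED_SERVICES+=,cinder,c-api,c-vol,c-sch
ENABLED_SERVICES+=,q-svc,q-agt,q-dhcp,q-l3,q-meta,neutron,q-lbaas,q-fwaas,q-vpn
ENABLED_SERVICES+=,horizon
ENABLED_SERVICES+=,s-proxy,s-object,s-container,s-account
VOLUME_BACKING_FILE_SIZE=500M
SWIFT_HASH=66a3d6b56c1f479c8b4e70ab5c2000f5
SWIFT_REPLICAS=1
SWIFT_DATA_DIR=${dest}/data/swift
HOST_IP=${host_ip}
SERVICE_HOST=${host_ip}
MYSQL_HOST=${host_ip}
RABBIT_HOST=${host_ip}
GLANCE_HOSTPORT=${host_ip}:9292
Q_HOST=${host_ip}
FIXED_RANGE=10.0.1.0/24
FLOATING_RANGE=192.168.101.0/24
Q_FLOATING_ALLOCATION_POOL=start=192.168.101.3,end=192.168.101.100
PUBLIC_NETWORK_GATEWAY=192.168.101.1
NETWORK_GATEWAY=10.0.1.1
PUBLIC_BRIDGE=br-ex
# sudo ovs-vsctl add-port br-ex eth0
OVS_PHYSICAL_BRIDGE=br-phy
DATABASE_USER=root
DATABASE_PASSWORD=${demo_password}
ADMIN_PASSWORD=${demo_password}
SERVICE_PASSWORD=${demo_password}
RABBIT_PASSWORD=${demo_password}
SERVICE_TOKEN=ADMIN
LOGFILE=${dest}/logs/stack.log
ENABLE_DEBUG_LOG_LEVEL=False
SYSLOG=False
SCREEN_LOGDIR=${dest}/logs
LOG_COLOR=False
Q_USE_DEBUG_COMMAND=False
APACHE_ENABLED_SERVICES+=keystone
KEYSTONE_TOKEN_FORMAT=uuid
USE_SSL=False
disable_service tls-proxy
IMAGE_URLS+=",http://cdn.download.cirros-cloud.net/0.3.2/cirros-0.3.2-x86_64-disk.img"
EOF

  # localrc is sourced, not executed, so no chmod +x is needed.
  FORCE=yes "${devstack_dir}/stack.sh" || return 1

  # Credentials for the CLI clients, sourced by the other functions.
  # Overwrite instead of append so re-runs do not accumulate duplicates.
  cat > "${devstack_dir}/env" << EOF
export OS_USERNAME=admin
export OS_PASSWORD=${demo_password}
export OS_TENANT_NAME=demo
export OS_AUTH_URL=http://${host_ip}:5000/v2.0
export OS_AUTH_STRATEGY=keystone
EOF
}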
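#######################################
# Create the "east" and "west" tenant networks, subnets and routers, attach
# each subnet to its router and set the public network as the gateway.
# Globals:   root_dir (read) - set by install_all_in_one_openstack_by_devstack
#            TENANT_ID, EXT_NET_ID, EAST_ROUTER_ID, EAST_SUBNET_ID,
#            WEST_ROUTER_ID, WEST_SUBNET_ID - exported; read later by
#            create_vpn_staffs_on_east_and_west
# Arguments: none
# Outputs:   neutron CLI output
# Returns:   1 if the env file cannot be sourced or an ID lookup comes back
#            empty, so no neutron call is made with a missing argument
#######################################
create_network_staffs_on_east_and_west() {
  # shellcheck disable=SC1090
  source "${root_dir}/devstack/env" || return 1

  # IDs are the second whitespace-separated column of the CLI tables; the
  # spaces around the names keep the match to that exact name column.
  TENANT_ID=$(keystone tenant-list | grep ' admin ' | awk '{print $2}')
  EXT_NET_ID=$(neutron net-list | grep ' public ' | awk '{print $2}')
  export TENANT_ID EXT_NET_ID
  if [ -z "$TENANT_ID" ] || [ -z "$EXT_NET_ID" ]; then
    printf 'could not resolve the admin tenant or the public network id\n' >&2
    return 1
  fi

  neutron net-create vpn-net-east --provider:network_type vxlan --provider:segmentation_id 1012
  neutron subnet-create --tenant_id "$TENANT_ID" --ip_version 4 --gateway 10.0.2.1 vpn-net-east 10.0.2.0/24
  neutron router-create --tenant_id "$TENANT_ID" vpn-router-east
  EAST_ROUTER_ID=$(neutron router-list | grep ' vpn-router-east ' | awk '{print $2}')
  EAST_SUBNET_ID=$(neutron subnet-list | grep '10.0.2.0/24' | awk '{print $2}')
  export EAST_ROUTER_ID EAST_SUBNET_ID
  if [ -z "$EAST_ROUTER_ID" ] || [ -z "$EAST_SUBNET_ID" ]; then
    printf 'east router or subnet was not created\n' >&2
    return 1
  fi
  neutron router-interface-add "$EAST_ROUTER_ID" "$EAST_SUBNET_ID"
  neutron router-gateway-set "$EAST_ROUTER_ID" "$EXT_NET_ID"

  neutron net-create vpn-net-west --provider:network_type vxlan --provider:segmentation_id 1013
  neutron subnet-create --tenant_id "$TENANT_ID" --ip_version 4 --gateway 10.0.3.1 vpn-net-west 10.0.3.0/24
  neutron router-create --tenant_id "$TENANT_ID" vpn-router-west
  WEST_ROUTER_ID=$(neutron router-list | grep ' vpn-router-west ' | awk '{print $2}')
  WEST_SUBNET_ID=$(neutron subnet-list | grep '10.0.3.0/24' | awk '{print $2}')
  export WEST_ROUTER_ID WEST_SUBNET_ID
  if [ -z "$WEST_ROUTER_ID" ] || [ -z "$WEST_SUBNET_ID" ]; then
    printf 'west router or subnet was not created\n' >&2
    return 1
  fi
  neutron router-interface-add "$WEST_ROUTER_ID" "$WEST_SUBNET_ID"
  neutron router-gateway-set "$WEST_ROUTER_ID" "$EXT_NET_ID"
}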
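#######################################
# Boot one cirros VM on each of the east and west networks and give each a
# floating IP from the public pool.
# Globals:   root_dir (read) - set by install_all_in_one_openstack_by_devstack
#            IMAGE_ID, EAST_NET_ID, EAST_VM_ID, FLOATING_IP_EAST,
#            WEST_NET_ID, WEST_VM_ID, FLOATING_IP_WEST - exported
# Arguments: none
# Outputs:   nova/neutron CLI output; `time` prints the boot duration on stderr
# Returns:   1 if the env file cannot be sourced or no cirros image is found
#######################################
create_two_VMs_on_east_and_west() {
  # shellcheck disable=SC1090
  source "${root_dir}/devstack/env" || return 1
  local pubkey=$HOME/.ssh/id_rsa.pub

  # Register the user's existing public key under the name "mykey"; skip the
  # add when it is already registered so a re-run does not stop here.
  nova keypair-show mykey >/dev/null 2>&1 || nova keypair-add --pub_key "$pubkey" mykey

  # Glance may list several cirros images (e.g. separate kernel/ramdisk
  # entries); keep the first one that is not obviously a kernel or ramdisk.
  IMAGE_ID=$(nova image-list | grep 'cirros' | grep -v -e '-kernel' -e '-ramdisk' | head -n 1 | awk '{print $2}')
  export IMAGE_ID
  if [ -z "$IMAGE_ID" ]; then
    printf 'no cirros image registered in glance\n' >&2
    return 1
  fi

  # Demo-only: the default security group accepts SSH and ICMP from anywhere.
  nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
  nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0

  EAST_NET_ID=$(neutron net-list | grep ' vpn-net-east ' | awk '{print $2}')
  export EAST_NET_ID
  time nova boot --poll --key_name mykey --image "$IMAGE_ID" --flavor 1 --nic "net-id=${EAST_NET_ID}" vpn-vm-east
  EAST_VM_ID=$(nova list | grep 'vpn-vm-east' | awk '{print $2}')
  FLOATING_IP_EAST=$(nova floating-ip-create | grep ' public ' | awk '{print $4}')
  export EAST_VM_ID FLOATING_IP_EAST
  nova add-floating-ip "$EAST_VM_ID" "$FLOATING_IP_EAST"

  WEST_NET_ID=$(neutron net-list | grep ' vpn-net-west ' | awk '{print $2}')
  export WEST_NET_ID
  time nova boot --poll --key_name mykey --image "$IMAGE_ID" --flavor 1 --nic "net-id=${WEST_NET_ID}" vpn-vm-west
  WEST_VM_ID=$(nova list | grep 'vpn-vm-west' | awk '{print $2}')
  FLOATING_IP_WEST=$(nova floating-ip-create | grep ' public ' | awk '{print $4}')
  export WEST_VM_ID FLOATING_IP_WEST
  nova add-floating-ip "$WEST_VM_ID" "$FLOATING_IP_WEST"
}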
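#######################################
# Create IKE/IPsec policies, one vpn-service per router and an
# ipsec-site-connection in each direction between the east and west routers.
# Globals:   root_dir (read) - set by install_all_in_one_openstack_by_devstack
#            EAST_ROUTER_ID, EAST_SUBNET_ID, WEST_ROUTER_ID, WEST_SUBNET_ID
#            (read) - exported by create_network_staffs_on_east_and_west
#            EAST_EXT_IP, WEST_EXT_IP (exported)
#            VPN_PSK (read, optional) - pre-shared key, default "password"
# Arguments: none
# Outputs:   neutron CLI output
# Returns:   1 if the env file cannot be sourced, a required router/subnet
#            ID is unset, or a router's external address cannot be found
#######################################
create_vpn_staffs_on_east_and_west() {
  # shellcheck disable=SC1090
  source "${root_dir}/devstack/env" || return 1
  local ipv4_re='[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'
  # Demo-only PSK. It is passed on the command line, so it is visible in the
  # process list and shell history of this host.
  local psk=${VPN_PSK:-password}
  local var
  for var in EAST_ROUTER_ID EAST_SUBNET_ID WEST_ROUTER_ID WEST_SUBNET_ID; do
    if [ -z "${!var}" ]; then
      printf '%s is not set; run create_network_staffs_on_east_and_west first\n' "$var" >&2
      return 1
    fi
  done

  # The first dotted quad on the external_gateway_info line is the router's
  # external address; head keeps a single value if several IPs are listed.
  EAST_EXT_IP=$(neutron router-show vpn-router-east | grep 'external_gateway_info' | grep -o "$ipv4_re" | head -n 1)
  WEST_EXT_IP=$(neutron router-show vpn-router-west | grep 'external_gateway_info' | grep -o "$ipv4_re" | head -n 1)
  export EAST_EXT_IP WEST_EXT_IP
  if [ -z "$EAST_EXT_IP" ] || [ -z "$WEST_EXT_IP" ]; then
    printf 'could not determine the external address of both routers\n' >&2
    return 1
  fi

  neutron vpn-ikepolicy-create ikepolicy1
  neutron vpn-ipsecpolicy-create ipsecpolicy1
  neutron vpn-service-create --name vpn-east --description "VPN EAST" "$EAST_ROUTER_ID" "$EAST_SUBNET_ID"
  neutron ipsec-site-connection-create --name vpn_conn_east --vpnservice-id vpn-east \
    --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 \
    --peer-address "$WEST_EXT_IP" --peer-id "$WEST_EXT_IP" --peer-cidr 10.0.3.0/24 --psk "$psk"
  neutron vpn-service-create --name vpn-west --description "VPN WEST" "$WEST_ROUTER_ID" "$WEST_SUBNET_ID"
  neutron ipsec-site-connection-create --name vpn_conn_west --vpnservice-id vpn-west \
    --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 \
    --peer-address "$EAST_EXT_IP" --peer-id "$EAST_EXT_IP" --peer-cidr 10.0.2.0/24 --psk "$psk"
}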
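#######################################
# Build the whole demo: devstack, then networks, VMs and the VPN pieces.
# Each step is skipped once an earlier one fails, instead of issuing API
# calls against a half-built environment.
# Returns:   the status of the first failing step, 0 when all succeed
#######################################
install() {
  install_all_in_one_openstack_by_devstack || return $?
  create_network_staffs_on_east_and_west || return $?
  create_two_VMs_on_east_and_west || return $?
  create_vpn_staffs_on_east_and_west
}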
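#######################################
# Tear the devstack environment down with its own unstack.sh.
# Arguments: $1 - directory that holds the devstack checkout
# Returns:   1 when $1 is empty or no executable unstack.sh is found there,
#            otherwise the status of unstack.sh
#######################################
uninstall() {
  local root_dir=$1
  if [ -z "$root_dir" ]; then
    printf 'usage: uninstall <root_dir>\n' >&2
    return 1
  fi
  if [ ! -x "${root_dir}/devstack/unstack.sh" ]; then
    printf 'no devstack checkout under %s\n' "$root_dir" >&2
    return 1
  fi
  "${root_dir}/devstack/unstack.sh"
}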
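#######################################
# List the demo's ipsec-site-connections and vpn-services.
# Arguments: $1 - directory that holds the devstack checkout
# Returns:   1 when $1 is empty or its env file cannot be sourced
#######################################
status() {
  local root_dir=$1
  if [ -z "$root_dir" ]; then
    printf 'usage: status <root_dir>\n' >&2
    return 1
  fi
  # shellcheck disable=SC1090
  source "${root_dir}/devstack/env" || return 1
  neutron ipsec-site-connection-list
  neutron vpn-service-list
}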
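#######################################
# Set admin_state_up=False on a vpn-service.
# Arguments: $1 - directory that holds the devstack checkout
#            $2 - vpn-service name (optional, default vpn-east as before)
# Returns:   1 when $1 is empty, the env file cannot be sourced or no
#            service with that name is listed
#######################################
disable() {
  local root_dir=$1
  local name=${2:-vpn-east}
  local service_id
  if [ -z "$root_dir" ]; then
    printf 'usage: disable <root_dir> [vpn-service-name]\n' >&2
    return 1
  fi
  # shellcheck disable=SC1090
  source "${root_dir}/devstack/env" || return 1
  # Second column of the row whose name column is exactly $name.
  service_id=$(neutron vpn-service-list | grep -F -- " ${name} " | awk '{print $2}')
  if [ -z "$service_id" ]; then
    printf 'vpn-service %s not found\n' "$name" >&2
    return 1
  fi
  neutron vpn-service-update --admin_state_up=False "$service_id"
}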
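#######################################
# Set admin_state_up=True on a vpn-service.
# Arguments: $1 - directory that holds the devstack checkout
#            $2 - vpn-service name (optional, default vpn-east as before)
# Returns:   1 when $1 is empty, the env file cannot be sourced or no
#            service with that name is listed
#######################################
enable() {
  local root_dir=$1
  local name=${2:-vpn-east}
  local service_id
  if [ -z "$root_dir" ]; then
    printf 'usage: enable <root_dir> [vpn-service-name]\n' >&2
    return 1
  fi
  # shellcheck disable=SC1090
  source "${root_dir}/devstack/env" || return 1
  # Second column of the row whose name column is exactly $name.
  service_id=$(neutron vpn-service-list | grep -F -- " ${name} " | awk '{print $2}')
  if [ -z "$service_id" ]; then
    printf 'vpn-service %s not found\n' "$name" >&2
    return 1
  fi
  neutron vpn-service-update --admin_state_up=True "$service_id"
}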
function ping
{
FLOATING_IP_EAST=$(nova list |grep 'vpn-vm-east' |awk -F ',' '{print $2}' |awk '{print $1}')
VM_WEST_IP=$(nova list |grep 'vpn-vm-west' |awk -F '=' '{print $2}' |awk -F ',' '{print $1}')
ssh -o StrictHostKeyChecking=no -i mykey cirros@$FLOATING_IP_EAST ping $VM_WEST_IP
}
function debug
{
export EAST_ROUTER_ID=$(neutron router-list |grep ' vpn-router-east ' |awk '{print $2}')
export WEST_ROUTER_ID=$(neutron router-list |grep ' vpn-router-west ' |awk '{print $2}')
sudo ip netns exec qrouter-$EAST_ROUTER_ID iptables -nL -t nat |grep ipsec
sudo ip netns exec qrouter-$WEST_ROUTER_ID iptables -nL -t nat |grep ipsec
sudo ip netns exec qrouter-$EAST_ROUTER_ID ip route list table 220
sudo ip netns exec qrouter-$WEST_ROUTER_ID ip route list table 220
sudo /usr/local/bin/neutron-rootwrap /etc/neutron/rootwrap.conf ip netns exec qrouter-$EAST_ROUTER_ID neutron-vpn-netns-wrapper --mount_paths=/etc:/opt/stack/data/neutron/ipsec/$EAST_ROUTER_ID/etc,/var/run:/opt/stack/data/neutron/ipsec/$EAST_ROUTER_ID/var/run --cmd=ipsec,status
sudo /usr/local/bin/neutron-rootwrap /etc/neutron/rootwrap.conf ip netns exec qrouter-$WEST_ROUTER_ID neutron-vpn-netns-wrapper --mount_paths=/etc:/opt/stack/data/neutron/ipsec/$WEST_ROUTER_ID/etc,/var/run:/opt/stack/data/neutron/ipsec/$WEST_ROUTER_ID/var/run --cmd=ipsec,status
}
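#######################################
# Print the command summary to stdout. The previous version named the
# script run_demo.sh, listed an "ssh" command the dispatcher does not know,
# omitted "ping", and had an unbalanced quote on its first line.
#######################################
usage() {
  cat << EOF
Usage: ${0##*/} <command>

install:   install an all-in-one OpenStack with devstack and configure the
           VPN environment: two networks, two routers, one tunnel each way
uninstall: run devstack's unstack.sh
status:    show the vpn-services and ipsec-site-connections
disable:   disable the east vpn-service
enable:    enable the east vpn-service
ping:      ssh into the east VM and ping the west VM through the tunnel
debug:     dump NAT rules, route table 220 and 'ipsec status' of both routers
all:       install, then status/debug/ping/status/debug
EOF
}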
# Directory the script is run from; passed to the sub-commands that need
# the devstack checkout (it lives in ROOT_DIR/devstack).
ROOT_DIR=$(pwd)
function all
{
install
status $ROOT_DIR
debug
ping
status $ROOT_DIR
debug
}
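# The demo registers ~/.ssh/id_rsa.pub with nova and ssh's into the VM with
# the matching private key, so refuse to start without it. Exit non-zero:
# the previous bare `exit` reported success to the caller.
if [ ! -f ~/.ssh/id_rsa.pub ]; then
  printf '%s\n' "your ~/.ssh/id_rsa.pub doesn't exist; run 'ssh-keygen -t rsa' first, exiting..." >&2
  exit 1
fi

case "$1" in
  'install') install ;;
  'uninstall') uninstall "$ROOT_DIR" ;;
  'status') status "$ROOT_DIR" ;;
  'disable') disable "$ROOT_DIR" ;;
  'enable') enable "$ROOT_DIR" ;;
  'ping') ping ;;
  'debug') debug "$ROOT_DIR" ;;
  'all') all ;;
  *)
    # Unknown or missing command: print the summary and fail.
    usage
    exit 2
    ;;
esac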