Add basic docs for neutron-vpnaas

Change-Id: I2b456b1626875d863f896ad7fc6c0024f5ed110f
2016-11-24 11:56:59 +00:00 · 2016-11-24 11:56:59 +00:00 · ef4069a1d3
commit ef4069a1d3
parent df375fcb87
3 changed files with 124 additions and 0 deletions
--- a/doc/networking-guide.rst
+++ b/doc/networking-guide.rst
@ -87,3 +87,65 @@ to the following link:
 For the source code, please refer to the following link:

    https://github.com/openstack/networking-sfc
+
+Neutron VPNaaS (VPN-as-a-Service)
+================================
+
+Preparation and deployment
+--------------------------
+
+Modify the configuration file ``/etc/kolla/globals.yml`` and change
+the following:
+
+::
+
+    enable_neutron_vpnaas: "yes"
+
+Verification
+------------
+
+VPNaaS is a complex subject, hence this document provides directions for a
+simple smoke test to verify the service is up and running.
+
+On the network node(s), the ``neutron_vpnaas_agent`` should be up (image naming
+and versioning may differ depending on deploy configuration):
+
+::
+
+    docker ps --filter name=neutron_vpnaas_agent
+    CONTAINER ID        IMAGE
+    COMMAND             CREATED             STATUS              PORTS
+    NAMES
+    97d25657d55e
+    operator:5000/kolla/oraclelinux-source-neutron-vpnaas-agent:4.0.0
+    "kolla_start"       44 minutes ago      Up 44 minutes
+    neutron_vpnaas_agent
+
+kolla-ansible includes a small script that can be used in tandem with
+``tools/init-runonce`` to verify the VPN using two routers and two Nova VMs:
+
+::
+
+    tools/init-runonce
+    tools/init-vpn
+
+Verify both VPN services are active:
+
+::
+
+    neutron vpn-service-list
+    +--------------------------------------+----------+--------------------------------------+--------+
+    | id                                   | name     | router_id                            | status |
+    +--------------------------------------+----------+--------------------------------------+--------+
+    | ad941ec4-5f3d-4a30-aae2-1ab3f4347eb1 | vpn_west | 051f7ce3-4301-43cc-bfbd-7ffd59af539e | ACTIVE |
+    | edce15db-696f-46d8-9bad-03d087f1f682 | vpn_east | 058842e0-1d01-4230-af8d-0ba6d0da8b1f | ACTIVE |
+    +--------------------------------------+----------+--------------------------------------+--------+
+
+Two VMs can now be booted, one on vpn_east, the other on vpn_west, and
+encrypted ping packets observed being sent from one to the other.
+
+For more information on this and VPNaaS in Neutron refer to the VPNaaS area on
+the OpenStack wiki:
+
+    https://wiki.openstack.org/wiki/Neutron/VPNaaS/HowToInstall
+    https://wiki.openstack.org/wiki/Neutron/VPNaaS
--- a/setup.cfg
+++ b/setup.cfg
@ -33,6 +33,7 @@ data_files =
    share/kolla/doc = doc/*
    share/kolla/etc_examples = etc/*
    share/kolla = tools/init-runonce
+    share/kolla = tools/init-vpn
    share/kolla = tools/openrc-example
    share/kolla = setup.cfg

--- a/tools/init-vpn
+++ b/tools/init-vpn
@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+
+# Script originally copied from https://wiki.openstack.org/wiki/Neutron/VPNaaS/HowToInstall
+
+EXT_NW_ID=`neutron net-list | awk '/public/{print $2}'`
+WEST_SUBNET='192.168.1.0/24'
+EAST_SUBNET='192.168.2.0/24'
+
+function setup_site(){
+    local site_name=$1
+    local cidr=$2
+    neutron net-create net_$site_name
+    neutron subnet-create --name subnet_$site_name net_$site_name $2
+    neutron router-create router_$site_name
+    neutron router-interface-add router_$site_name subnet_$site_name
+    neutron router-gateway-set router_$site_name $EXT_NW_ID
+    neutron vpn-service-create --name vpn_$site_name router_$site_name subnet_$site_name
+}
+
+function get_external_ip(){
+    local router_id=`neutron router-show $1 | awk '/ id /{print $4}'`
+    echo `neutron port-list -c fixed_ips -c device_id -c device_owner|grep router_gateway | awk
+'/'.$router_id.'/{print $5}' | sed 's/["}]//g'`
+}
+
+function clean_site(){
+    local site_name=$1
+    neutron ipsec-site-connection-delete conn_$site_name
+    neutron vpn-service-list | awk '/vpn_'$site_name'/{print "neutron vpn-service-delete " $2}' |
+bash
+    neutron router-gateway-clear router_$site_name
+    neutron router-interface-delete router_$site_name subnet_$site_name
+    neutron router-list | awk '/router_'$site_name'/{print "neutron router-delete " $2}' | bash
+    neutron subnet-list | awk '/subnet_'$site_name'/{print "neutron subnet-delete " $2}' | bash
+    neutron net-list | awk '/net_'$site_name'/{print "neutron net-delete " $2}' | bash
+}
+
+function setup(){
+    neutron vpn-ikepolicy-create ikepolicy1
+    neutron vpn-ipsecpolicy-create ipsecpolicy1
+    setup_site west $WEST_SUBNET
+    WEST_IP=$(get_external_ip router_west)
+    setup_site east $EAST_SUBNET
+    EAST_IP=$(get_external_ip router_east)
+    neutron ipsec-site-connection-create --name conn_east --vpnservice-id vpn_east --ikepolicy-id
+ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address $WEST_IP --peer-id $WEST_IP --peer-cidr
+$WEST_SUBNET --psk secret
+    neutron ipsec-site-connection-create --name conn_west --vpnservice-id vpn_west --ikepolicy-id
+ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address $EAST_IP --peer-id $EAST_IP --peer-cidr
+$EAST_SUBNET --psk secret
+}
+
+function cleanup(){
+    clean_site west
+    clean_site east
+    neutron vpn-ikepolicy-delete ikepolicy1
+    neutron vpn-ipsecpolicy-delete ipsecpolicy1
+}
+
+cleanup
+setup