diff --git a/doc/source/contributor/multiple-local-subnets.rst b/doc/source/contributor/multiple-local-subnets.rst index 3698de79a..1020ce0fa 100644 --- a/doc/source/contributor/multiple-local-subnets.rst +++ b/doc/source/contributor/multiple-local-subnets.rst @@ -44,13 +44,15 @@ Client CLI API -------------- The originally implemented client CLI APIs (which are still available -for backward compatibility) for an IPsec connection are:: +for backward compatibility) for an IPsec connection are: - neutron vpn-service-create ROUTER SUBNET - neutron ipsec-site-connection-create - --vpnservice-id VPNSERVICE - --ikepolicy-id IKEPOLICY - --ipsecpolicy-id IPSECPOLICY +.. code-block:: none + + openstack vpn service create --router ROUTER --subnet SUBNET NAME + openstack vpn ipsec site connection create + --vpnservice VPNSERVICE + --ikepolicy IKEPOLICY + --ipsecpolicy IPSECPOLICY --peer-address PEER_ADDRESS --peer-id PEER_ID --peer-cidr PEER_CIDRS 
@@ -58,34 +60,39 @@ for backward compatibility) for an IPsec connection are:: --initiator {bi-directional | response-only} --mtu MTU --psk PSK + VPN_IPSEC_SITE_CONNECTION_NAME Changes to the API, to support multiple local subnets, are shown in -**bold** text:: +**highlighted** text: - neutron vpn-service-create ROUTER - **neutron vpn-endpoint-groups-create** - **--name OPTIONAL-NAME** - **--description OPTIONAL-DESCRIPTION** - **--ep-type={subnet,cidr,network,vlan,router}** - **--ep-value=[list-of-endpoints-of-type]** - neutron ipsec-site-connection-create - --vpnservice-id VPNSERVICE - --ikepolicy-id IKEPOLICY - --ipsecpolicy-id IPSECPOLICY +.. code-block:: none + :emphasize-lines: 2-6,17-18 + + openstack vpn service create --router ROUTER NAME + openstack vpn endpoint group create + --description OPTIONAL-DESCRIPTION + --type={subnet,cidr,network,vlan,router} + --value=ENDPOINT-OF-TYPE[,--value=ENDPOINT-OF-TYPE,...] + ENDPOINT-GROUP-NAME + openstack vpn ipsec site connection create + --vpnservice VPNSERVICE + --ikepolicy IKEPOLICY + --ipsecpolicy IPSECPOLICY --peer-address PEER_ADDRESS --peer-id PEER_ID --dpd action=ACTION,interval=INTERVAL,timeout=TIMEOUT --initiator {bi-directional | response-only} --mtu MTU --psk PSK - **--local-endpoints ENDPOINT-GROUPS-UUID** - **--peer-endpoints ENDPOINT-GROUPS-UUID** + --local-endpoint-group ENDPOINT-GROUP-UUID + --peer-endpoint-group ENDPOINT-GROUP-UUID + VPN_IPSEC_SITE_CONNECTION_NAME The SUBNET in the original service API is optional, and will be used as an indicator of whether or not the multiple local subnets feature is active. See the 'Backward Compatibility' section, below, for details. -For the endpoint groups, the --ep-type value is a string, so that other +For the endpoint groups, the ``--type`` value is a string, so that other types can be supported in the future. The endpoint groups API would enforce that the endpoint values are all of 
@@ -102,58 +109,59 @@ specified, and the type would be 'network'. The ROUTER may also be able to be removed, in the future, and can be determined, when the connections are created. -Note: Using --ep-type, as --endpoint-type is already used elsewhere, and ---type is too generic. Using --ep-value, as --endpoint is already in use, ---end-point could be easily mistyped as --endpoint, and --value is too -generic. - Examples -------- The original APIs to create one side of an IPSec connection with -only one local and peer subnet:: +only one local and peer subnet: - neutron vpn-ikepolicy-create ikepolicy - neutron vpn-ipsecpolicy-create ipsecpolicy - neutron vpn-service-create --name myvpn router1 privateA - neutron ipsec-site-connection-create - --name vpnconnection1 - --vpnservice-id myvpn - --ikepolicy-id ikepolicy - --ipsecpolicy-id ipsecpolicy +.. code-block:: none + + openstack vpn ike policy create ikepolicy + openstack vpn ipsec policy create ipsecpolicy + openstack vpn service create --router router1 --subnet privateA myvpn + openstack vpn ipsec site connection create + --vpnservice myvpn + --ikepolicy ikepolicy + --ipsecpolicy ipsecpolicy --peer-address 172.24.4.13 --peer-id 172.24.4.13 --peer-cidr 10.3.0.0/24 --psk secret + vpnconnection1 The local CIDR is obtained from the subnet, privateA. In this example, that would be 10.1.0.0/24 (because that's how privateA was created). 
Using the multiple local subnet feature, the APIs (with changes shown -in **bold** below:: +in **highlighted** below: - neutron vpn-ikepolicy-create ikepolicy - neutron vpn-ipsecpolicy-create ipsecpolicy - neutron vpn-service-create --name myvpn router1 - **neutron vpn-endpoint-group-create** - **--name local-eps** - **--ep-type=subnet** - **--ep-value=privateA** - **--ep-value=privateB** - **neutron vpn-endpoint-group-create** - **--name peer-eps** - **--ep-type=cidr** - **--ep-vallue=10.3.0.0/24** - neutron ipsec-site-connection-create - --name vpnconnection1 - --vpnservice-id myvpn - --ikepolicy-id ikepolicy - --ipsecpolicy-id ipsecpolicy +.. code-block:: none + :emphasize-lines: 4-12,20-21 + + openstack vpn ike policy create ikepolicy + openstack vpn ipsec policy create ipsecpolicy + openstack vpn service create --router router1 myvpn + openstack vpn endpoint group create + --type=subnet + --value=privateA + --value=privateB + local-eps + openstack vpn endpoint group create + --type=cidr + --value=10.3.0.0/24 + peer-eps + openstack vpn ipsec site connection create + --vpnservice myvpn + --ikepolicy ikepolicy + --ipsecpolicy ipsecpolicy --peer-address 172.24.4.13 + --peer-id 172.24.4.13 --psk secret - **--local-endpoints local-eps** - **--peer-endpoints peer-eps** + --local-endpoint-group local-eps + --peer-endpoint-group peer-eps + vpnconnection1 The subnets privateA and privateB are used for local endpoints and the 10.3.0.0/24 CIDR is used for the peer endpoint. diff --git a/doc/source/contributor/testing-with-devstack.rst b/doc/source/contributor/testing-with-devstack.rst index 6abcd0ff4..cdc312724 100644 --- a/doc/source/contributor/testing-with-devstack.rst +++ b/doc/source/contributor/testing-with-devstack.rst 
@@ -99,27 +99,33 @@ On ``East`` .. code-block:: none - neutron vpn-ikepolicy-create ikepolicy1 - neutron vpn-ipsecpolicy-create ipsecpolicy1 - neutron vpn-service-create --name myvpn --description "My vpn service" router1 - neutron vpn-endpoint-group-create --name my-locals --type subnet --value mysubnet - neutron vpn-endpoint-group-create --name my-peers --type cidr --value 10.2.0.0/24 - neutron ipsec-site-connection-create --name vpnconnection1 --vpnservice-id myvpn \ - --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address 172.24.4.233 \ - --peer-id 172.24.4.233 --local-ep-group my-locals --peer-ep-group my-peers --psk secret + openstack vpn ike policy create ikepolicy1 + openstack vpn ipsec policy create ipsecpolicy1 + openstack vpn service create --description "My vpn service" \ + --router router1 myvpn + openstack vpn endpoint group create --type subnet --value mysubnet my-locals + openstack vpn endpoint group create --type cidr --value 10.2.0.0/24 my-peers + openstack vpn ipsec site connection create --vpnservice myvpn \ + --ikepolicy ikepolicy1 --ipsecpolicy ipsecpolicy1 \ + --peer-address 172.24.4.233 --peer-id 172.24.4.233 \ + --local-endpoint-group my-locals --peer-endpoint-group my-peers \ + --psk secret vpnconnection1 On ``West`` .. 
code-block:: none - neutron vpn-ikepolicy-create ikepolicy1 - neutron vpn-ipsecpolicy-create ipsecpolicy1 - neutron vpn-service-create --name myvpn --description "My vpn service" router1 - neutron vpn-endpoint-group-create --name my-locals --type subnet --value mysubnet - neutron vpn-endpoint-group-create --name my-peers --type cidr --value 10.1.0.0/24 - neutron ipsec-site-connection-create --name vpnconnection1 --vpnservice-id myvpn \ - --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address 172.24.4.226 \ - --peer-id 172.24.4.226 --local-ep-group my-locals --peer-ep-group my-peers --psk secret + openstack vpn ike policy create ikepolicy1 + openstack vpn ipsec policy create ipsecpolicy1 + openstack vpn service create --description "My vpn service" \ + --router router1 myvpn + openstack vpn endpoint group create --type subnet --value mysubnet my-locals + openstack vpn endpoint group create --type cidr --value 10.1.0.0/24 my-peers + openstack vpn ipsec site connection create --vpnservice myvpn \ + --ikepolicy ikepolicy1 --ipsecpolicy ipsecpolicy1 \ + --peer-address 172.24.4.226 --peer-id 172.24.4.226 \ + --local-endpoint-group my-locals --peer-endpoint-group my-peers \ + --psk secret vpnconnection1 .. note:: 
@@ -176,19 +182,21 @@ to be created, and a VM spun up in each private network. # Create second net, subnet, router source ~/devstack/openrc admin demo - neutron net-create privateB - neutron subnet-create --name subB privateB 10.2.0.0/24 --gateway 10.2.0.1 - neutron router-create routerB - neutron router-interface-add routerB subB - neutron router-gateway-set routerB public + openstack network create privateB + openstack subnet create --network privateB --subnet-range 10.2.0.0/24 --gateway 10.2.0.1 subB + openstack router create routerB + openstack router add subnet routerB subB + openstack router set --external-gateway public routerB # Start up a VM in the privateA subnet. - PRIVATE_NET=`neutron net-list | grep 'private ' | cut -f 2 -d' '` - nova boot --flavor 1 --image cirros-0.3.5-x86_64-uec --nic net-id=$PRIVATE_NET peter + PRIVATE_NET=`openstack network show private -c id -f value` + openstack server create --flavor 1 --image cirros-0.3.5-x86_64-uec \ + --nic net-id=$PRIVATE_NET peter # Start up a VM in the privateB subnet - PRIVATE_NETB=`neutron net-list | grep privateB | cut -f 2 -d' '` - nova boot --flavor 1 --image cirros-0.3.5-x86_64-uec --nic net-id=$PRIVATE_NETB paul + PRIVATE_NETB=`openstack network show privateB -c id -f value` + openstack server create --flavor 1 --image cirros-0.3.5-x86_64-uec \ + --nic net-id=$PRIVATE_NETB paul At this point, you can verify that you have basic connectivity. 
@@ -205,21 +213,27 @@ The following commands will create the IPsec connection: .. code-block:: none # Create VPN connections - neutron vpn-ikepolicy-create ikepolicy - neutron vpn-ipsecpolicy-create ipsecpolicy - neutron vpn-service-create --name myvpn --description "My vpn service" router1 - neutron vpn-endpoint-group-create --name my-localsA --type subnet --value privateA - neutron vpn-endpoint-group-create --name my-peersA --type cidr --value 10.2.0.0/24 - neutron ipsec-site-connection-create --name vpnconnection1 --vpnservice-id myvpn \ - --ikepolicy-id ikepolicy --ipsecpolicy-id ipsecpolicy --peer-address 172.24.4.13 \ - --peer-id 172.24.4.13 --local-ep-group my-localsA --peer-ep-group my-peersA --psk secret + openstack vpn ike policy create ikepolicy + openstack vpn ipsec policy create ipsecpolicy + openstack vpn service create --router router1 \ + --description "My vpn service" myvpn + openstack vpn endpoint group create --type subnet --value privateA my-localsA + openstack vpn endpoint group create --type cidr --value 10.2.0.0/24 my-peersA + openstack vpn ipsec site connection create --vpnservice myvpn \ + --ikepolicy ikepolicy --ipsecpolicy ipsecpolicy \ + --peer-address 172.24.4.13 --peer-id 172.24.4.13 \ + --local-endpoint-group my-localsA --peer-endpoint-group my-peersA \ + --psk secret vpnconnection1 - neutron vpn-service-create --name myvpnB --description "My vpn serviceB" routerB - neutron vpn-endpoint-group-create --name my-localsB --type subnet --value subB - neutron vpn-endpoint-group-create --name my-peersB --type cidr --value 10.1.0.0/24 - neutron ipsec-site-connection-create --name vpnconnection2 --vpnservice-id myvpnB \ - --ikepolicy-id ikepolicy --ipsecpolicy-id ipsecpolicy --peer-address 172.24.4.11 \ - --peer-id 172.24.4.11 --local-ep-group my-localsB --peer-ep-group my-peersB --psk secret + openstack vpn service create --router routerB \ + --description "My vpn serviceB" myvpnB + openstack vpn endpoint group create --type subnet --value 
subB my-localsB + openstack vpn endpoint group create --type cidr --value 10.1.0.0/24 my-peersB + openstack vpn ipsec site connection create --vpnservice myvpnB \ + --ikepolicy ikepolicy --ipsecpolicy ipsecpolicy \ + --peer-address 172.24.4.11 --peer-id 172.24.4.11 \ + --local-endpoint-group my-localsB --peer-endpoint-group my-peersB \ + --psk secret vpnconnection2 At this point (once the connections become active - which can take up to 30 seconds or so), you should be able to ping from the VM in the privateA network, to the VM in the privateB @@ -252,17 +266,18 @@ of VPN, in the future. An example: .. code-block:: none # Create VPN connections - neutron vpn-ikepolicy-create ikepolicy - neutron vpn-ipsecpolicy-create ipsecpolicy - neutron vpn-service-create --name myvpnC --description "My vpn service" router1 + openstack vpn ike policy create ikepolicy + openstack vpn ipsec policy create ipsecpolicy + openstack vpn service create --router router1 \ + --description "My vpn service" myvpnC To prepare for an IPsec site-to-site, one would create an endpoint group for the local subnets, and an endpoint group for the peer CIDRs, like so: .. code-block:: none - neutron vpn-endpoint-group-create --name my-locals --type subnet --value privateA --value privateA2 - neutron vpn-endpoint-group-create --name my-peers --type cidr --value 10.2.0.0/24 --value 20.2.0.0/24 + openstack vpn endpoint group create --type subnet --value privateA --value privateA2 my-locals + openstack vpn endpoint group create --type cidr --value 10.2.0.0/24 --value 20.2.0.0/24 my-peers where privateA and privateA2 are two local (private) subnets, and 10.2.0.0/24 and 20.2.0.0/24 are two CIDRs representing peer (private) subnets that will be used by a connection. 
@@ -271,9 +286,11 @@ be specified, instead of the peer-cidrs attribute: .. code-block:: none - neutron ipsec-site-connection-create --name vpnconnection3 --vpnservice-id myvpnC \ - --ikepolicy-id ikepolicy --ipsecpolicy-id ipsecpolicy --peer-address 172.24.4.11 \ - --peer-id 172.24.4.11 --local-ep-group my-locals --peer-ep-group my-peers --psk secret + openstack vpn ipsec site connection create --vpnservice myvpnC \ + --ikepolicy ikepolicy --ipsecpolicy ipsecpolicy \ + --peer-address 172.24.4.11 --peer-id 172.24.4.11 \ + --local-endpoint-group my-locals --peer-endpoint-group my-peers \ + --psk secret vpnconnection3 .. note:: - The validation logic makes sure that endpoint groups and peer CIDRs are not intermixed. diff --git a/tools/test_script.sh b/tools/test_script.sh index 305d751c4..61fe0b702 100755 --- a/tools/test_script.sh +++ b/tools/test_script.sh 
@@ -1,52 +1,58 @@ #!/usr/bin/env bash -EXT_NW_ID=`neutron net-list | awk '/public/{print $2}'` +EXT_NW_ID=`openstack network show public -c id -f value` +EXTERNAL_SUBNET_IP_VERSION='v4' WEST_SUBNET='192.168.1.0/24' EAST_SUBNET='192.168.2.0/24' function setup_site(){ local site_name=$1 local cidr=$2 - neutron net-create net_$site_name - neutron subnet-create --name subnet_$site_name net_$site_name $2 - neutron router-create router_$site_name - neutron router-interface-add router_$site_name subnet_$site_name - neutron router-gateway-set router_$site_name $EXT_NW_ID - neutron vpn-service-create --name vpn_$site_name router_$site_name subnet_$site_name + openstack network create net_$site_name + openstack subnet create --network net_$site_name --subnet-range $2 subnet_$site_name + openstack router create router_$site_name + openstack router add subnet router_$site_name subnet_$site_name + openstack router set --external-gateway $EXT_NW_ID router_$site_name + openstack vpn service create --subnet subnet_$site_name --router router_$site_name vpn_$site_name } function get_external_ip(){ - local router_id=`neutron router-show $1 | awk '/ id /{print $4}'` - echo `neutron port-list -c fixed_ips -c device_id -c device_owner|grep router_gateway | awk '/'.$router_id.'/{print $5}' | sed 's/["}]//g'` + echo `openstack vpn service show $1 -c external_${EXTERNAL_SUBNET_IP_VERSION}_ip -f value` } function clean_site(){ local site_name=$1 - neutron ipsec-site-connection-delete conn_$site_name - neutron vpn-service-list | awk '/vpn_'$site_name'/{print "neutron vpn-service-delete " $2}' | bash - neutron router-gateway-clear router_$site_name - neutron router-interface-delete router_$site_name subnet_$site_name - neutron router-list | awk '/router_'$site_name'/{print "neutron router-delete " $2}' | bash - neutron subnet-list | awk '/subnet_'$site_name'/{print "neutron subnet-delete " $2}' | bash - neutron net-list | awk '/net_'$site_name'/{print "neutron net-delete " $2}' | bash + 
openstack vpn ipsec site connection delete conn_$site_name + openstack vpn service delete vpn_$site_name + openstack router unset --external-gateway router_$site_name + openstack router remove subnet router_$site_name subnet_$site_name + openstack router delete router_$site_name + openstack subnet delete subnet_$site_name + openstack network delete net_$site_name } function setup(){ - neutron vpn-ikepolicy-create ikepolicy1 - neutron vpn-ipsecpolicy-create ipsecpolicy1 + openstack vpn ike policy create ikepolicy1 + openstack vpn ipsec policy create ipsecpolicy1 setup_site west $WEST_SUBNET - WEST_IP=$(get_external_ip router_west) + WEST_IP=$(get_external_ip vpn_west) setup_site east $EAST_SUBNET - EAST_IP=$(get_external_ip router_east) - neutron ipsec-site-connection-create --name conn_east --vpnservice-id vpn_east --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address $WEST_IP --peer-id $WEST_IP --peer-cidr $WEST_SUBNET --psk secret - neutron ipsec-site-connection-create --name conn_west --vpnservice-id vpn_west --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address $EAST_IP --peer-id $EAST_IP --peer-cidr $EAST_SUBNET --psk secret + EAST_IP=$(get_external_ip vpn_east) + openstack vpn ipsec site connection create \ + --vpnservice vpn_east --ikepolicy ikepolicy1 --ipsecpolicy ipsecpolicy1 \ + --peer-address $WEST_IP --peer-id $WEST_IP --peer-cidr $WEST_SUBNET \ + --psk secret conn_east + openstack vpn ipsec site connection create \ + --vpnservice vpn_west --ikepolicy ikepolicy1 --ipsecpolicy ipsecpolicy1 \ + --peer-address $EAST_IP --peer-id $EAST_IP --peer-cidr $EAST_SUBNET \ + --psk secret conn_west } function cleanup(){ clean_site west clean_site east - neutron vpn-ikepolicy-delete ikepolicy1 - neutron vpn-ipsecpolicy-delete ipsecpolicy1 + openstack vpn ike policy delete ikepolicy1 + openstack vpn ipsec policy delete ipsecpolicy1 } cleanup
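Review bot: the usage line `--value=ENDPOINT-OF-TYPE[,--value=ENDPOINT-OF-TYPE,...]` in the `@@ -58,34 +60,39 @@` hunk of multiple-local-subnets.rst reads as if repeated endpoints are comma-separated, but the examples further down pass them as separate repeated options (`--value=privateA` / `--value=privateB`, and `--value privateA --value privateA2` in testing-with-devstack.rst). Suggest `--value=ENDPOINT-OF-TYPE [--value=ENDPOINT-OF-TYPE ...]`. The `:emphasize-lines: 2-6,17-18` ranges do line up with the endpoint-group command and the two `--*-endpoint-group` options, so that part is fine. Separately, `--name OPTIONAL-NAME` was replaced by the `ENDPOINT-GROUP-NAME` positional with no hint that it may be omitted; if the name is still optional in the OSC plugin, mark it as such the way the old text did.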
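Review bot: the lead-in `Using the multiple local subnet feature, the APIs (with changes shown in **highlighted** below:` in the `@@ -102,58 +109,59 @@` hunk is ungrammatical and leaves the parenthesis unclosed (the old `in **bold** below::` had the same dangling paren, so this is a good moment to fix it). Suggest `Using the multiple local subnet feature, the APIs (with changes highlighted below):`. The `:emphasize-lines: 4-12,20-21` ranges match the two endpoint-group commands and the two `--*-endpoint-group` options. Adding `--peer-id 172.24.4.13` to the second example so it matches the first, dropping the `--ep-vallue` typo, and removing the now-obsolete note about `--ep-type`/`--ep-value` naming are all correct.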
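Review bot: in the `@@ -176,19 +182,21 @@` hunk of testing-with-devstack.rst, the `PRIVATE_NET=\`openstack network show private -c id -f value\`` / `--nic net-id=$PRIVATE_NET` pair (and the privateB equivalent) can be collapsed to `openstack server create --flavor 1 --image cirros-0.3.5-x86_64-uec --network private peter`, since `openstack server create --network` accepts a network name; that also removes the lookup that the old `grep 'private '` trailing-space trick existed to protect against `privateB`. If the lookups are kept, `$(...)` reads better than backticks. `--subnet-range 10.2.0.0/24 --gateway 10.2.0.1` is the right translation of the old positional CIDR.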
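Review bot: in `setup_site()` in the tools/test_script.sh hunk, `openstack subnet create --network net_$site_name --subnet-range $2 subnet_$site_name` still uses the raw `$2` even though the function declares `local cidr=$2` on the line above; use `$cidr`. In `get_external_ip()`, `echo \`openstack vpn service show $1 -c external_${EXTERNAL_SUBNET_IP_VERSION}_ip -f value\`` can be just the `openstack ... -f value` command; the echo-of-backticks only strips the trailing newline, which the `$(...)` caller already does. Because `WEST_IP`/`EAST_IP` are now read off the vpn service rather than the router gateway port, a failed `openstack vpn service create` in `setup_site` leaves them empty and the later `--peer-address $WEST_IP --peer-id $WEST_IP` fails with an unhelpful parse error; consider `set -e` near the shebang, or a non-empty check after each `get_external_ip` call. A comment stating that `EXTERNAL_SUBNET_IP_VERSION` takes `v4` or `v6` (matching the `external_v4_ip`/`external_v6_ip` service fields) would help the next reader. The switch to name-based `delete`/`unset`/`remove subnet` calls in `clean_site()` is a welcome simplification over the old list-awk-bash pipelines; the unquoted `$1`/`$2` expansions are pre-existing.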