Installing VPNaaS

The neutron-vpn-agent service typically runs on the network node, which in this environment is controller01.

Issue the following command on the controller node to install the VPN agent and its dependencies, including the strongSwan VPN software package:

# apt-get install neutron-vpn-agent

During the installation, you may notice the following message:

The following packages will be REMOVED:
  neutron-l3-agent

Here, the neutron-vpn-agent service replaces neutron-l3-agent but inherits all of its functionality and configuration.

Note

The agents are mutually exclusive and should not be installed simultaneously. Failure to heed this warning will result in unexpected issues.

Configuring the Neutron VPN agent service

Neutron stores the VPN agent configuration in the /etc/neutron/vpn_agent.ini file. The most common configuration options will be covered in the upcoming sections.

Defining a device driver

To manage a VPN service or device, the Neutron VPN agent must be configured with a device driver, which translates requests received through the Neutron API into the configuration of the underlying service or device.

On the controller node, update the VPN agent configuration file and define the strongswan device driver, as follows:

[vpnagent]
...
vpn_device_driver = neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver

Configuring Neutron

In addition to configuring the VPN agent, Neutron must be configured to use a VPN service plugin and driver before the API can be utilized to create VPN objects.

Defining a service plugin

Update the service_plugins configuration option found in the /etc/neutron/neutron.conf file on the controller by adding the vpnaas service plugin to the list of enabled plugins:

[DEFAULT]
...
service_plugins = router,lbaas,firewall,vpnaas

Defining a service provider

As of the Kilo release of OpenStack, many advanced service configuration options have moved out of the main Neutron configuration file into their own files. On the controller node, update or create the Neutron VPNaaS configuration file at /etc/neutron/neutron_vpnaas.conf and define the following generic IPsec service provider driver:

[service_providers]
...
service_provider = VPN:vpnaas:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default

Note

Be sure to comment out any existing service provider drivers, such as openswan.

Restart the neutron-server service as follows:

# service neutron-server restart

Configuring AppArmor

AppArmor, the Linux kernel security module that confines programs to a particular set of resources, may interfere with the creation of IPsec tunnels when using strongSwan. To work around this, the AppArmor profiles for the strongSwan charon and stroke binaries must be disabled so they are no longer enforced by the kernel.

Use the following commands on the controller node to configure and restart the AppArmor service:

# sudo ln -sf /etc/apparmor.d/usr.lib.ipsec.charon /etc/apparmor.d/disable/
# sudo ln -sf /etc/apparmor.d/usr.lib.ipsec.stroke /etc/apparmor.d/disable/
# service apparmor restart

Additional workarounds

Due to an Ubuntu bug in the packaging of the Neutron VPN agent, neutron-vpn-netns-wrapper may not be included and could result in the failure to build VPN connections. More information on this bug can be found at the following link:

https://bugs.launchpad.net/neutron/+bug/1456335

To work around this issue, a small wrapper program must be created on the controller node. Enter the following text, terminated with EOF, to create the file and populate it:

cat > /usr/bin/neutron-vpn-netns-wrapper << EOF
#!/usr/bin/python2
import sys
from neutron_vpnaas.services.vpn.common.netns_wrapper import main

if __name__ == "__main__":
    sys.exit(main())
EOF

Set the appropriate permissions to allow the file to be executed with the following command:

# chmod 755 /usr/bin/neutron-vpn-netns-wrapper

Restarting the Neutron VPN agent service

The neutron-vpn-agent service must be restarted for the changes to take effect. Issue the following command on the controller node to restart the service:

# service neutron-vpn-agent restart

Verify that the agent is running with the following command:

# service neutron-vpn-agent status

The command should return output similar to the following:

root@lb-controller01:~# service neutron-vpn-agent status
neutron-vpn-agent start/running, process 11308

If you encounter any issues, be sure to check the VPN agent log found at /var/log/neutron/vpn_agent.log before proceeding.
