Cloudcomputing Cookbook: VPN as a Service (VPNaaS)

Guide: general information
Operating system: all
Service: Cloudcomputing
Of interest to: employees, students and guests
HilfeWiki of the IMT at the University of Paderborn

Important note: a command-line client is required to follow this guide. The examples in this cookbook were produced with the OpenStack command-line clients 2.3.0 from Ubuntu 16.04.1 LTS. Newer clients may use a slightly different invocation syntax.

Information on setting up the command-line clients

With a few exceptions, all of these settings can also be made in the Dashboard. Please also read the article Cloudcomputing Aktuelle Informationen.

Recipe: IPsec site-to-site tunnel connection

Step 1: Set up two private networks and subnets

This cookbook requires two networks, each with one subnet.

ubuntu@api-kochbuch-demo:~$ neutron net-create PrivatesNetzA
Created a new network:
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| availability_zone_hints   |                                      |
| availability_zones        |                                      |
| created_at                | 2016-09-25T08:43:20                  |
| description               |                                      |
| id                        | 0e0f9899-c081-443b-9e22-bd5b3b6a91e1 |
| ipv4_address_scope        |                                      |
| ipv6_address_scope        |                                      |
| mtu                       | 1450                                 |
| name                      | PrivatesNetzA                        |
| provider:network_type     | vxlan                                |
| provider:physical_network |                                      |
| provider:segmentation_id  | 83                                   |
| router:external           | False                                |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tags                      |                                      |
| tenant_id                 | 3ceb7c480ede4680bb42be90b365375d     |
| updated_at                | 2016-09-25T08:43:20                  |
+---------------------------+--------------------------------------+
 
ubuntu@api-kochbuch-demo:~$ neutron subnet-create --name PrivatesSubNetzA PrivatesNetzA 10.1.0.0/24 --gateway 10.1.0.1
Created a new subnet:
+-------------------+--------------------------------------------+
| Field             | Value                                      |
+-------------------+--------------------------------------------+
| allocation_pools  | {"start": "10.1.0.2", "end": "10.1.0.254"} |
| cidr              | 10.1.0.0/24                                |
| created_at        | 2016-09-25T08:43:21                        |
| description       |                                            |
| dns_nameservers   |                                            |
| enable_dhcp       | True                                       |
| gateway_ip        | 10.1.0.1                                   |
| host_routes       |                                            |
| id                | 90c3009f-a103-487d-8989-2a10709c7dd2       |
| ip_version        | 4                                          |
| ipv6_address_mode |                                            |
| ipv6_ra_mode      |                                            |
| name              | PrivatesSubNetzA                           |
| network_id        | 0e0f9899-c081-443b-9e22-bd5b3b6a91e1       |
| subnetpool_id     |                                            |
| tenant_id         | 3ceb7c480ede4680bb42be90b365375d           |
| updated_at        | 2016-09-25T08:43:21                        |
+-------------------+--------------------------------------------+
 
ubuntu@api-kochbuch-demo:~$ neutron net-create PrivatesNetzB
Created a new network:
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| availability_zone_hints   |                                      |
| availability_zones        |                                      |
| created_at                | 2016-09-25T08:43:39                  |
| description               |                                      |
| id                        | 89f17224-2fdb-481f-b5f3-00d16b27beb5 |
| ipv4_address_scope        |                                      |
| ipv6_address_scope        |                                      |
| mtu                       | 1450                                 |
| name                      | PrivatesNetzB                        |
| provider:network_type     | vxlan                                |
| provider:physical_network |                                      |
| provider:segmentation_id  | 87                                   |
| router:external           | False                                |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tags                      |                                      |
| tenant_id                 | 3ceb7c480ede4680bb42be90b365375d     |
| updated_at                | 2016-09-25T08:43:39                  |
+---------------------------+--------------------------------------+
 
ubuntu@api-kochbuch-demo:~$ neutron subnet-create --name PrivatesSubNetzB PrivatesNetzB 10.2.0.0/24 --gateway 10.2.0.1
Created a new subnet:
+-------------------+--------------------------------------------+
| Field             | Value                                      |
+-------------------+--------------------------------------------+
| allocation_pools  | {"start": "10.2.0.2", "end": "10.2.0.254"} |
| cidr              | 10.2.0.0/24                                |
| created_at        | 2016-09-25T08:43:40                        |
| description       |                                            |
| dns_nameservers   |                                            |
| enable_dhcp       | True                                       |
| gateway_ip        | 10.2.0.1                                   |
| host_routes       |                                            |
| id                | a530b974-76d6-43d0-8555-2fa7db43c821       |
| ip_version        | 4                                          |
| ipv6_address_mode |                                            |
| ipv6_ra_mode      |                                            |
| name              | PrivatesSubNetzB                           |
| network_id        | 89f17224-2fdb-481f-b5f3-00d16b27beb5       |
| subnetpool_id     |                                            |
| tenant_id         | 3ceb7c480ede4680bb42be90b365375d           |
| updated_at        | 2016-09-25T08:43:40                        |
+-------------------+--------------------------------------------+


Step 2: Set up a router for each private network

Each network is connected to an external network through its own router.

ubuntu@api-kochbuch-demo:~$ neutron router-create RouterA
Created a new router:
+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| admin_state_up          | True                                 |
| availability_zone_hints |                                      |
| availability_zones      |                                      |
| description             |                                      |
| distributed             | False                                |
| external_gateway_info   |                                      |
| ha                      | False                                |
| id                      | e2cd323b-ec42-45f0-9413-61a05beae9e8 |
| name                    | RouterA                              |
| routes                  |                                      |
| status                  | ACTIVE                               |
| tenant_id               | 3ceb7c480ede4680bb42be90b365375d     |
+-------------------------+--------------------------------------+
 
ubuntu@api-kochbuch-demo:~$ neutron router-interface-add RouterA PrivatesSubNetzA
Added interface dd78fba5-3143-4021-8e05-1c6997bddc5f to router RouterA.
 
ubuntu@api-kochbuch-demo:~$ neutron router-gateway-set RouterA physext_public_uni
Set gateway for router RouterA
 
ubuntu@api-kochbuch-demo:~$ neutron router-create RouterB
Created a new router:
+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| admin_state_up          | True                                 |
| availability_zone_hints |                                      |
| availability_zones      |                                      |
| description             |                                      |
| distributed             | False                                |
| external_gateway_info   |                                      |
| ha                      | False                                |
| id                      | bd32ce17-4efa-45a0-bd43-a9603b4add5b |
| name                    | RouterB                              |
| routes                  |                                      |
| status                  | ACTIVE                               |
| tenant_id               | 3ceb7c480ede4680bb42be90b365375d     |
+-------------------------+--------------------------------------+
 
ubuntu@api-kochbuch-demo:~$ neutron router-interface-add RouterB PrivatesSubNetzB
Added interface fb4b5585-c0f1-434d-8524-5cf5d870aebd to router RouterB.
 
ubuntu@api-kochbuch-demo:~$ neutron router-gateway-set RouterB physext_public_uni
Set gateway for router RouterB


Step 3: Create instances in the two private networks

Instances in both networks are also needed to test the connection. We assume here that a security group SSH+ICMP exists which allows SSH and ICMP; this matters later for the functional test.

ubuntu@api-kochbuch-demo:~$ neutron net-list 
+--------------------------------------+-----------------------------+-------------------------------------------------------+
| id                                   | name                        | subnets                                               |
+--------------------------------------+-----------------------------+-------------------------------------------------------+
| 0e0f9899-c081-443b-9e22-bd5b3b6a91e1 | PrivatesNetzA               | 90c3009f-a103-487d-8989-2a10709c7dd2 10.1.0.0/24      |
| 89f17224-2fdb-481f-b5f3-00d16b27beb5 | PrivatesNetzB               | a530b974-76d6-43d0-8555-2fa7db43c821 10.2.0.0/24      |
+--------------------------------------+-----------------------------+-------------------------------------------------------+
 
ubuntu@api-kochbuch-demo:~$ openstack server create \
    --image CirrOS-Image-0.3.2 \
    --flavor m1.small \
    --security-group SSH+ICMP \
    --key-name mein-oeffentlicher-schluessel \
    --nic net-id=0e0f9899-c081-443b-9e22-bd5b3b6a91e1 \
    --wait \
    ServerA
+--------------------------------------+------------------------------------------------------------------+
| Field                                | Value                                                            |
+--------------------------------------+------------------------------------------------------------------+
| addresses                            | PrivatesNetzA=10.1.0.3                                           |
| id                                   | fa33d34a-0826-4024-a896-fba3929affae                             |
| image                                | CirrOS-Image-0.3.2 (5ec22335-1480-417a-b8b3-6eea8791dffe)        |
| key_name                             | mein-oeffentlicher-schluessel                                    |
| name                                 | ServerA                                                          |
| security_groups                      | [{u'name': u'SSH+ICMP'}]                                         |
+--------------------------------------+------------------------------------------------------------------+
 
ubuntu@api-kochbuch-demo:~$ openstack server create \
    --image CirrOS-Image-0.3.2 \
    --flavor m1.small \
    --security-group SSH+ICMP \
    --key-name mein-oeffentlicher-schluessel \
    --nic net-id=89f17224-2fdb-481f-b5f3-00d16b27beb5 \
    --wait \
    ServerB
+--------------------------------------+------------------------------------------------------------------+
| Field                                | Value                                                            |
+--------------------------------------+------------------------------------------------------------------+
| addresses                            | PrivatesNetzB=10.2.0.3                                           |
| id                                   | d6eeb241-d2f0-4c25-8d22-cc0eccaf48f4                             |
| image                                | CirrOS-Image-0.3.2 (5ec22335-1480-417a-b8b3-6eea8791dffe)        |
| key_name                             | mein-oeffentlicher-schluessel                                    |
| name                                 | ServerB                                                          |
| security_groups                      | [{u'name': u'SSH+ICMP'}]                                         |
+--------------------------------------+------------------------------------------------------------------+

If necessary, floating IPs must be assigned at this point. The network topology view in the Dashboard should now show the following:

(Figure: Cloudcomputing VPN Setup.png, network topology view in the Dashboard)


Step 4: Create IKE and IPsec policies

First, an IKE policy and an IPsec policy must be created. Both are used by the site connections in step 6.

ubuntu@api-kochbuch-demo:~$ neutron vpn-ikepolicy-create ikepolicy
Created a new ikepolicy:
+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| auth_algorithm          | sha1                                 |
| description             |                                      |
| encryption_algorithm    | aes-128                              |
| id                      | b8a6fe30-d372-4d02-9381-5ffc57600f31 |
| ike_version             | v1                                   |
| lifetime                | {"units": "seconds", "value": 3600}  |
| name                    | ikepolicy                            |
| pfs                     | group5                               |
| phase1_negotiation_mode | main                                 |
| tenant_id               | 3ceb7c480ede4680bb42be90b365375d     |
+-------------------------+--------------------------------------+
 
ubuntu@api-kochbuch-demo:~$ neutron vpn-ipsecpolicy-create ipsecpolicy
Created a new ipsecpolicy:
+----------------------+--------------------------------------+
| Field                | Value                                |
+----------------------+--------------------------------------+
| auth_algorithm       | sha1                                 |
| description          |                                      |
| encapsulation_mode   | tunnel                               |
| encryption_algorithm | aes-128                              |
| id                   | a0df3078-a473-4f96-a03b-65280eacaee6 |
| lifetime             | {"units": "seconds", "value": 3600}  |
| name                 | ipsecpolicy                          |
| pfs                  | group5                               |
| tenant_id            | 3ceb7c480ede4680bb42be90b365375d     |
| transform_protocol   | esp                                  |
+----------------------+--------------------------------------+

Step 5: Attach a VPN service to each router

Next, each network needs a VPN service on its router to build the site-to-site connection. Note the external_v4_ip in the output: it is the address the other side will use as its peer.

ubuntu@api-kochbuch-demo:~$ neutron vpn-service-create --name VPNA --description "VPN Dienst A" RouterA PrivatesSubNetzA
Created a new vpnservice:
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| admin_state_up | True                                 |
| description    | VPN Dienst A                         |
| external_v4_ip | 192.26.184.60                        |
| external_v6_ip |                                      |
| id             | fe008405-4d85-4a36-8978-aff59f9ae7a0 |
| name           | VPNA                                 |
| router_id      | e2cd323b-ec42-45f0-9413-61a05beae9e8 |
| status         | PENDING_CREATE                       |
| subnet_id      | 90c3009f-a103-487d-8989-2a10709c7dd2 |
| tenant_id      | 3ceb7c480ede4680bb42be90b365375d     |
+----------------+--------------------------------------+
 
ubuntu@api-kochbuch-demo:~$ neutron vpn-service-create --name VPNB --description "VPN Dienst B" RouterB PrivatesSubNetzB
Created a new vpnservice:
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| admin_state_up | True                                 |
| description    | VPN Dienst B                         |
| external_v4_ip | 192.26.184.61                        |
| external_v6_ip |                                      |
| id             | 16f8dc01-44ba-4a28-8cd0-275422c3c8fd |
| name           | VPNB                                 |
| router_id      | bd32ce17-4efa-45a0-bd43-a9603b4add5b |
| status         | PENDING_CREATE                       |
| subnet_id      | a530b974-76d6-43d0-8555-2fa7db43c821 |
| tenant_id      | 3ceb7c480ede4680bb42be90b365375d     |
+----------------+--------------------------------------+

Step 6: Configure the IPsec site-to-site connection

The connection parameters are created in both VPN services. On each side, the peer address (and peer ID) is the external_v4_ip of the other router, the peer CIDR is the other private subnet, and the pre-shared key (PSK) must be identical on both sides.

ubuntu@api-kochbuch-demo:~$ neutron ipsec-site-connection-create --name VPNConnectionA --vpnservice-id VPNA \
    --ikepolicy-id ikepolicy --ipsecpolicy-id ipsecpolicy --peer-address 192.26.184.61 \
    --peer-id 192.26.184.61 --peer-cidr 10.2.0.0/24 --psk secret
 
Created a new ipsec_site_connection:
+-------------------+----------------------------------------------------+
| Field             | Value                                              |
+-------------------+----------------------------------------------------+
| admin_state_up    | True                                               |
| auth_mode         | psk                                                |
| description       |                                                    |
| dpd               | {"action": "hold", "interval": 30, "timeout": 120} |
| id                | dee88828-e865-439c-b605-1ac06529a3ac               |
| ikepolicy_id      | b8a6fe30-d372-4d02-9381-5ffc57600f31               |
| initiator         | bi-directional                                     |
| ipsecpolicy_id    | a0df3078-a473-4f96-a03b-65280eacaee6               |
| local_ep_group_id |                                                    |
| mtu               | 1500                                               |
| name              | VPNConnectionA                                     |
| peer_address      | 192.26.184.61                                      |
| peer_cidrs        | 10.2.0.0/24                                        |
| peer_ep_group_id  |                                                    |
| peer_id           | 192.26.184.61                                      |
| psk               | secret                                             |
| route_mode        | static                                             |
| status            | PENDING_CREATE                                     |
| tenant_id         | 3ceb7c480ede4680bb42be90b365375d                   |
| vpnservice_id     | fe008405-4d85-4a36-8978-aff59f9ae7a0               |
+-------------------+----------------------------------------------------+
 
ubuntu@api-kochbuch-demo:~$ neutron ipsec-site-connection-create --name VPNConnectionB --vpnservice-id VPNB \
    --ikepolicy-id ikepolicy --ipsecpolicy-id ipsecpolicy --peer-address 192.26.184.60 \
    --peer-id 192.26.184.60 --peer-cidr 10.1.0.0/24 --psk secret
 
Created a new ipsec_site_connection:
+-------------------+----------------------------------------------------+
| Field             | Value                                              |
+-------------------+----------------------------------------------------+
| admin_state_up    | True                                               |
| auth_mode         | psk                                                |
| description       |                                                    |
| dpd               | {"action": "hold", "interval": 30, "timeout": 120} |
| id                | 5c995108-5721-488d-a6ae-d3fd7c43ba81               |
| ikepolicy_id      | b8a6fe30-d372-4d02-9381-5ffc57600f31               |
| initiator         | bi-directional                                     |
| ipsecpolicy_id    | a0df3078-a473-4f96-a03b-65280eacaee6               |
| local_ep_group_id |                                                    |
| mtu               | 1500                                               |
| name              | VPNConnectionB                                     |
| peer_address      | 192.26.184.60                                      |
| peer_cidrs        | 10.1.0.0/24                                        |
| peer_ep_group_id  |                                                    |
| peer_id           | 192.26.184.60                                      |
| psk               | secret                                             |
| route_mode        | static                                             |
| status            | PENDING_CREATE                                     |
| tenant_id         | 3ceb7c480ede4680bb42be90b365375d                   |
| vpnservice_id     | 16f8dc01-44ba-4a28-8cd0-275422c3c8fd               |
+-------------------+----------------------------------------------------+

Once everything is configured, the connection is established. Connections start in the state PENDING_CREATE.

ubuntu@api-kochbuch-demo:~$ neutron ipsec-site-connection-list
+--------------------------------------+----------------+----------------+-----------+----------------+
| id                                   | name           | peer_address   | auth_mode | status         |
+--------------------------------------+----------------+----------------+-----------+----------------+
| dee88828-e865-439c-b605-1ac06529a3ac | VPNConnectionA | 192.26.184.61  | psk       | PENDING_CREATE |
| 5c995108-5721-488d-a6ae-d3fd7c43ba81 | VPNConnectionB | 192.26.184.60  | psk       | PENDING_CREATE |
+--------------------------------------+----------------+----------------+-----------+----------------+

The connections take 30 to 50 seconds to become ACTIVE.

ubuntu@api-kochbuch-demo:~$ neutron ipsec-site-connection-list
+--------------------------------------+----------------+----------------+-----------+--------+
| id                                   | name           | peer_address   | auth_mode | status |
+--------------------------------------+----------------+----------------+-----------+--------+
| dee88828-e865-439c-b605-1ac06529a3ac | VPNConnectionA | 192.26.184.61  | psk       | ACTIVE |
| 5c995108-5721-488d-a6ae-d3fd7c43ba81 | VPNConnectionB | 192.26.184.60  | psk       | ACTIVE |
+--------------------------------------+----------------+----------------+-----------+--------+
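Steps 4 to 6 configure the two sides of the tunnel by hand, and the listing above shows the status moving from PENDING_CREATE to ACTIVE. The following Python helper is an added example, not part of this cookbook or of the OpenStack clients: it derives both `ipsec-site-connection-create` command lines from a single description of the two sites (so peer address, peer CIDR and PSK cannot be cross-wired), replaces the placeholder PSK `secret` with a random key, and parses the `ipsec-site-connection-list` table to check that every connection is ACTIVE. The dictionary keys (name, vpnservice, external_ip, cidr) are an assumption of the example; the PENDING_LIST sample is copied from the step 6 output above.

```python
import ipaddress
import secrets

# Policy names as created in step 4 of the cookbook.
IKEPOLICY, IPSECPOLICY = "ikepolicy", "ipsecpolicy"

# Sample `neutron ipsec-site-connection-list` output, copied from step 6
# above (both connections still PENDING_CREATE).
PENDING_LIST = """\
+--------------------------------------+----------------+----------------+-----------+----------------+
| id                                   | name           | peer_address   | auth_mode | status         |
+--------------------------------------+----------------+----------------+-----------+----------------+
| dee88828-e865-439c-b605-1ac06529a3ac | VPNConnectionA | 192.26.184.61  | psk       | PENDING_CREATE |
| 5c995108-5721-488d-a6ae-d3fd7c43ba81 | VPNConnectionB | 192.26.184.60  | psk       | PENDING_CREATE |
+--------------------------------------+----------------+----------------+-----------+----------------+
"""

def make_psk(nbytes=32):
    """Random URL-safe pre-shared key, to replace the placeholder 'secret'."""
    return secrets.token_urlsafe(nbytes)

def check_psk(psk):
    """Reject short keys and obvious placeholders."""
    if len(psk) < 20 or psk.lower() in {"secret", "password", "psk"}:
        raise ValueError("pre-shared key is too weak")

def site_connection_cmd(name, vpnservice, peer_ip, peer_cidr, psk):
    """argv of `neutron ipsec-site-connection-create` for one side."""
    return ["neutron", "ipsec-site-connection-create",
            "--name", name, "--vpnservice-id", vpnservice,
            "--ikepolicy-id", IKEPOLICY, "--ipsecpolicy-id", IPSECPOLICY,
            "--peer-address", peer_ip, "--peer-id", peer_ip,
            "--peer-cidr", peer_cidr, "--psk", psk]

def build_site_to_site(site_a, site_b, psk):
    """Return (argv_a, argv_b). A site is a dict with name, vpnservice,
    external_ip (external_v4_ip of its VPN service) and cidr (its subnet);
    the peer values of A are taken from B and vice versa."""
    check_psk(psk)
    net_a, net_b = (ipaddress.ip_network(s["cidr"]) for s in (site_a, site_b))
    if net_a.overlaps(net_b):
        raise ValueError(f"subnets overlap: {net_a} and {net_b}")
    ip_a, ip_b = (ipaddress.ip_address(s["external_ip"]) for s in (site_a, site_b))
    if ip_a == ip_b:
        raise ValueError("both routers use the same external address")
    cmd_a = site_connection_cmd(site_a["name"], site_a["vpnservice"],
                                str(ip_b), str(net_b), psk)
    cmd_b = site_connection_cmd(site_b["name"], site_b["vpnservice"],
                                str(ip_a), str(net_a), psk)
    return cmd_a, cmd_b

def parse_table(text):
    """Parse the +---+ / | ... | table printed by the neutron client."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue                    # border lines (+----+) carry no data
        cells = [c.strip() for c in line.strip("| \n").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows

def connections_active(list_output, names):
    """True only if every named connection reports status ACTIVE."""
    status = {r["name"]: r["status"] for r in parse_table(list_output)}
    return all(status.get(n) == "ACTIVE" for n in names)

if __name__ == "__main__":
    sites = ({"name": "VPNConnectionA", "vpnservice": "VPNA",
              "external_ip": "192.26.184.60", "cidr": "10.1.0.0/24"},
             {"name": "VPNConnectionB", "vpnservice": "VPNB",
              "external_ip": "192.26.184.61", "cidr": "10.2.0.0/24"})
    for cmd in build_site_to_site(*sites, make_psk()):
        print(" ".join(cmd))
    print(connections_active(PENDING_LIST, [s["name"] for s in sites]))
```

In a real session, feed the live `neutron ipsec-site-connection-list` output to connections_active in a polling loop and treat anything other than ACTIVE after the 30 to 50 seconds mentioned above as a reason to inspect the connection.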

Step 7: Functional test

A short functional test consists of pinging from each subnet to the other. The packets pass through both VPN services in the process.

ServerA:

ubuntu@api-kochbuch-demo:~$ ssh cirros@[ServerA]
$ hostname
servera
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether fa:16:3e:d4:73:10 brd ff:ff:ff:ff:ff:ff
    inet 10.1.0.3/24 brd 10.1.0.255 scope global eth0
    inet6 fe80::f816:3eff:fed4:7310/64 scope link 
       valid_lft forever preferred_lft forever
$ ping 10.2.0.3
PING 10.2.0.3 (10.2.0.3): 56 data bytes
64 bytes from 10.2.0.3: seq=0 ttl=62 time=2.439 ms
64 bytes from 10.2.0.3: seq=1 ttl=62 time=1.046 ms
^C
--- 10.2.0.3 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 1.046/1.742/2.439 ms

ServerB:

ubuntu@api-kochbuch-demo:~$ ssh cirros@[ServerB]
$ hostname
serverb
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether fa:16:3e:dc:9c:93 brd ff:ff:ff:ff:ff:ff
    inet 10.2.0.3/24 brd 10.2.0.255 scope global eth0
    inet6 fe80::f816:3eff:fedc:9c93/64 scope link 
       valid_lft forever preferred_lft forever
$ ping 10.1.0.3
PING 10.1.0.3 (10.1.0.3): 56 data bytes
64 bytes from 10.1.0.3: seq=0 ttl=62 time=2.645 ms
64 bytes from 10.1.0.3: seq=1 ttl=62 time=1.095 ms
^C
--- 10.1.0.3 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 1.095/1.870/2.645 ms
$

If you have questions or problems, please contact the IMT:Benutzerberatung

Notebook-Café BI1.111 IMT:ServicePoint N5.345 Phone: +49 (5251) 60-5544 E-mail: imt@uni-paderborn.de