Configuring an IPSec connection with VTI

The OpenStack VPN-as-a-Service (VPNaaS) is enabled in IBM® Cloud Manager with OpenStack. VPNaaS is optional. For more information about VPNaaS, see the OpenStack community documentation.

About this task

This service is used to create the Internet Protocol Security (IPSec) virtual private network (VPN) connection between the VPN gateway and OpenStack. This connection allows the private network in OpenStack to connect to the remote private network behind the opposite VPN gateway.

For example, assume the private network in OpenStack uses 192.168.100.0/24, and a private network in another OpenStack deployment or behind a Vyatta gateway uses 10.6.12.0/24. After you use VPNaaS to establish a VPN connection, those two subnets can reach each other.

However, the existing OpenStack VPNaaS does not support IPSec VPN with virtual tunnel interface (VTI). Therefore, you must enable it for IBM Cloud Manager with OpenStack if the remote private network's VPN gateway is set up to use VTI. If the remote private network's gateway is using a policy-based configuration, you can use the standard OpenStack VPNaaS.

To enable this feature, complete the following steps.
Note: For example purposes only, assume that the IBM Cloud Manager with OpenStack private network uses 172.16.100.0/24, the public network is 119.81.184.128/26, and the opposite VPN gateway has the IP address 119.81.177.236 with a private subnet of 10.6.12.0/24 behind it. This example establishes a VPN connection between 172.16.100.0/24 and 10.6.12.0/24. Remember to use your own network information when you complete these steps.

Procedure

  1. Create an external network and private network. Run the following commands:
       neutron net-create ext --router:external
       neutron subnet-create ext 119.81.184.128/26
       neutron net-create private
       neutron subnet-create private 172.16.100.0/24
  2. Create a router. Run the following command.
    neutron router-create router1
  3. Add a router interface on the private subnet and set the router's external gateway. Run the following commands.
       neutron router-interface-add router1 private_subnet_id
       neutron router-gateway-set router1 ext_net_id
  4. Install strongswan.
    yum install -y strongswan
  5. Configure ipsec.conf and ipsec.secrets.
    ipsec.secrets contains the pre-shared key (password). This value must be the same as the corresponding VPN gateway's pre-shared key. ipsec.conf contains the IPSec connection configuration. Except for the right, left and mark attributes, the attributes must match the opposite VPN gateway's IPSec configuration. Here is an example. The left address is the address of the qg-xx port, which is the SNAT port in the qrouter-router_id network namespace.
    
    conn vyatta
        right=119.81.177.236      # opposite VPN gateway IP address
        left=119.81.184.173       # qg-xx IP address
        leftsubnet=0.0.0.0/0
        rightsubnet=0.0.0.0/0
        ike=aes128-sha1-modp1536,3des-sha1-modp1536!
        ikelifetime=3600s
        esp=aes128-sha1-modp1536,3des-sha1-modp1536!
        keylife=1800s
        rekeymargin=540s
        type=tunnel
        pfs=yes
        compress=no
        authby=secret
        mark=100                  # the key of the VTI; must match the key used in step 7
        auto=start
        keyingtries=%forever
  6. Enter the qrouter-router_id network namespace.
    ip netns exec qrouter-router_id bash
  7. Create a VTI. Assume 100 as the VTI key, and that its name is vti_0.
    Note: The values in this sample are for example purposes only. Use the data that is relevant to your environment.
       ip link add vti_0 type vti key 100 remote 119.81.177.236 local 119.81.184.173
       ip link set vti_0 up
       ip addr add 192.168.100.200/24 remote 192.168.100.100/24 dev vti_0
  8. Restart the strongswan service.
    strongswan restart
  9. Configure the kernel settings for the VTI and for the router port on the private subnet. For example purposes only, assume that this port is named qr-xx.
       echo 0 > /proc/sys/net/ipv4/conf/vti_0/rp_filter
       echo 1 > /proc/sys/net/ipv4/conf/vti_0/disable_policy
       echo 1 > /proc/sys/net/ipv4/conf/qr-xx/disable_xfrm
       echo 1 > /proc/sys/net/ipv4/conf/qr-xx/disable_policy
  10. Delete the route that strongSwan added to routing table 220.
    ip route delete table 220
  11. Check the Red Hat Enterprise Linux kernel version by running uname -r. If the version is older than 3.10.0-123.el7.x86_64, an iptables rule must be added that marks the ESP traffic from the opposite gateway with the VTI key.
    iptables -t mangle -I PREROUTING -p esp -s 119.81.177.236 -d 119.81.184.173 -j MARK --set-mark 100
  12. Add a static route to the remote private subnet through the VTI.
    ip route add 10.6.12.0/24 via 192.168.100.200
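The mark in step 5, the VTI key in step 7 and the --set-mark value in step 11 must all be the same number. The following is an added example, not from the IBM documentation, that derives the step 7 and step 11 commands from the conn block so that the three values cannot drift apart; the function names and the constructed sample file are the example's own.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation: derive the VTI and iptables
# commands from the conn block in ipsec.conf. If mark, VTI key and --set-mark
# differ, IKE still negotiates but packets are never steered into vti_0.
# Assumes the one-setting-per-line 'key=value' layout shown on this page.

# conn_value FILE CONN KEY: print the value of KEY inside 'conn CONN' (empty if absent)
conn_value() {
    awk -v conn="$2" -v key="$3" '
        /^conn[ \t]/ { in_conn = ($2 == conn); next }
        /^[^ \t#]/   { in_conn = 0 }   # any other top-level section ends the conn
        in_conn && index($1, key "=") == 1 { print substr($1, length(key) + 2); exit }
    ' "$1"
}

# vti_commands FILE CONN VTI_KEY: print the two namespace commands derived from
# the conn, or fail (status 1 = a value is missing, 2 = mark and key disagree)
vti_commands() {
    file=$1; conn=$2; vti_key=$3
    left=$(conn_value "$file" "$conn" left)
    right=$(conn_value "$file" "$conn" right)
    mark=$(conn_value "$file" "$conn" mark)
    if [ -z "$left" ] || [ -z "$right" ] || [ -z "$mark" ]; then
        echo "conn $conn: left, right and mark must all be set" >&2
        return 1
    fi
    if [ "$mark" != "$vti_key" ]; then
        echo "conn $conn: mark=$mark does not match the VTI key $vti_key" >&2
        return 2
    fi
    printf 'ip link add vti_0 type vti key %s remote %s local %s\n' "$mark" "$right" "$left"
    printf 'iptables -t mangle -I PREROUTING -p esp -s %s -d %s -j MARK --set-mark %s\n' \
        "$right" "$left" "$mark"
}

# Constructed sample that reproduces the conn block from step 5 (not a real file)
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
conn vyatta
    right=119.81.177.236      # opposite VPN gateway IP address
    left=119.81.184.173       # qg-xx IP address
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=100                  # the key of the VTI
    auto=start
EOF
vti_commands "$SAMPLE" vyatta 100    # prints the step 7 and step 11 commands
vti_commands "$SAMPLE" vyatta 200 || echo "mismatch detected, status $?" >&2
```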