- Create the security group:

    $ openstack security group create VPN_traffic \
        --description "For permitting VPN traffic"

- On all ports, enable ingress for protocol numbers 50 and 51 for the ESP and AH protocols, respectively, which IPsec uses for transmission of data:

    $ openstack security group rule create VPN_traffic \
        --ingress --protocol 50 --dst-port -1:-1
    +-------------------+-------------------+
    | Field             | Value             |
    +-------------------+-------------------+
    | direction         | ingress           |
    | ethertype         | IPv4              |
    | headers           |                   |
    | id                | <ID>              |
    | port_range_max    | 65535             |
    | port_range_min    | 1                 |
    | project_id        | <ID>              |
    | protocol          | 50                |
    | remote_group_id   | None              |
    | remote_ip_prefix  | 0.0.0.0/0         |
    | security_group_id | <ID>              |
    +-------------------+-------------------+

    $ openstack security group rule create VPN_traffic \
        --ingress --protocol 51 --dst-port -1:-1
    +-------------------+-------------------+
    | Field             | Value             |
    +-------------------+-------------------+
    | direction         | ingress           |
    | ethertype         | IPv4              |
    | headers           |                   |
    | id                | <ID>              |
    | port_range_max    | 65535             |
    | port_range_min    | 1                 |
    | project_id        | <ID>              |
    | protocol          | 51                |
    | remote_group_id   | None              |
    | remote_ip_prefix  | 0.0.0.0/0         |
    | security_group_id | <ID>              |
    +-------------------+-------------------+

- Enable ingress on UDP port 500 for the Internet Security Association and Key Management Protocol (ISAKMP), which provides authentication and key exchange:

    $ openstack security group rule create VPN_traffic \
        --ingress --protocol UDP --dst-port 500:500
    +-------------------+-------------------+
    | Field             | Value             |
    +-------------------+-------------------+
    | direction         | ingress           |
    | ethertype         | IPv4              |
    | headers           |                   |
    | id                | <ID>              |
    | port_range_max    | 500               |
    | port_range_min    | 500               |
    | project_id        | <ID>              |
    | protocol          | udp               |
    | remote_group_id   | None              |
    | remote_ip_prefix  | 0.0.0.0/0         |
    | security_group_id | <ID>              |
    +-------------------+-------------------+

- Enable ingress on UDP port 4500 for IPsec NAT-T (NAT traversal):

    $ openstack security group rule create VPN_traffic \
        --ingress --protocol UDP --dst-port 4500:4500
    +-------------------+-------------------+
    | Field             | Value             |
    +-------------------+-------------------+
    | direction         | ingress           |
    | ethertype         | IPv4              |
    | headers           |                   |
    | id                | <ID>              |
    | port_range_max    | 4500              |
    | port_range_min    | 4500              |
    | project_id        | <ID>              |
    | protocol          | udp               |
    | remote_group_id   | None              |
    | remote_ip_prefix  | 0.0.0.0/0         |
    | security_group_id | <ID>              |
    +-------------------+-------------------+

- Add the security group to the instance to which you will connect the VPN tunnel:

    $ openstack server add security group \
        <instance_name> VPN_traffic
For more information on working with security groups, see Configuring Access and Security for Instances with CLI.
Allow the IPsec VPN Instance to Source Packets from the Remote Network
Specify the allowed address pair of the remote network on the IPsec VPN instance, so that it will accept traffic from that network.
NOTES: You must have Metacloud administrative permissions and use the neutron client to run this command. Also, the allowed-address-pairs attribute is not additive, so you must list all networks with every update. Use the entire command when adding networks.
- Locate the UUID of the neutron (network) port for your IPsec VPN instance. In the Networks tab of the Dashboard, click the name of the tenant network. Scroll down to the PORTS area and find the network port by its fixed IP. Click the hyperlinked port name to view its UUID.

- Update the port with the allowed networks:

    $ neutron port-update <neutron_port_UUID> \
        --allowed-address-pairs type=dict \
        list=true ip_address=172.16.0.0/24
Create Security Groups for VMs on Each Side of the VPN Tunnel
VMs in the tenant network must be able to reference VMs in the remote network and vice versa. Configure a security group for tenant VMs to reference VMs in the remote network. Then configure a security group for remote VMs to reference VMs in the tenant network.
In the following example, the security group will simply allow ingress on all ports, but you can include more granular rules as your security needs dictate.
- Create a group with a name and description that indicate that it is for permitting remote network ingress:

    $ openstack security group create remote_ingress \
        --description "For permitting remote network ingress"

- On all ports, enable ingress for all nodes in the remote network address range. Note that without --protocol the rule defaults to TCP, as the protocol field in the output shows; add separate rules if the remote VMs also need UDP or ICMP:

    $ openstack security group rule create remote_ingress \
        --ingress --dst-port -1:-1 --remote-ip 172.16.0.0/24
    +-------------------+-------------------+
    | Field             | Value             |
    +-------------------+-------------------+
    | direction         | ingress           |
    | ethertype         | IPv4              |
    | headers           |                   |
    | id                | <ID>              |
    | port_range_max    | 65535             |
    | port_range_min    | 1                 |
    | project_id        | <ID>              |
    | protocol          | tcp               |
    | remote_group_id   | None              |
    | remote_ip_prefix  | 172.16.0.0/24     |
    | security_group_id | <ID>              |
    +-------------------+-------------------+

- Add the security group to each instance in the tenant network:

    $ openstack server add security group \
        <instance_name> remote_ingress

- Perform the preceding steps for the VMs in the remote network, this time allowing ingress from the tenant network.
NOTE: The IPsec endpoint is not the source IP address of the traffic it forwards, so you must configure your remote network in the ACL as you would any external resource reached directly, using its IP address and range.
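As an added example that is not part of this document, the following Python audit checks rule rows keyed by the field names in the output tables above against both groups built on this page: that VPN_traffic admits the four IPsec components (ESP, AH, ISAKMP, NAT-T) and nothing else open to 0.0.0.0/0, and that remote_ingress is scoped to the remote CIDR rather than the whole Internet. The helper names (rule, missing_ipsec_rules, rules_open_to_world, protocols_admitted_from) and the sample rows are constructed here; a real run would feed it rows retrieved from Neutron in that shape.

```python
# Added audit helper, not part of the page: checks rule rows of the shape shown in
# the page's output tables. Sample rows below are constructed, not real cloud data.

IPSEC_NEEDED = {            # component -> (protocol, port) VPN_traffic must admit
    "esp": ("50", None),    # IP protocol 50, carries no ports
    "ah": ("51", None),     # IP protocol 51, carries no ports
    "isakmp": ("udp", 500),
    "nat-t": ("udp", 4500),
}

def rule(protocol, pmin, pmax, cidr, direction="ingress"):
    return {"direction": direction, "ethertype": "IPv4", "protocol": protocol,
            "port_range_min": pmin, "port_range_max": pmax,
            "remote_ip_prefix": cidr}

def _admits(r, proto, port):
    """True if rule r lets ingress traffic of proto (and port, if given) through."""
    if r["direction"] != "ingress" or r["protocol"] != proto:
        return False
    lo = r["port_range_min"] or 1          # None means the whole range
    hi = r["port_range_max"] or 65535
    return port is None or lo <= port <= hi

def _is_ipsec_rule(r):
    """Exactly one of the page's four rules, not a wider superset of it."""
    return any(_admits(r, p, port) and (port is None or
               r["port_range_min"] == r["port_range_max"] == port)
               for p, port in IPSEC_NEEDED.values())

def missing_ipsec_rules(rules):
    """Names of IPsec components the VPN_traffic group does not yet admit."""
    return sorted(n for n, (p, port) in IPSEC_NEEDED.items()
                  if not any(_admits(r, p, port) for r in rules))

def rules_open_to_world(rules):
    """Non-IPsec rules open to 0.0.0.0/0, e.g. remote_ingress made without --remote-ip."""
    return [r for r in rules
            if r["remote_ip_prefix"] in ("0.0.0.0/0", None) and not _is_ipsec_rule(r)]

def protocols_admitted_from(rules, cidr):
    """Protocols admitted from cidr; the page's remote_ingress rule covers TCP only."""
    return {r["protocol"] for r in rules
            if r["direction"] == "ingress" and r["remote_ip_prefix"] == cidr}

# Constructed samples mirroring the page's output tables.
VPN_TRAFFIC = [rule("50", 1, 65535, "0.0.0.0/0"), rule("51", 1, 65535, "0.0.0.0/0"),
               rule("udp", 500, 500, "0.0.0.0/0"), rule("udp", 4500, 4500, "0.0.0.0/0")]
REMOTE_INGRESS = [rule("tcp", 1, 65535, "172.16.0.0/24")]
REMOTE_INGRESS_UNSCOPED = [rule("tcp", 1, 65535, "0.0.0.0/0")]  # --remote-ip forgotten
```

A UDP rule spanning 1-65535 would satisfy missing_ipsec_rules but still be reported by rules_open_to_world, since it is wider than the single-port rules the page creates.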
