如何解决Openstack如何正确激活vpnaas日志?
我们有一个带有openstack ansible的openstack集群构建,我们对此非常满意。实际上,我正在尝试设置VPN。我们已经激活了所有必需的东西,并在openstack和sonicwall之间成功进行了尝试。不幸的是,我们正在尝试与客户建立连接,我正在寻找一些日志,但似乎什么都没有记录。
我们正在使用Openstack Ussuri和Ubuntu 20.04
我们激活了Strongswan
一些配置文件下面:
控制器节点: /etc/neutron/neutron.conf
[DEFAULT]
# Disable stderr logging
use_stderr = false
debug = true
publish_errors = true
fatal_deprecations = False
use_journal = True
## Rpc all
executor_thread_pool_size = 64
rpc_response_timeout = 60
transport_url = hide
# Domain to use for building hostnames
dns_domain = openstacklocal
# Agent
[agent]
polling_interval = 5
report_interval = 60
root_helper = sudo /openstack/venvs/neutron-21.0.0/bin/neutron-rootwrap
/etc/neutron/rootwrap.conf
root_helper_daemon = sudo /openstack/venvs/neutron-21.0.0/bin/neutron-
rootwrap-daemon /etc/neutron/rootwrap.conf
# Messaging
[oslo_messaging_rabbit]
ssl = True
rpc_conn_pool_size = 30
# Notifications
[oslo_messaging_notifications]
topics = notifications
driver = messagingv2
transport_url = hide
# Concurrency (locking mechanisms)
[oslo_concurrency]
lock_path = /var/lock/neutron
/etc/neutron/l3_agent.ini:
[DEFAULT]
debug = True
# Drivers
interface_driver = linuxbridge
agent_mode = legacy
# Conventional failover
allow_automatic_l3agent_failover = True
# HA failover
ha_confs_path = /var/lib/neutron/ha_confs
ha_vrrp_advert_int = 2
ha_vrrp_auth_password = hide
ha_vrrp_auth_type = PASS
# Metadata
enable_metadata_proxy = True
# L3 plugins
# VPNaaS
[vpnagent]
vpn_device_driver = neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver
[AGENT]
extensions = vpnaas
/etc/neutron/neutron_vpnaas.conf:
[service_providers]
service_provider = VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
/etc/neutron/rootwrap.conf:
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
# List of directories to search executables in,in case filters do not
# explicitely specify a full path (separated by ',')
# If not specified,defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
# Enable logging to syslog
# Default value is False
use_syslog = False
# Which syslog facility to use.
# Valid values include auth,authpriv,syslog,local0,local1...
# Default value is 'syslog'
syslog_log_facility = syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level = ERROR
# Rootwrap daemon exits after this seconds of inactivity
daemon_timeout = 600
filters_path = /etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap
exec_dirs = /openstack/venvs/neutron- 21.0.0/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin
[xenapi]
# XenAPI configuration is only required by the L2 agent if it is to
# target a XenServer/XCP compute host's dom0.
xenapi_connection_url = <None>
xenapi_connection_username = root
xenapi_connection_password = <None>
/openstack/venvs/neutron-21.0.0/lib/python3.8/site-packages/neutron_vpnaas/services/vpn/device_drivers/template/strongswan/ipsec.conf.template:
# Configuration for {{vpnservice.id}}
config setup
charondebug="ike 4,knl 4,net 4,enc 4,chd 4,esp 4,cfg 2,dmn 4,mgr 4,asn 4"
conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
authby=psk
mobike=no
{% for ipsec_site_connection in vpnservice.ipsec_site_connections%}
conn {{ipsec_site_connection.id}}
keyexchange={{ipsec_site_connection.ikepolicy.ike_version}}
left={{ipsec_site_connection.external_ip}}
leftsubnet={{ipsec_site_connection['local_cidrs']|join(',')}}
leftid={{ipsec_site_connection.local_id}}
leftfirewall=yes
right={{ipsec_site_connection.peer_address}}
rightsubnet={{ipsec_site_connection['peer_cidrs']|join(',')}}
rightid={{ipsec_site_connection.peer_id}}
auto=route
dpdaction={{ipsec_site_connection.dpd_action}}
dpddelay={{ipsec_site_connection.dpd_interval}}s
dpdtimeout={{ipsec_site_connection.dpd_timeout}}s
ike={{ipsec_site_connection.ikepolicy.encryption_algorithm}}-{{ipsec_site_connection.ikepolicy.auth_algorithm}}-{{ipsec_site_connection.ikepolicy.pfs}}
ikelifetime={{ipsec_site_connection.ikepolicy.lifetime_value}}s
{%- if ipsec_site_connection.ipsecpolicy.transform_protocol == "ah" %}
ah={{ipsec_site_connection.ipsecpolicy.auth_algorithm}}-{{ipsec_site_connection.ipsecpolicy.pfs}}
{%- else %}
esp={{ipsec_site_connection.ipsecpolicy.encryption_algorithm}}-{{ipsec_site_connection.ipsecpolicy.auth_algorithm}}-{{ipsec_site_connection.ipsecpolicy.pfs}}
{%- endif %}
lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
type={{ipsec_site_connection.ipsecpolicy.encapsulation_mode}}
{% endfor %}
如果有人可以帮助我激活日志,那就太好了
谢谢
解决方法
这不是答案,但使其更具可读性。我们没有接触过charon的配置,但这是/etc/strongswan.d/charon-logging.conf
:
charon {
# Section to define file loggers,see LOGGER CONFIGURATION in
# strongswan.conf(5).
filelog {
# <filename> is the full path to the log file.
# <filename> {
# Loglevel for a specific subsystem.
# <subsystem> = <default>
# If this option is enabled log entries are appended to the existing
# file.
# append = yes
# Default loglevel.
# default = 1
# Enabling this option disables block buffering and enables line
# buffering.
# flush_line = no
# Prefix each log entry with the connection name and a unique
# numerical identifier for each IKE_SA.
# ike_name = no
# Prefix each log entry with a timestamp. The option accepts a
# format string as passed to strftime(3).
# time_format =
# }
}
# Section to define syslog loggers,see LOGGER CONFIGURATION in
# strongswan.conf(5).
syslog {
# Identifier for use with openlog(3).
# identifier =
# <facility> is one of the supported syslog facilities,see LOGGER
# CONFIGURATION in strongswan.conf(5).
# <facility> {
# Loglevel for a specific subsystem.
# <subsystem> = <default>
# Default loglevel.
# default = 1
# Prefix each log entry with the connection name and a unique
# numerical identifier for each IKE_SA.
# ike_name = no
# }
}
}
,
除了第一篇文章,我终于设法在配置下激活了日志: 在控制器上:
/etc/strongswan.d/charon-logging.conf
charon {
# Section to define file loggers,see LOGGER CONFIGURATION in
# strongswan.conf(5).
filelog {
# <name> may be the full path to the log file if it only contains
# characters permitted in section names. Is ignored if path is
# specified.
charon {
# Loglevel for a specific subsystem.
# <subsystem> = <default>
# If this option is enabled log entries are appended to the existing
# file.
append = no
# Default loglevel.
default = 3
# Enabling this option disables block buffering and enables line
# buffering.
flush_line = yes
# Prefix each log entry with the connection name and a unique
# numerical identifier for each IKE_SA.
ike_name = yes
# Optional path to the log file. Overrides the section name. Must be
# used if the path contains characters that aren't allowed in
# section names.
path = /var/log/charon-ike.log
# Adds the milliseconds within the current second after the
# timestamp (separated by a dot,so time_format should end with %S
# or %T).
time_add_ms = yes
# Prefix each log entry with a timestamp. The option accepts a
# format string as passed to strftime(3).
time_format = %b %e %T
}
}
# Section to define syslog loggers,see LOGGER CONFIGURATION in
# strongswan.conf(5).
syslog {
# Identifier for use with openlog(3).
# identifier = CHARON
# <facility> is one of the supported syslog facilities,see LOGGER
# CONFIGURATION in strongswan.conf(5).
# auth {
# Loglevel for a specific subsystem.
# <subsystem> = <default>
# Default loglevel.
# default = 2
# Prefix each log entry with the connection name and a unique
# numerical identifier for each IKE_SA.
# ike_name = yes
# }
}
}
最重要的是:
sudo apparmor_parser -R /etc/apparmor.d/usr.lib.ipsec.charon
使用此配置,您将在/var/log/charon-ike.log下有一个日志文件。 也许您需要重启中子
感谢您的帮助;)
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。