VPN Troubleshooting Guide
Introduction
This guide will help you troubleshoot common issues with site-to-site VPN connections when using OpenStack's VPN as a Service (VPNaaS). VPNaaS enables secure tunnels between networks, such as an OpenStack cloud and an external location.
Step 1: Verify VPN Service Configuration
List VPN services:
openstack vpn service list
Inspect the VPN service:
openstack vpn service show <VPN_SERVICE_UUID>
- Note the router UUID and external IPv4 address.
Step 2: Check VPN Daemon
- Locate the running IPsec daemon:
ps aux | grep ipsec
- Look for pluto (LibreSwan) or charon (StrongSwan) processes.
Access the Neutron L3 container:
docker exec -u root -it neutron_l3_agent bash
Check the IPsec directory:
ls /var/lib/neutron/kolla/ipsec/<ROUTER_UUID>
Step 3: Check VPN Status
- For StrongSwan:
chroot /proc/$(cat /var/lib/neutron/kolla/ipsec/<ROUTER_UUID>/var/run/charon.pid)/cwd ipsec status
- For LibreSwan:
ipsec --rundir /var/lib/neutron/kolla/ipsec/<ROUTER_UUID>/var/run/pluto whack --status
Look for:
- Security Associations: the IKE SA line should read ESTABLISHED (in StrongSwan output the child SA line below it reads INSTALLED, TUNNEL).
- Routed Connections: the connection should show ROUTED, TUNNEL.
Step 4: Verify Connectivity
1. Identify the network namespace (netns):
ip netns ls | grep <ROUTER_UUID>
2. Ping a remote address or gateway from inside the namespace:
ip netns exec <NETNS> ping -I <LOCAL_SUBNET_ROUTER_IP> <REMOTE_IP>
Use -I with the router's address on the local (qr-) subnet. Without it the kernel sources the packet from the external gateway address, which is not covered by the IPsec policy, so the ping never enters the tunnel.
3. Check routing for a specific IP:
ip netns exec <NETNS> ip route get <TARGET_IP>
Step 5: Verify Traffic
- Check conntrack entries:
ip netns exec <NETNS> conntrack -L | grep <REMOTE_IP>
- An entry for <REMOTE_IP> confirms the router saw the traffic. An entry marked [UNREPLIED] means packets left but nothing came back: check the remote end and the return route there.
Step 6: Check IPtables Rules
1. View current rules:
ip netns exec <NETNS> iptables-save
2. Ensure POSTROUTING rules exist in the nat table for each local/peer network pair. VPNaaS adds accept rules matching the IPsec policy (-m policy --dir out --pol ipsec) so that tunnel traffic skips SNAT; if they are missing, the router rewrites the source to its external address and the packets no longer match the tunnel's selectors.
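The "look for" checks in Step 3 and Step 6 can be scripted instead of read by eye. The functions below are an added example, not part of the original guide or of neutron-vpnaas: they take captured output on stdin (StrongSwan "ipsec status" and "iptables-save"; the LibreSwan "whack --status" format differs and is not parsed here). The sample outputs, chain names, SA names and addresses are constructed for illustration and will differ on a real deployment; check_tunnel is a live wrapper that assumes the kolla directory layout and qrouter- namespace naming from this guide.

```shell
#!/usr/bin/env bash
# Added example: not part of the original guide or of neutron-vpnaas.
# Each check reads command output on stdin and returns 0 (pass) or 1 (fail),
# so it can be used in a loop or a monitoring script.

# Step 3: at least one IKE SA in the "Security Associations" section is
# ESTABLISHED. IKE SA lines look like "name[1]: ESTABLISHED 12 minutes ago ...",
# child SA lines like "name{1}:  INSTALLED, TUNNEL ...", so the second field
# distinguishes them.
# Usage: ipsec status | ike_sa_established
ike_sa_established() {
  awk '
    /^Security Associations/ { in_sa = 1; next }
    /^Routed Connections/    { in_sa = 0 }
    in_sa && $2 == "ESTABLISHED" { found = 1 }
    END { exit (found ? 0 : 1) }
  '
}

# Step 3: the "Routed Connections" section shows the policy as ROUTED, TUNNEL.
# Usage: ipsec status | child_sa_routed
child_sa_routed() {
  awk '
    /^Routed Connections/ { in_routed = 1; next }
    in_routed && /ROUTED, TUNNEL/ { found = 1 }
    END { exit (found ? 0 : 1) }
  '
}

# Step 6: a POSTROUTING rule exists for the local/remote CIDR pair. Neutron
# wraps its rules in chains of its own, so any chain name ending in POSTROUTING
# is accepted. Dots in the CIDRs are escaped so they match literally.
# Usage: ip netns exec "$NETNS" iptables-save | postrouting_rule_present 10.0.0.0/24 192.168.1.0/24
postrouting_rule_present() {
  local local_cidr remote_cidr
  local_cidr=$(printf '%s' "$1" | sed 's/\./\\./g')
  remote_cidr=$(printf '%s' "$2" | sed 's/\./\\./g')
  grep -qE "^-A [A-Za-z0-9_-]*POSTROUTING .*-s ${local_cidr} .*-d ${remote_cidr} "
}

# Live wrapper (assumption: StrongSwan, kolla layout, qrouter-<uuid> namespace).
# Runs all three checks for one router and reports what is missing.
# Usage: check_tunnel ROUTER_UUID LOCAL_CIDR REMOTE_CIDR
check_tunnel() {
  local router="$1" local_cidr="$2" remote_cidr="$3" rc=0 status
  local ns="qrouter-${router}"
  local pid_file="/var/lib/neutron/kolla/ipsec/${router}/var/run/charon.pid"
  status=$(chroot "/proc/$(cat "$pid_file")/cwd" ipsec status)
  printf '%s\n' "$status" | ike_sa_established || { echo "no ESTABLISHED IKE SA"; rc=1; }
  printf '%s\n' "$status" | child_sa_routed    || { echo "connection not ROUTED, TUNNEL"; rc=1; }
  ip netns exec "$ns" iptables-save | postrouting_rule_present "$local_cidr" "$remote_cidr" \
    || { echo "no POSTROUTING rule for ${local_cidr} -> ${remote_cidr}"; rc=1; }
  return "$rc"
}

# Constructed sample in the shape of "ipsec status" for a healthy tunnel.
SAMPLE_STATUS_UP='Security Associations (1 up, 0 connecting):
  conn-1[1]: ESTABLISHED 12 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
  conn-1{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0a80001_i c0a80002_o
  conn-1{1}:   10.0.0.0/24 === 192.168.1.0/24
Routed Connections:
  conn-1{1}:  ROUTED, TUNNEL, reqid 1
  conn-1{1}:   10.0.0.0/24 === 192.168.1.0/24'

# Constructed sample for a tunnel whose IKE negotiation has not completed:
# the policy is routed, but no SA is ESTABLISHED.
SAMPLE_STATUS_DOWN='Security Associations (0 up, 1 connecting):
  conn-1[2]: CONNECTING, 203.0.113.10[%any]...198.51.100.20[%any]
Routed Connections:
  conn-1{1}:  ROUTED, TUNNEL, reqid 1
  conn-1{1}:   10.0.0.0/24 === 192.168.1.0/24'

# Constructed sample of iptables-save lines from a router namespace.
SAMPLE_IPTABLES='*nat
:POSTROUTING ACCEPT [0:0]
:neutron-vpn-agen-POSTROUTING - [0:0]
-A POSTROUTING -j neutron-vpn-agen-POSTROUTING
-A neutron-vpn-agen-POSTROUTING -s 10.0.0.0/24 -d 192.168.1.0/24 -m policy --dir out --pol ipsec -j ACCEPT
COMMIT'
```

Run the checks against the samples with, for example, printf '%s\n' "$SAMPLE_STATUS_UP" | ike_sa_established; on a real router, run check_tunnel from inside the neutron_l3_agent container with the router UUID and the two CIDRs from the site connection.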
Step 7: Common Issues
- No traffic crossing the VPN:
Check for mismatched IPsec settings on both ends (local and peer subnets, IKE and IPsec policies, lifetimes, DPD).
Verify connectivity with ping or the routing checks above.
- VPN status shows INSTALLED but not ESTABLISHED:
Ensure the remote peer is reachable; UDP 500, UDP 4500 and ESP (IP protocol 50) must be allowed by any firewall in the path.
Verify that the pre-shared key and the tunnel configuration match on both sides.
Need More Help?
If you are unable to resolve the issue, contact support with:
- VPN service UUID
- Router UUID
- Any error messages or logs from the above steps.