Public bug reported:

Currently, VPNaaS IPsec site to site connections may be created with one or more peer (right side) subnets specified (as CIDRs). However, for the local (left) side, only a single subnet can be specified.

The reference OpenSwan/StrongSwan implementations will support multiple subnets on the local side, and this RFE is proposing to provide that support. This requires the following changes:

REST API
========
Modify the API to not specify the local subnet on the VPN service create API, and instead, require the local subnet(s) to be specified on the IPSec connection API, in a similar fashion to what is done for remote CIDRs. Validation can make sure that there is at least one local CIDR, and all subnets in the connection are using the same IP version. This involves a backward incompatible API change, so will go to v2.0, and provide support for 1.0 in the code base.

NEUTRON CLIENT
==============
The CLI client could change from:

    neutron vpn-service-create ROUTER SUBNET
    neutron ipsec-site-connection-create ... --vpnservice-id VPNSERVICE --ikepolicy-id IKEPOLICY --ipsecpolicy-id IPSECPOLICY --peer-address PEER_ADDRESS --peer-id PEER_ID --peer-cidr PEER_CIDRS --psk PSK

to:

    neutron vpn-service-create ROUTER
    neutron ipsec-site-connection-create ... --vpnservice-id VPNSERVICE --ikepolicy-id IKEPOLICY --ipsecpolicy-id IPSECPOLICY --peer-address PEER_ADDRESS --peer-id PEER_ID --peer-cidr PEER_CIDRS --local-cidr LOCAL_CIDRS --psk PSK

DATABASE
========
The local CIDRs could be added to the IPSec connection table. Migration needed for this change.

DRIVER
======
Besides passing the local CIDR information from service to device driver (along with existing info), the device driver needs to apply this information to the *Swan template in the same manner as is done for peer CIDR information.

DOCS
====
Update the API reference pages for VPN service create and IPSec connection create. Update existing Wiki how-to pages.

** Affects: neutron
   Importance: Undecided
   Status: New

** Tags: rfe vpnaas

-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1459423

Title:
  VPNaaS: Allow multiple local subnets for IPSec

Status in OpenStack Neutron (virtual network service):
  New
Mailing list: https://launchpad.net/~yahoo-eng-team
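As an added example (not code from the bug report or from Neutron), the validation and driver steps the RFE describes can be sketched in Python: a connection must carry at least one local CIDR, every local and peer CIDR must parse and share one IP version, and the accepted lists are then joined into leftsubnet/rightsubnet lines in strongSwan's comma-separated ipsec.conf syntax. The function names, the error strings and the sample CIDRs are assumptions.

```python
import ipaddress

# Added example, not Neutron code. Mirrors the API-level checks the RFE asks
# for on the proposed local-cidr attribute and the *Swan template step in the
# device driver. Sample CIDRs used in the tests are constructed.


def validate_connection_cidrs(local_cidrs, peer_cidrs):
    """Return the common IP version (4 or 6), or raise ValueError."""
    if not local_cidrs:
        raise ValueError("at least one local CIDR is required")
    if not peer_cidrs:
        raise ValueError("at least one peer CIDR is required")
    versions = set()
    for side, cidrs in (("local", local_cidrs), ("peer", peer_cidrs)):
        for cidr in cidrs:
            try:
                # strict=True rejects CIDRs with host bits set (e.g. 10.0.0.1/24),
                # which would otherwise be silently accepted into the template.
                net = ipaddress.ip_network(cidr, strict=True)
            except ValueError as exc:
                raise ValueError("invalid %s CIDR %r: %s" % (side, cidr, exc))
            versions.add(net.version)
    if len(versions) != 1:
        raise ValueError("all local and peer CIDRs must share one IP version, "
                         "got %s" % sorted(versions))
    return versions.pop()


def connection_cidr_error(local_cidrs, peer_cidrs):
    """Return the validation error message, or None when the sets are valid."""
    try:
        validate_connection_cidrs(local_cidrs, peer_cidrs)
    except ValueError as exc:
        return str(exc)
    return None


def render_swan_subnets(local_cidrs, peer_cidrs):
    """Return the leftsubnet=/rightsubnet= lines for a strongSwan conn section.

    Local CIDRs are emitted the same way peer CIDRs already are: as one
    comma-separated list, so the template needs no per-subnet conn entries.
    """
    validate_connection_cidrs(local_cidrs, peer_cidrs)
    return ("leftsubnet=%s" % ",".join(local_cidrs),
            "rightsubnet=%s" % ",".join(peer_cidrs))
```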