← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1459423] [NEW] VPNaaS: Allow multiple local subnets for IPSec

 

Public bug reported:

Currently, VPNaaS IPsec site to site connections may be created with one
or more peer (right side) subnets specified (as CIDRs). However, for the
local (left) side, only a single subnet can be specified.

The reference OpenSwan/StrongSwan implementations will support multiple
subnets on the local side, and this RFE is proposing to provide that
support.  This requires the following changes:

REST API
=======
Modify the API to not specify the local subnet on the VPN service create API, and instead, require the local subnet(s) to be specified on the IPSec connection API, in a similar fashion to what is done for remote CIDRs.

Validation can make sure that there is at least one local CIDR, and all
subnets in the connection are using the same IP version.

This involves a backward incompatible API change, so will go to v2.0,
and provide support for 1.0 in the code base.


NEUTRON CLIENT
==============

The CLI client could change from:
neutron vpn-service-create ROUTER SUBNET
neutron ipsec-site-connection-create ...
                                            --vpnservice-id VPNSERVICE
                                            --ikepolicy-id IKEPOLICY
                                            --ipsecpolicy-id IPSECPOLICY
                                            --peer-address PEER_ADDRESS
                                            --peer-id PEER_ID
                                            --peer-cidr PEER_CIDRS
                                            --psk PSK

to:
neutron vpn-service-create ROUTER
neutron ipsec-site-connection-create ...
                                            --vpnservice-id VPNSERVICE
                                            --ikepolicy-id IKEPOLICY
                                            --ipsecpolicy-id IPSECPOLICY
                                            --peer-address PEER_ADDRESS
                                            --peer-id PEER_ID
                                            --peer-cidr PEER_CIDRS
                                            --local-cidr LOCAL_CIDRS
                                            --psk PSK
                                           


DATABASE
=========
The local CIDRs could be added to the IPSec connection table. Migration needed for this change.


DRIVER
======
Besides passing the local CIDR information from service to device driver (along with existing info), the device driver needs to apply this information to the *Swan template in the same manner as is done for peer CIDR information.


DOCS
====
Update the API reference pages for VPN service create and IPSec connection create. Update existing Wiki how-to pages.

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: rfe vpnaas

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1459423

Title:
  VPNaaS: Allow multiple local subnets for IPSec

Status in OpenStack Neutron (virtual network service):
  New

Bug description:
  Currently, VPNaaS IPsec site to site connections may be created with
  one or more peer (right side) subnets specified (as CIDRs). However,
  for the local (left) side, only a single subnet can be specified.

  The reference OpenSwan/StrongSwan implementations will support
  multiple subnets on the local side, and this RFE is proposing to
  provide that support.  This requires the following changes:

  REST API
  =======
  Modify the API to not specify the local subnet on the VPN service create API, and instead, require the local subnet(s) to be specified on the IPSec connection API, in a similar fashion to what is done for remote CIDRs.

  Validation can make sure that there is at least one local CIDR, and
  all subnets in the connection are using the same IP version.

  This involves a backward incompatible API change, so will go to v2.0,
  and provide support for 1.0 in the code base.

  
  NEUTRON CLIENT
  ==============

  The CLI client could change from:
  neutron vpn-service-create ROUTER SUBNET
  neutron ipsec-site-connection-create ...
                                              --vpnservice-id VPNSERVICE
                                              --ikepolicy-id IKEPOLICY
                                              --ipsecpolicy-id IPSECPOLICY
                                              --peer-address PEER_ADDRESS
                                              --peer-id PEER_ID
                                              --peer-cidr PEER_CIDRS
                                              --psk PSK

  to:
  neutron vpn-service-create ROUTER
  neutron ipsec-site-connection-create ...
                                              --vpnservice-id VPNSERVICE
                                              --ikepolicy-id IKEPOLICY
                                              --ipsecpolicy-id IPSECPOLICY
                                              --peer-address PEER_ADDRESS
                                              --peer-id PEER_ID
                                              --peer-cidr PEER_CIDRS
                                              --local-cidr LOCAL_CIDRS
                                              --psk PSK
                                             

  
  DATABASE
  =========
  The local CIDRs could be added to the IPSec connection table. Migration needed for this change.

  
  DRIVER
  ======
  Besides passing the local CIDR information from service to device driver (along with existing info), the device driver needs to apply this information to the *Swan template in the same manner as is done for peer CIDR information.

  
  DOCS
  ====
  Update the API reference pages for VPN service create and IPSec connection create. Update existing Wiki how-to pages.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1459423/+subscriptions


Follow ups

References