Difference between revisions of "Neutron/VPNaaS"
(updated link for API reference)
(66 intermediate revisions by 5 users not shown)
Line 1: | Line 1: | ||
+ | {{warning|REASON=The api document is now in official api document. Please see http://developer.openstack.org/api-ref-networking-v2-ext.html#vpnaas-v2.0}} | ||
+ | |||
+ | This wiki page is for development discussion | ||
+ | |||
= Overview = | = Overview = | ||
− | VPNaaS (VPN-as-a-Service) is a | + | VPNaaS (VPN-as-a-Service) is a Neutron extension that introduces VPN feature set. |
The following is the proposed plan for design and implementation of the VPN as a Service feature in OpenStack Networking for the Havana release. While our long term goal for VPNaaS is to make it very feature rich and to support multiple tunneling,security protocols that supports both static and dynamic routing, but for the short term we would want to deliver a basic experimental reference implementation based on opensource for IPsec based VPNs using just static routing that will allow us to evaluate the API, resource model and usability of this feature. This will allow us to gather feedback, and make enhancements if required. | The following is the proposed plan for design and implementation of the VPN as a Service feature in OpenStack Networking for the Havana release. While our long term goal for VPNaaS is to make it very feature rich and to support multiple tunneling,security protocols that supports both static and dynamic routing, but for the short term we would want to deliver a basic experimental reference implementation based on opensource for IPsec based VPNs using just static routing that will allow us to evaluate the API, resource model and usability of this feature. This will allow us to gather feedback, and make enhancements if required. | ||
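Review bot: the Overview sentence on the second line of this hunk is ungrammatical ("While our long term goal ... but for the short term", "tunneling,security protocols that supports"); suggest splitting it: "Our long-term goal for VPNaaS is a feature-rich service supporting multiple tunneling and security protocols with both static and dynamic routing. For the short term we want to deliver a basic experimental reference implementation, based on open source, for IPsec VPNs with static routing only." The added warning template is useful; it could also say that the tables below may lag the official document it points to.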
Line 10: | Line 14: | ||
== DataModel == | == DataModel == | ||
− | ===VPNServices | + | ===VPNServices Resource=== |
{| class="wikitable" | {| class="wikitable" | ||
Line 23: | Line 27: | ||
|- | |- | ||
| description||string||no||CRU||None||N/A||Description of the VPN Service | | description||string||no||CRU||None||N/A||Description of the VPN Service | ||
− | |||
− | |||
|- | |- | ||
| status||string||N/A||R||N/A||N/A||Indicates whether ipsec vpnservice is currently operational. Possible values include: | | status||string||N/A||R||N/A||N/A||Indicates whether ipsec vpnservice is currently operational. Possible values include: | ||
Line 34: | Line 36: | ||
| admin_state_up||bool||N/A||CRU||TRUE||true/false||Administrative state of vpnservice. If false (down), port does not forward packets | | admin_state_up||bool||N/A||CRU||TRUE||true/false||Administrative state of vpnservice. If false (down), port does not forward packets | ||
|- | |- | ||
− | |subnet_id||uuid||yes*( subnet_id | + | |subnet_id||uuid||yes*( subnet_id is needed)||CR||N/A||Valid subnet id||Subnet id in which the tenant wants the vpn service |
|- | |- | ||
|router_id||uuid||yes||CR||N/A||Valid router id||Router id to which the vpn service is inserted | |router_id||uuid||yes||CR||N/A||Valid router id||Router id to which the vpn service is inserted | ||
− | |||
− | |||
|} | |} | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | === | + | ===IKEPolicies Resource=== |
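Review bot: the subnet_id row marks the attribute "yes*( subnet_id is needed)" but nothing in the table explains the asterisk; either drop it or add a footnote under the table (the vpn-service-create section later uses the same "(*)" with no explanation). The admin_state_up row's description "If false (down), port does not forward packets" was copied from the port resource; for this row it should say the vpnservice does not forward packets.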
Line 68: | Line 52: | ||
| tenant_id||uuid-str||Yes||CR||None||valid tenant_id||UUID for owner of the vpn service | | tenant_id||uuid-str||Yes||CR||None||valid tenant_id||UUID for owner of the vpn service | ||
|- | |- | ||
− | | name||string|| | + | | name||string||yes||CRU||None||N/A||friendly name for the ikepolicy |
|- | |- | ||
| description||string||no||CRU||None||N/A||Description of the ikepolicy | | description||string||no||CRU||None||N/A||Description of the ikepolicy | ||
|- | |- | ||
− | | auth_algorithm||string|| | + | | auth_algorithm||string||no||CRU||sha1||N/A||Authentication Hash algorithms“sha1”. |
|- | |- | ||
− | | encryption_algorithm||string|| | + | | encryption_algorithm||string||no||CRU||aes-128||N/A||Encryption Algorithms 3des, aes-128, aes-256, aes-192 etc., |
|- | |- | ||
− | | phase1_negotiation_mode||string|| | + | | phase1_negotiation_mode||string||no||CRU||Main Mode||N/A||IKE mode Main mode |
|- | |- | ||
− | | | + | |pfs||string||no||CRU||Group5||N/A||Perfect Forward Secrecy ( Group2, Group5, Group14) |
|- | |- | ||
− | | | + | |ike_version||string||no||CRU||v1||N/A||v1 or v2 version |
|- | |- | ||
− | | | + | |lifetime |
|- | |- | ||
− | | | + | |units||string||no||CRU||seconds||"seconds"||Lifetime of the SA unit in ‘seconds’ |
+ | |- | ||
+ | |value||integer||no||CRU||3600 for seconds||Integer||Lifetime value in seconds (value >= 60) | ||
|- | |- | ||
− | |||
|} | |} | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | ===IPsecPolicies Resource=== | |
− | === | ||
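Review bot: the Allowed column is N/A for auth_algorithm, encryption_algorithm, phase1_negotiation_mode and pfs while the real value sets ("3des, aes-128, aes-256, aes-192", "Group2, Group5, Group14") sit in the description column; move them into Allowed so an implementer can validate against them. Since 3des and Group2 (1024-bit MODP) are on the accepted list, the table should state that they are kept only for interoperability with legacy peers and that the defaults (aes-128, Group5) are the minimum recommended choice. phase1_negotiation_mode has default "Main Mode" and no Allowed set, while the CLI section later offers 'Main' or 'Aggressive'; document which spellings the API accepts. The curly quotes in “sha1” and ‘seconds’ should be plain ASCII quotes.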
Line 117: | Line 85: | ||
| tenant_id||uuid-str||Yes||CR||None||valid tenant_id||UUID for owner of the vpn service | | tenant_id||uuid-str||Yes||CR||None||valid tenant_id||UUID for owner of the vpn service | ||
|- | |- | ||
− | | name||string|| | + | | name||string||yes||CRU||None||N/A||friendly name for the IPsecPolicy |
|- | |- | ||
| description||string||no||CRU||None||N/A||Description of the policy | | description||string||no||CRU||None||N/A||Description of the policy | ||
|- | |- | ||
− | | transform_protocol||string|| | + | | transform_protocol||string||no||CRU||ESP||N/A||Tranform Protocol used such as ESP or AH or AH-ESP |
+ | |- | ||
+ | | encapsulation_mode||string||no||CRU||tunnel||N/A||Encapsulation mode either Tunnel mode or transport mode | ||
|- | |- | ||
− | | | + | | auth_algorithm||string||no||CRU||sha1||N/A||Authentication algorithm sha1 |
|- | |- | ||
− | | | + | |encryption_algorithm||string||no||CRU||aes-128||N/A||Encryption Algorithms 3des, aes-128, aes-256, aes-192 |
|- | |- | ||
− | | | + | |pfs||string||no||CRU||group5||N/A||Perfect Forward Secrecy ( group2, group5, group14) |
|- | |- | ||
− | | | + | |lifetime |
|- | |- | ||
− | | | + | |units||string||no||CRU||seconds||"seconds||Lifetime of the SA unit in ‘seconds’ |
|- | |- | ||
− | | | + | |value||integer||no||CRU||3600 for seconds||Integer||Lifetime value in seconds (value >= 60) |
|- | |- | ||
− | |||
|} | |} | ||
− | + | ===ipsec-site-connection Resource === | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | === | ||
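Review bot: the transform_protocol row has a typo ("Tranform") and lists AH-ESP as a third value, while the vpn-ipsecpolicy-create section below describes only 'ESP' or 'AH'; align the two. The units row's Allowed value is missing its closing quote ("seconds). The table should also state that encryption_algorithm does not apply when transform_protocol is AH, since AH gives integrity only, and that lifetime units accept only "seconds" here (the CLI text later claims 'kilobytes' as well).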
Line 167: | Line 118: | ||
| tenant_id||uuid-str||Yes||CR||None||valid tenant_id||UUID for owner of the vpn service | | tenant_id||uuid-str||Yes||CR||None||valid tenant_id||UUID for owner of the vpn service | ||
|- | |- | ||
− | | name||string||no||CRU||None||N/A||name for | + | | name||string||no||CRU||None||N/A||name for ipsec-site-connection |
|- | |- | ||
− | | description||string||no||CRU||None||N/A||Description of the | + | | description||string||no||CRU||None||N/A||Description of the ipsec-site-connection |
|- | |- | ||
| peer_address||ipaddress(v4 or v6)||yes||CRU||N/A||valid ip address (v4 or v6)||peer vpn gateway public address or FQDN | | peer_address||ipaddress(v4 or v6)||yes||CRU||N/A||valid ip address (v4 or v6)||peer vpn gateway public address or FQDN | ||
Line 177: | Line 128: | ||
| peer_cidrs||list[string]||yes||CRU||N/A||list of valid cidr in the form <network_address>/<prefix>||Peer private cidrs | | peer_cidrs||list[string]||yes||CRU||N/A||list of valid cidr in the form <network_address>/<prefix>||Peer private cidrs | ||
|- | |- | ||
− | | route_mode||string|| | + | | route_mode||string||no||R||static||static||Static |
− | |||
− | |||
|- | |- | ||
− | | | + | | mtu||integer||no||CRU||1500||Integer||mtu - maximum transmission unit to address fragmentation ( value>=68 ) |
− | |||
− | |||
− | |- | ||
− | |||
|- | |- | ||
| auth_mode||string||no||R||psk||psk/certs||Authentication mode, either PSK or certificate | | auth_mode||string||no||R||psk||psk/certs||Authentication mode, either PSK or certificate | ||
Line 191: | Line 136: | ||
| psk||string||yes||CRU||N/A||NO||Pre-shared-key any string. | | psk||string||yes||CRU||N/A||NO||Pre-shared-key any string. | ||
|- | |- | ||
− | | initiator||string||no||CRU|| | + | | initiator||string||no||CRU||bi-directional||"bi-directional / response-only"||Whether this VPN can only respond to connections or can initiate as well |
|- | |- | ||
− | | | + | | admin_state_up||bool||N/A||CRU||TRUE||"true / false"||Administrative state of vpn connection. If false (down), vpn concd nection does not forward packets |
|- | |- | ||
| status||string||N/A||R||N/A||N/A||Indicates whether vpn connection is currently operational. Possible values include:ACTIVE,DOWN,BUILD,ERROR | | status||string||N/A||R||N/A||N/A||Indicates whether vpn connection is currently operational. Possible values include:ACTIVE,DOWN,BUILD,ERROR | ||
|- | |- | ||
− | | | + | | ikepolicy_id||uuid||yes||CR||N/A||uuid of ikepolicy||uuid id of ikepolicy |
|- | |- | ||
− | | | + | | ipsecpolicy_id||uuid||yes||CR||N/A||uuid of ipsecpolicy||uuid id of ipsecpolicy |
|- | |- | ||
| vpnservice_id||uuid||yes||CR||N/A||uuid of vpnservice||service id of vpnservice | | vpnservice_id||uuid||yes||CR||N/A||uuid of vpnservice||service id of vpnservice | ||
+ | |- | ||
+ | |dpd | ||
+ | |- | ||
+ | | action||string||no||CRU||hold||"hold / clear / disabled /restart /restart_by_peer"||DPD actions controls the use of Dead Peer Detection Protocol. ( clear, hold, restart, disabled, restart-by-peer) | ||
+ | |- | ||
+ | | interval||integer||no||CRU||30||> 0||sec for DPD delay | ||
+ | |- | ||
+ | | timeout||integer||no||CRU||120||> 0 & > dpd_interval||sec for DPD timeout | ||
+ | |- | ||
|} | |} | ||
+ | == Current Proposed API for VPNaaS "[[Neutron/VPNaaS/API]]"== | ||
+ | This section describes commands that will be introduced into python-neutronclient in order to support VPNaaS advanced service. | ||
<pre><nowiki> | <pre><nowiki> | ||
− | + | vpn-service-create Create a VPNService | |
− | + | vpn-service-delete Delete a given VPNService | |
− | + | vpn-service-list List all VPNService for a given tenant. | |
− | + | vpn-service-show Show detailed information of a given VPNService. | |
− | + | vpn-service-update Update a given VPNservice. | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | vpn- | ||
− | vpn- | ||
− | vpn- | ||
− | vpn- | ||
vpn-ikepolicy-create Create an IKEPolicy | vpn-ikepolicy-create Create an IKEPolicy | ||
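Review bot: the admin_state_up row contains the garbled phrase "vpn concd nection" (should be "vpn connection"). The psk row gives "NO" in the Allowed column and describes the key as "any string"; specify the validation an implementer must apply (non-empty, minimum length, permitted characters) instead of accepting any string. The peer_address row allows only "valid ip address (v4 or v6)" while its description also mentions an FQDN; state whether hostnames are accepted. In the added dpd rows, "restart_by_peer" in the Allowed column and "restart-by-peer" in the description differ by one character; pick one spelling.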
Line 251: | Line 176: | ||
vpn-ipsecpolicy-create Create an IPsec policy | vpn-ipsecpolicy-create Create an IPsec policy | ||
vpn-ipsecpolicy-delete Delete a given IPsec Policy | vpn-ipsecpolicy-delete Delete a given IPsec Policy | ||
− | vpn-ipsecpolicy-list List | + | vpn-ipsecpolicy-list List IPsecPolicies that belong to a given tenant connection. |
vpn-ipsecpolicy-show Show detailed information of a given IPsec Policy | vpn-ipsecpolicy-show Show detailed information of a given IPsec Policy | ||
vpn-ipsecpolicy-update Update a given IPsec Policy. | vpn-ipsecpolicy-update Update a given IPsec Policy. | ||
− | + | ipsec-site-connection-create Create a ipsec-site-connection | |
− | + | ipsec-site-connection-delete Delete a given ipsec-site-connection. | |
− | + | ipsec-site-connection-list List ipsec-site-connections that belong to a given tenant. | |
− | + | ipsec-site-connection-show Show information of a given ipsec-site-connection. | |
− | + | ipsec-site-connection-update Update a given ipsec-site-connection. | |
</nowiki></pre> | </nowiki></pre> | ||
+ | |||
= Command Specification = | = Command Specification = | ||
− | == vpn- | + | == vpn-service-create == |
Create a new vpnservice | Create a new vpnservice | ||
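Review bot: the vpn-ipsecpolicy-list description "List IPsecPolicies that belong to a given tenant connection." has a stray word; it should read "belong to a given tenant." like the vpn-service-list line.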
Line 271: | Line 197: | ||
<pre><nowiki> | <pre><nowiki> | ||
− | + | neutron vpn-service-create [-h] [-f {shell,table}] [-c COLUMN] | |
[--variable VARIABLE] [--prefix PREFIX] | [--variable VARIABLE] [--prefix PREFIX] | ||
[--request-format {json,xml}] | [--request-format {json,xml}] | ||
[--tenant-id TENANT_ID] | [--tenant-id TENANT_ID] | ||
[--admin-state-down] [--name NAME] | [--admin-state-down] [--name NAME] | ||
− | [--description DESCRIPTION] | + | [--description DESCRIPTION] |
− | + | ROUTER | |
− | + | SUBNET | |
</nowiki></pre> | </nowiki></pre> | ||
− | + | ||
* '''tenant-id''': ID of the Tenant that owns the VPN Service. | * '''tenant-id''': ID of the Tenant that owns the VPN Service. | ||
− | * '''router | + | * '''router''': Unique identifier of the Router (either 'name' or 'id') to which the VPN will be attached to. |
− | * '''subnet | + | * '''subnet''': Unique identifier of the Subnet (either 'name' or 'id') to which the VPN will provide service. (*) |
− | |||
− | + | == vpn-service-delete == | |
− | |||
− | == vpn- | ||
Delete a given vpnservice object. | Delete a given vpnservice object. | ||
<pre><nowiki> | <pre><nowiki> | ||
− | + | neutron vpn-service-delete [-h] [--request-format {json,xml}] VPNSERVICE | |
</nowiki></pre> | </nowiki></pre> | ||
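Review bot: the router bullet reads "to which the VPN will be attached to" (duplicate "to"), and the subnet bullet ends in "(*)" with no footnote anywhere on the page; add the footnote (presumably the same caveat as the "yes*" in the VPNServices table) or drop the marker.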
Line 300: | Line 223: | ||
− | == vpn- | + | == vpn-service-list == |
Show list of VPN Service objects available to tenant. | Show list of VPN Service objects available to tenant. | ||
<pre><nowiki> | <pre><nowiki> | ||
− | + | neutron vpn-service-list | |
</nowiki></pre> | </nowiki></pre> | ||
− | == vpn- | + | == vpn-service-show == |
Shows information about a given VPN Service object. | Shows information about a given VPN Service object. | ||
<pre><nowiki> | <pre><nowiki> | ||
− | + | neutron vpn-service-show [-h] [-f {shell,table}] [-c COLUMN] | |
[--variable VARIABLE] [--prefix PREFIX] | [--variable VARIABLE] [--prefix PREFIX] | ||
[--request-format {json,xml}] [-D] | [--request-format {json,xml}] [-D] | ||
Line 319: | Line 242: | ||
− | == vpn- | + | == vpn-service-update == |
Update information of a given VPN Service Object. | Update information of a given VPN Service Object. | ||
<pre><nowiki> | <pre><nowiki> | ||
− | + | neutron vpn-service-update [-h] [--request-format {json,xml}] VPNSERVICE | |
</nowiki></pre> | </nowiki></pre> | ||
+ | Note: Only can change when status is not PENDING_CREATE, PENDING_UPDATE, or PENDING_DELETE. | ||
== vpn-ikepolicy-create == | == vpn-ikepolicy-create == | ||
Line 333: | Line 257: | ||
<pre><nowiki> | <pre><nowiki> | ||
− | + | neutron vpn-ikepolicy-create [-h] [-f {shell,table}] [-c COLUMN] | |
[--variable VARIABLE] [--prefix PREFIX] | [--variable VARIABLE] [--prefix PREFIX] | ||
[--request-format {json,xml}] | [--request-format {json,xml}] | ||
− | [--tenant-id TENANT_ID] | + | [--tenant-id TENANT_ID] |
[--description DESCRIPTION] | [--description DESCRIPTION] | ||
− | [-- | + | [--auth-algorithm AUTH-ALGORITHM] |
− | [-- | + | [--encryption-algorithm ENCRYPTION-ALGORITHM] |
− | [-- | + | [--phase1-negotiation-mode PHASE1-NEGOTIATION-MODE] |
− | [-- | + | [--ike-version IKE-VERSION] |
− | |||
[--pfs PFS] | [--pfs PFS] | ||
+ | [--lifetime unit=UNITS,value=VALUE] | ||
+ | NAME | ||
</nowiki></pre> | </nowiki></pre> | ||
− | * ''' | + | * '''NAME''': Friendly name of the IKEPolicy used in IPsec VPN Service Connections |
* '''description''': Friendly description of the IKEPolicy used in IPsec VPN Service Connections | * '''description''': Friendly description of the IKEPolicy used in IPsec VPN Service Connections | ||
* '''tenant-id''': ID of the Tenant that owns the VPN Service. | * '''tenant-id''': ID of the Tenant that owns the VPN Service. | ||
− | * ''' | + | * '''auth-algorithm''': Authentication algorithm used in the IKEPolicy. |
− | * ''' | + | * '''encryption-algorithm''': Encryption algorithm used in the IKEPolicy. |
− | * ''' | + | * '''phase1-negotiation-mode''': Phase1 negotiation mode for IKE either 'Main' or 'Aggressive'. |
− | * ''' | + | * '''lifetime''': String with lifetime specific parameters example: --lifetime "units=seconds,value=3600" |
− | * ''' | + | * '''units''': Units for lifetime ('seconds' or 'kilobytes') |
− | + | * '''value'''. Value for lifetime (non-negative integer). | |
+ | * '''ike-version''': Specify the ike_version. | ||
+ | * '''pfs''': Specify the Perfect Forward Secrecy. | ||
== vpn-ikepolicy-delete == | == vpn-ikepolicy-delete == | ||
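Review bot: the synopsis shows `--lifetime unit=UNITS,value=VALUE` while the bullet example uses `--lifetime "units=seconds,value=3600"`; one of the two key names is wrong. The units bullet offers 'kilobytes' and the value bullet says "non-negative integer", but the IKEPolicies table accepts only "seconds" and requires value >= 60; the CLI text should match the data model. The phase1-negotiation-mode bullet offers 'Aggressive', which the table does not list. Also "'''value'''." uses a period where the other bullets use a colon.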
Line 361: | Line 288: | ||
<pre><nowiki> | <pre><nowiki> | ||
− | + | neutron vpn-ikepolicy-delete [-h] [--request-format {json,xml}] | |
IKEPOLICY | IKEPOLICY | ||
</nowiki></pre> | </nowiki></pre> | ||
Line 372: | Line 299: | ||
<pre><nowiki> | <pre><nowiki> | ||
− | + | neutron vpn-ikepolicy-list | |
</nowiki></pre> | </nowiki></pre> | ||
Line 379: | Line 306: | ||
<pre><nowiki> | <pre><nowiki> | ||
− | + | neutron vpn-ikepolicy-show [-h] [-f {shell,table}] [-c COLUMN] | |
[--variable VARIABLE] [--prefix PREFIX] | [--variable VARIABLE] [--prefix PREFIX] | ||
[--request-format {json,xml}] [-D] | [--request-format {json,xml}] [-D] | ||
Line 392: | Line 319: | ||
<pre><nowiki> | <pre><nowiki> | ||
− | + | neutron vpn-ikepolicy-delete [-h] [--request-format {json,xml}] | |
IKEPOLICY | IKEPOLICY | ||
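Review bot: this is the second `neutron vpn-ikepolicy-delete` synopsis on the page (the first is in the vpn-ikepolicy-delete section); it sits between vpn-ikepolicy-show and vpn-ipsecpolicy-create, where the page's contents list vpn-ikepolicy-update, so the command name here should be `vpn-ikepolicy-update`.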
Line 405: | Line 332: | ||
<pre><nowiki> | <pre><nowiki> | ||
− | + | neutron vpn-ipsecpolicy-create [-h] [-f {shell,table}] [-c COLUMN] | |
[--variable VARIABLE] [--prefix PREFIX] | [--variable VARIABLE] [--prefix PREFIX] | ||
[--request-format {json,xml}] | [--request-format {json,xml}] | ||
− | [--tenant-id TENANT_ID] | + | [--tenant-id TENANT_ID] |
[--description DESCRIPTION] | [--description DESCRIPTION] | ||
− | -- | + | --transform-protocol TRANSFORM-PROTOCOL |
− | [-- | + | [--auth-algorithm AUTH-ALGORITHM] |
− | [-- | + | [--encryption-algorithm ENCRYPTION-ALGORITHM] |
− | [-- | + | [--encapsulation-mode ENCAPSULATION-MODE] |
− | [-- | + | [--pfs PFS] |
− | [-- | + | [--lifetime units=UNITS,value=VALUE] |
− | + | NAME | |
</nowiki></pre> | </nowiki></pre> | ||
− | * ''' | + | * '''NAME''': Friendly name of the IPsecPolicy used in IPsec VPN Service Connections |
* '''description''': Friendly description of the IPsecPolicy used in IPsec VPN Service Connections | * '''description''': Friendly description of the IPsecPolicy used in IPsec VPN Service Connections | ||
* '''tenant-id''': ID of the Tenant that owns the VPN Service. | * '''tenant-id''': ID of the Tenant that owns the VPN Service. | ||
− | * ''' | + | * '''auth-algorithm''': Authentication algorithm used in the IPsecPolicy. |
− | * ''' | + | * '''encryption-algorithm''': Encryption algorithm used in the IPsecPolicy. |
− | * ''' | + | * '''encapsulation-mode''': Encapsulation mode for IPsec tunnel either 'tunnel' or 'transport'. |
− | * ''' | + | * '''transfrom-protocol''': IPsec Transform Protocol either 'ESP' or 'AH'. |
− | * ''' | + | * '''lifetime''': String with lifetime specific parameters example: --lifetime "units=seconds,value=3600" |
− | * ''' | + | * '''units''': Units for lifetime ('seconds' or 'kilobytes') |
+ | * '''value'''. Value for lifetime (non-negative integer). | ||
+ | * '''pfs''': Specify the Perfect Forward Secrecy. | ||
== vpn-ipsecpolicy-delete == | == vpn-ipsecpolicy-delete == | ||
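Review bot: the transform-protocol bullet is misspelled "transfrom-protocol" and offers only 'ESP' or 'AH' while the IPsecPolicies table also lists AH-ESP; the synopsis shows `--transform-protocol` as mandatory (no brackets) although the table marks it optional with default ESP. As in the IKE section, the units bullet's 'kilobytes' and the value bullet's "non-negative integer" contradict the table ("seconds" only, value >= 60).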
Line 434: | Line 363: | ||
<pre><nowiki> | <pre><nowiki> | ||
− | + | neutron vpn-ipsecpolicy-delete [-h] [--request-format {json,xml}] | |
IPSECPOLICY | IPSECPOLICY | ||
</nowiki></pre> | </nowiki></pre> | ||
Line 445: | Line 374: | ||
<pre><nowiki> | <pre><nowiki> | ||
− | + | neutron vpn-ipsecpolicy-list | |
</nowiki></pre> | </nowiki></pre> | ||
Line 452: | Line 381: | ||
<pre><nowiki> | <pre><nowiki> | ||
− | + | neutron vpn-ipsecpolicy-show [-h] [-f {shell,table}] [-c COLUMN] | |
[--variable VARIABLE] [--prefix PREFIX] | [--variable VARIABLE] [--prefix PREFIX] | ||
[--request-format {json,xml}] [-D] | [--request-format {json,xml}] [-D] | ||
Line 465: | Line 394: | ||
<pre><nowiki> | <pre><nowiki> | ||
− | + | neutron vpn-ipsecpolicy-delete [-h] [--request-format {json,xml}] | |
IPSECPOLICY | IPSECPOLICY | ||
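Review bot: same problem as in the IKE policy section: this second `neutron vpn-ipsecpolicy-delete` synopsis occupies the vpn-ipsecpolicy-update slot and should read `vpn-ipsecpolicy-update`.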
Line 471: | Line 400: | ||
− | == | + | == ipsec-site-connection-create == |
− | Create a new | + | Create a new ipsec-site-connection object |
<pre><nowiki> | <pre><nowiki> | ||
− | + | neutron ipsec-site-connection-create [-h] [-f {shell,table}] | |
[-c COLUMN] | [-c COLUMN] | ||
[--variable VARIABLE] | [--variable VARIABLE] | ||
Line 485: | Line 414: | ||
[--admin-state-down] --name NAME | [--admin-state-down] --name NAME | ||
[--description DESCRIPTION] | [--description DESCRIPTION] | ||
− | -- | + | --peer-address PEER-ADDRESS |
− | -- | + | --peer-id PEER-ID --peer_cidr |
− | + | PEER-CIDRS | |
[--mtu MTU] | [--mtu MTU] | ||
− | + | [--psk PSK] | |
− | |||
− | |||
− | |||
− | |||
[--initiator INITIATOR] | [--initiator INITIATOR] | ||
− | vpnservice ikepolicy | + | [--dpd DPD] |
+ | --vpnservice-id VPNSERVICE | ||
+ | --ikepolicy-id IKEPOLICY | ||
+ | --ipsecpolicy-id IPSECPOLICY | ||
</nowiki></pre> | </nowiki></pre> | ||
− | * ''' | + | * '''peer-address''': Remote Peer IP Address for the VPN Connection. |
* '''tenant-id''': ID of the Tenant that owns the VPN Service. | * '''tenant-id''': ID of the Tenant that owns the VPN Service. | ||
− | * ''' | + | * '''peer-id''': Peer identifier string. |
− | * ''' | + | * '''peer_cidr''': Remote Peer Subnet with mask in CIDR format. |
* '''mtu''': MTU for fragmentation | * '''mtu''': MTU for fragmentation | ||
− | * ''' | + | * '''dpd''': String with the dpd attributes. Example: --dpd "action=hold,interval=30,timeout=120" |
− | * ''' | + | * '''action''': Dead peer detection actions (action=hold, restart etc.,). |
− | * ''' | + | * '''interval''': Dead peer detection interval.(interval=30) |
− | * ''' | + | * '''timeout''': Dead peer detection timeout.(timeout=120) |
− | * ''' | + | * '''route-mode''': Routing mode either 'static' or 'dynamic' - for first release only 'static supported. |
+ | * '''auth-mode''': Authentication mode either 'PSK' or 'CERTS' | ||
* '''psk''': Peer identifier string. | * '''psk''': Peer identifier string. | ||
* '''initiator''': Initiator mode either 'bi-directional' or 'responder'. | * '''initiator''': Initiator mode either 'bi-directional' or 'responder'. | ||
− | * '''vpnservice''': Unique Identifier to the VPN Service Object. | + | * '''vpnservice-id''': Unique Identifier to the VPN Service Object. |
− | * '''ikepolicy''': Unique Identifier to the IKE Policy Object. | + | * '''ikepolicy-id''': Unique Identifier to the IKE Policy Object. |
− | * '''ipsecpolicy''': Unique Identifier to the IPsec Policy Object. | + | * '''ipsecpolicy-id''': Unique Identifier to the IPsec Policy Object. |
− | + | == ipsec-site-connection-delete == | |
− | == | + | Delete a given ipsec-site-connection object. |
− | Delete a given | ||
<pre><nowiki> | <pre><nowiki> | ||
− | + | neutron ipsec-site-connection-delete | |
+ | [-h] | ||
[--request-format {json,xml}] | [--request-format {json,xml}] | ||
− | + | ipsec-site-connection | |
</nowiki></pre> | </nowiki></pre> | ||
− | * ''' | + | * '''ipsec-site-connection''': Unique identifier that identifies the VPN Connection to be deleted. |
− | + | == ipsec-site-connection-list == | |
− | == | + | Show list of VPN Connection objects available to tenant. |
− | Show list of VPN | ||
<pre><nowiki> | <pre><nowiki> | ||
− | + | neutron ipsec-site-connection-list | |
</nowiki></pre> | </nowiki></pre> | ||
− | == | + | == ipsec-site-connection-show == |
− | Shows information about a given VPN | + | Shows information about a given VPN Connection object. |
<pre><nowiki> | <pre><nowiki> | ||
− | + | neutron ipsec-site-connection-show [-h] [-f {shell,table}] [-c COLUMN] | |
[--variable VARIABLE] [--prefix PREFIX] | [--variable VARIABLE] [--prefix PREFIX] | ||
[--request-format {json,xml}] [-D] | [--request-format {json,xml}] [-D] | ||
[-F FIELD] | [-F FIELD] | ||
− | + | ipsec-site-connection | |
</nowiki></pre> | </nowiki></pre> | ||
− | == | + | == ipsec-site-connection-update == |
− | Update information of a given VPN | + | Update information of a given VPN Connection Object. |
<pre><nowiki> | <pre><nowiki> | ||
− | + | neutron ipsec-site-connection-update [-h] [--request-format {json,xml}] ipsec-site-connection | |
</nowiki></pre> | </nowiki></pre> | ||
+ | |||
+ | Note: Only can change when status is not PENDING_CREATE, PENDING_UPDATE, or PENDING_DELETE. | ||
= REST API = | = REST API = | ||
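Review bot: in the ipsec-site-connection-create synopsis `--peer_cidr` uses an underscore while every other option is dashed, and it takes PEER-CIDRS (plural, a list in the table) while the bullet says "Remote Peer Subnet" (singular); settle on a repeatable `--peer-cidr` or a documented list syntax. `[--psk PSK]` is shown optional, but the table marks psk required and auth_mode defaults to psk; the psk bullet's text "Peer identifier string." is copied from peer-id and should describe the pre-shared key. The route-mode and auth-mode bullets describe options the synopsis does not have and the table marks read-only (R); drop them or add the options. Minor: missing closing quote in "'static supported", and initiator offers 'responder' where the table says 'response-only'.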
Line 563: | Line 493: | ||
* The tenant creates one or more IKEPolicies. | * The tenant creates one or more IKEPolicies. | ||
* The tenant creates one or more IPsecPolicies. | * The tenant creates one or more IPsecPolicies. | ||
− | * The tenant creates one or more | + | * The tenant creates one or more ipsec-site-connections and associates with the VPNService id, IKEPolicy id and IPsecPolicy id. |
Line 573: | Line 503: | ||
/v1.0/vpnservices/ | /v1.0/vpnservices/ | ||
GET | GET | ||
− | /v1.0/vpnservices/ | + | /v1.0/vpnservices/vpnservice-id |
POST | POST | ||
/v1.0/vpnservices | /v1.0/vpnservices | ||
UPDATE | UPDATE | ||
− | /v1.0/vpnservices/ | + | /v1.0/vpnservices/vpnservice-id |
DELETE | DELETE | ||
− | /v1.0/vpnservices/ | + | /v1.0/vpnservices/vpnservice-id |
</nowiki></pre> | </nowiki></pre> | ||
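Review bot: UPDATE is not an HTTP method; the verb for /v1.0/vpnservices/vpnservice-id should be PUT (the same applies to the ikepolicies, ipsecpolicies and ipsec-site-connections URI lists below). The paths are under /v1.0 while the warning at the top of the page points at the v2.0 API document; confirm the version prefix.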
Line 599: | Line 529: | ||
"tenant_id": "310df60f-2a10-4ee5-9554-98393092194c", | "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c", | ||
"name": "cloud_vpn", | "name": "cloud_vpn", | ||
− | " | + | "subnet": "96a4386a-f8c3-42ed-afce-d7954eee77b3", |
− | " | + | "router": "8acda86a-f8c3-42ed-afce-d7954eee77b3", |
− | |||
} | } | ||
} | } | ||
</nowiki></pre> | </nowiki></pre> | ||
− | |||
====JSON Response==== | ====JSON Response==== | ||
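Review bot: the request body uses "subnet" and "router" while the VPNServices table names the attributes subnet_id and router_id (and the response below returns subnet-id and router-id); use the table's names in both.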
Line 618: | Line 546: | ||
"vpnservice": { | "vpnservice": { | ||
"id": "02b1fef7-16f5-4917-bf19-c40a9af805ed", | "id": "02b1fef7-16f5-4917-bf19-c40a9af805ed", | ||
− | " | + | "tenant-id": "310df60f-2a10-4ee5-9554-98393092194c", |
"name": "cloud_vpn", | "name": "cloud_vpn", | ||
− | " | + | "subnet-id": "96a4386a-f8c3-42ed-afce-d7954eee77b3", |
− | " | + | "router-id": "8acda86a-f8c3-42ed-afce-d7954eee77b3", |
− | |||
− | |||
"admin_state_up": true, | "admin_state_up": true, | ||
"status": "PENDING_CREATE" | "status": "PENDING_CREATE" | ||
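Review bot: the response mixes hyphenated keys (tenant-id, subnet-id, router-id) with an underscored one (admin_state_up) in the same object, and the request in the previous hunk sends tenant_id. Pick the underscore form, which matches the data model table.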
Line 635: | Line 561: | ||
<pre><nowiki> | <pre><nowiki> | ||
GET | GET | ||
− | /v1.0/ | + | /v1.0/ikepolicies/ |
POST | POST | ||
− | /v1.0/ | + | /v1.0/ikepolicies |
GET | GET | ||
− | /v1.0/ | + | /v1.0/ikepolicies/ikepolicy-id |
UPDATE | UPDATE | ||
− | /v1.0/ | + | /v1.0/ikepolicies/ikepolicy-id |
DELETE | DELETE | ||
− | /v1.0/ | + | /v1.0/ikepolicies/ikepolicy-id |
</nowiki></pre> | </nowiki></pre> | ||
Line 653: | Line 579: | ||
<pre><nowiki> | <pre><nowiki> | ||
#!highlight javascript numbers=disable | #!highlight javascript numbers=disable | ||
− | POST /v1.0/ | + | POST /v1.0/ikepolicies |
Accept: application/json | Accept: application/json | ||
Content-Type: application/json | Content-Type: application/json | ||
Line 662: | Line 588: | ||
"ikepolicy" : { | "ikepolicy" : { | ||
"name": "ikepolicy_1", | "name": "ikepolicy_1", | ||
− | " | + | "auth-algorithm" : "sha1", |
− | " | + | "encryption-algorithm" : "aes-256", |
− | " | + | "phase1-negotiation-mode" : "main", |
− | " | + | "lifetime": "units=seconds,value=28800", |
− | " | + | "ike-version" : "v1", |
− | "pfs": " | + | "pfs": " Group5", |
} | } | ||
} | } | ||
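Review bot: the request body is not valid JSON: the last member `"pfs": " Group5",` ends with a trailing comma, and the value carries a leading space. The lifetime is sent as the string "units=seconds,value=28800" while the response below returns it as an object with units and value; the request should use the same object form.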
Line 684: | Line 610: | ||
"tenant_id": "310df60f-2a10-4ee5-9554-98393092194c", | "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c", | ||
"name": "ikepolicy_1", | "name": "ikepolicy_1", | ||
− | " | + | "auth-algorithm" : "sha1", |
− | " | + | "encryption-algorithm" : "aes-256", |
− | " | + | "phase1-negotiation-mode" : "main", |
− | + | "lifetime": { | |
− | " | + | "units" : "seconds" |
− | "pfs": " | + | "value" : 28800, |
+ | } | ||
+ | "ike-version" : "v1", | ||
+ | "pfs": "Group5", | ||
} | } | ||
} | } | ||
</nowiki></pre> | </nowiki></pre> | ||
− | |||
==IPsecPolicy APIs== | ==IPsecPolicy APIs== | ||
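Review bot: the response JSON is malformed: no comma after `"units" : "seconds"`, a trailing comma after `"value" : 28800,`, no comma after the lifetime object's closing brace, and a trailing comma after `"pfs": "Group5",`. As written no client will parse it.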
Line 700: | Line 628: | ||
GET | GET | ||
− | /v1.0/ | + | /v1.0/ipsecpolicies/ |
POST | POST | ||
− | /v1.0/ | + | /v1.0/ipsecpolicies |
GET | GET | ||
− | /v1.0/ | + | /v1.0/ipsecpolicies/ipsecpolicy-id |
UPDATE | UPDATE | ||
− | /v1.0/ | + | /v1.0/ipsecpolicies/ipsecpolicy-id |
DELETE | DELETE | ||
− | /v1.0/ | + | /v1.0/ipsecpolicies/ipsecpolicy-id |
</nowiki></pre> | </nowiki></pre> | ||
Line 716: | Line 644: | ||
<pre><nowiki> | <pre><nowiki> | ||
#!highlight javascript numbers=disable | #!highlight javascript numbers=disable | ||
− | POST /v1.0/ | + | POST /v1.0/ipsecpolicies |
Accept: application/json | Accept: application/json | ||
Content-Type: application/json | Content-Type: application/json | ||
Line 725: | Line 653: | ||
"ipsecpolicy" : { | "ipsecpolicy" : { | ||
"name": "ipsecpolicy_1", | "name": "ipsecpolicy_1", | ||
− | " | + | "transform-protocol": "esp", |
− | " | + | "auth-algorithm" : "sha1", |
− | " | + | "encryption-algorithm" : "aes-256", |
− | " | + | "encapsulation-mode" : "tunnel", |
− | " | + | "lifetime": "units=seconds,value=28800", |
− | + | "pfs": "Group5" | |
− | "pfs": " | ||
} | } | ||
} | } | ||
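Review bot: same request/response mismatch as in the IKE policy example: lifetime is a "units=...,value=..." string here but an object in the response. "transform-protocol": "esp" is lower-case while the table lists ESP; state whether the API normalises case.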
Line 749: | Line 676: | ||
"ipsecpolicy" : { | "ipsecpolicy" : { | ||
"id":"cfc6589d-f949-4c66-99d2-c2da56ef3764", | "id":"cfc6589d-f949-4c66-99d2-c2da56ef3764", | ||
− | " | + | "tenant-id": "310df60f-2a10-4ee5-9554-98393092194c", |
"name": "ipsecpolicy_1", | "name": "ipsecpolicy_1", | ||
− | " | + | "transform-protocol": "esp", |
− | " | + | "auth-algorithm" : "sha1", |
− | " | + | "encryption-algorithm" : "aes-256", |
− | " | + | "encapsulation-mode" : "tunnel", |
− | + | "lifetime": { | |
− | + | "units" : "seconds" | |
− | "pfs": " | + | "value" : 28800, |
+ | } | ||
+ | "pfs": "Group5" | ||
} | } | ||
} | } | ||
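Review bot: the response has the same comma errors as the IKE policy response (missing after "seconds" and after the lifetime object's closing brace, trailing after 28800); fix all four JSON examples together.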
Line 763: | Line 692: | ||
− | + | ipsec-site-connection | |
− | |||
− | == | + | ==ipsec-site-connection APIs== |
<pre><nowiki> | <pre><nowiki> | ||
GET | GET | ||
− | /v1.0/ | + | /v1.0/ipsec-site-connections/ |
POST | POST | ||
− | /v1.0/ | + | /v1.0/ipsec-site-connections |
GET | GET | ||
− | /v1.0/ | + | /v1.0/ipsec-site-connections/ipsec-site-connection-id |
UPDATE | UPDATE | ||
− | /v1.0/ | + | /v1.0/ipsec-site-connections/ipsec-site-connection-id |
DELETE | DELETE | ||
− | /v1.0/ | + | /v1.0/ipsec-site-connections/ipsec-site-connection-id |
</nowiki></pre> | </nowiki></pre> | ||
− | === | + | ===ipsec-site-connection Create=== |
====JSON Request==== | ====JSON Request==== | ||
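Review bot: the first line of this hunk, a bare "ipsec-site-connection" above the ==ipsec-site-connection APIs== heading, is a leftover from the rename and should be removed.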
Line 789: | Line 717: | ||
<pre><nowiki> | <pre><nowiki> | ||
#!highlight javascript numbers=disable | #!highlight javascript numbers=disable | ||
− | POST /v1.0/ | + | POST /v1.0/ipsec-site-connections |
Accept: application/json | Accept: application/json | ||
Content-Type: application/json | Content-Type: application/json | ||
Line 796: | Line 724: | ||
{ | { | ||
− | " | + | "ipsec_site_connection" : { |
"name": "ipsec_connection_1", | "name": "ipsec_connection_1", | ||
− | " | + | "peer-address": "192.168.2.255", |
− | " | + | "peer-id" : "192.168.2.255", |
− | " | + | "peer-cidr" : "10.30.2.0/24", |
− | " | + | "dpd": "action=hold,interval=20,timeout=120", |
− | |||
− | |||
− | |||
"mtu": "1500", | "mtu": "1500", | ||
− | |||
"psk": "bla_bla_bla", | "psk": "bla_bla_bla", | ||
"initiator": "bi-directional", | "initiator": "bi-directional", | ||
− | " | + | "vpnservice-id": "02b1fef7-16f5-4917-bf19-c40a9af805ed", |
− | " | + | "ikepolicy-id": "03299abc-16f5-4917-bf19-c40a9af805ed", |
− | " | + | "ipsecpolicy-id": "0dbc1234-16f5-4917-bf19-c40a9af805ed" |
} | } | ||
} | } | ||
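Review bot: the request uses "peer-cidr" with a single string while the table attribute is peer_cidrs, a list; send `"peer_cidrs": ["10.30.2.0/24"]`. "mtu": "1500" is a string where the table says integer. The sample peer-address 192.168.2.255 is the last address of a /24 and reads as a broadcast address; choose another sample value.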
Line 827: | Line 751: | ||
{ | { | ||
− | " | + | "ipsec_site_connection" : { |
"id":"cfc6589d-f949-4c66-99d2-c2da56ef3764", | "id":"cfc6589d-f949-4c66-99d2-c2da56ef3764", | ||
− | " | + | "tenant-id": "310df60f-2a10-4ee5-9554-98393092194c", |
"name": "ipsec_connection_1", | "name": "ipsec_connection_1", | ||
− | " | + | "peer-address": "192.168.2.255", |
− | " | + | "peer-id" : "192.168.2.255", |
− | " | + | "peer-cidr" : "10.30.2.0/24", |
− | " | + | "dpd": { |
− | + | "action" : "hold" | |
− | + | "interval" : 20, | |
− | + | "timeout" : 120, | |
+ | } | ||
"mtu": "1500", | "mtu": "1500", | ||
− | |||
"psk": "bla_bla_bla", | "psk": "bla_bla_bla", | ||
"initiator": "bi-directional", | "initiator": "bi-directional", | ||
− | " | + | "vpnservice-id": "02b1fef7-16f5-4917-bf19-c40a9af805ed", |
− | " | + | "ikepolicy-id": "03299abc-16f5-4917-bf19-c40a9af805ed", |
− | " | + | "ipsecpolicy-id": "0dbc1234-16f5-4917-bf19-c40a9af805ed", |
"admin_state_up": true, | "admin_state_up": true, | ||
"status": "PENDING_CREATE" | "status": "PENDING_CREATE" | ||
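Review bot: the new response body in this hunk is not valid JSON: `"action" : "hold"` lacks a trailing comma, `"timeout" : 120,` has a trailing comma before the closing brace, and no comma follows the dpd object before `"mtu"`. Suggest writing it as `"dpd": {"action": "hold", "interval": 20, "timeout": 120},`.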
Line 851: | Line 775: | ||
</nowiki></pre> | </nowiki></pre> | ||
− | |||
− | |||
− | |||
= Blueprints = | = Blueprints = |
Latest revision as of 16:48, 28 January 2016
This wiki page is for development discussion
Overview
VPNaaS (VPN-as-a-Service) is a Neutron extension that introduces a VPN feature set.
The following is the proposed plan for the design and implementation of the VPN as a Service feature in OpenStack Networking for the Havana release. Our long-term goal for VPNaaS is a feature-rich service that supports multiple tunneling and security protocols with both static and dynamic routing. For the short term, however, we want to deliver a basic, experimental, open-source-based reference implementation of IPsec VPNs using only static routing, which will let us evaluate the API, resource model and usability of this feature, gather feedback, and make enhancements where required.
We would also like a simple configuration model similar to that of AWS. In AWS the IKE and IPsec policies are pre-defined; we want to make them user-configurable rather than fixed templates.
Again for simplicity, we will implement IKE with the “PSK” authentication mode only, rather than certificates. Certificate-based authentication can be added in the future.
DataModel
VPNServices Resource
Attribute | Type | Required | CRUD | DefaultValue | Validation Constraint | Notes |
---|---|---|---|---|---|---|
id | uuid-str | N/A | R | generated | N/A | UUID for VPNService Object |
tenant_id | uuid-str | Yes | CR | None | valid tenant_id | UUID of the tenant for the vpn service |
name | string | no | CRU | None | N/A | name of the VPN Service |
description | string | no | CRU | None | N/A | Description of the VPN Service |
status | string | N/A | R | N/A | N/A | Indicates whether the IPsec vpnservice is currently operational. Possible values: ACTIVE, DOWN, BUILD, ERROR |
admin_state_up | bool | N/A | CRU | TRUE | true/false | Administrative state of the vpnservice. If false (down), the port does not forward packets |
subnet_id | uuid | yes* (subnet_id is needed) | CR | N/A | Valid subnet id | Subnet id in which the tenant wants the vpn service |
router_id | uuid | yes | CR | N/A | Valid router id | Router id to which the vpn service is inserted |
IKEPolicies Resource
Attribute | Type | Required | CRUD | DefaultValue | Validation Constraint | Notes |
---|---|---|---|---|---|---|
id | uuid-str | N/A | R | generated | N/A | UUID for the IKEPolicy |
tenant_id | uuid-str | Yes | CR | None | valid tenant_id | UUID for owner of the vpn service |
name | string | yes | CRU | None | N/A | friendly name for the ikepolicy |
description | string | no | CRU | None | N/A | Description of the ikepolicy |
auth_algorithm | string | no | CRU | sha1 | N/A | Authentication hash algorithm, e.g. “sha1” |
encryption_algorithm | string | no | CRU | aes-128 | N/A | Encryption algorithm: 3des, aes-128, aes-192, aes-256, etc. |
phase1_negotiation_mode | string | no | CRU | Main Mode | N/A | IKE phase 1 mode (Main mode) |
pfs | string | no | CRU | Group5 | N/A | Perfect Forward Secrecy (Group2, Group5, Group14) |
ike_version | string | no | CRU | v1 | N/A | IKE version, v1 or v2 |
lifetime.units | string | no | CRU | seconds | "seconds" | Unit of the SA lifetime (‘seconds’) |
lifetime.value | integer | no | CRU | 3600 for seconds | Integer | Lifetime value in seconds (value >= 60) |
IPsecPolicies Resource
Attribute | Type | Required | CRUD | DefaultValue | Validation Constraint | Notes |
---|---|---|---|---|---|---|
id | uuid-str | N/A | R | generated | N/A | UUID for the IPsecPolicy |
tenant_id | uuid-str | Yes | CR | None | valid tenant_id | UUID for owner of the vpn service |
name | string | yes | CRU | None | N/A | friendly name for the IPsecPolicy |
description | string | no | CRU | None | N/A | Description of the policy |
transform_protocol | string | no | CRU | ESP | N/A | Transform protocol used: ESP, AH or AH-ESP |
encapsulation_mode | string | no | CRU | tunnel | N/A | Encapsulation mode, either tunnel mode or transport mode |
auth_algorithm | string | no | CRU | sha1 | N/A | Authentication algorithm, e.g. sha1 |
encryption_algorithm | string | no | CRU | aes-128 | N/A | Encryption algorithm: 3des, aes-128, aes-192, aes-256 |
pfs | string | no | CRU | group5 | N/A | Perfect Forward Secrecy (group2, group5, group14) |
lifetime.units | string | no | CRU | seconds | "seconds" | Unit of the SA lifetime (‘seconds’) |
lifetime.value | integer | no | CRU | 3600 for seconds | Integer | Lifetime value in seconds (value >= 60) |
ipsec-site-connection Resource
Attribute | Type | Required | CRUD | DefaultValue | Validation Constraint | Notes |
---|---|---|---|---|---|---|
id | uuid-str | N/A | R | generated | N/A | UUID for the vpns connection |
tenant_id | uuid-str | Yes | CR | None | valid tenant_id | UUID for owner of the vpn service |
name | string | no | CRU | None | N/A | name for ipsec-site-connection |
description | string | no | CRU | None | N/A | Description of the ipsec-site-connection |
peer_address | ipaddress(v4 or v6) | yes | CRU | N/A | valid ip address (v4 or v6) | peer vpn gateway public address or FQDN |
peer_id | string | yes | CRU | N/A | N/A | Peer identifier ( Can be name, string or FQDN ) |
peer_cidrs | list[string] | yes | CRU | N/A | list of valid cidr in the form <network_address>/<prefix> | Peer private cidrs |
route_mode | string | no | R | static | static | Static |
mtu | integer | no | CRU | 1500 | Integer | mtu - maximum transmission unit to address fragmentation ( value>=68 ) |
auth_mode | string | no | R | psk | psk/certs | Authentication mode, either PSK or certificate |
psk | string | yes | CRU | N/A | NO | Pre-shared-key any string. |
initiator | string | no | CRU | bi-directional | "bi-directional / response-only" | Whether this VPN can only respond to connections or can initiate as well |
admin_state_up | bool | N/A | CRU | TRUE | "true / false" | Administrative state of the vpn connection. If false (down), the vpn connection does not forward packets |
status | string | N/A | R | N/A | N/A | Indicates whether vpn connection is currently operational. Possible values include:ACTIVE,DOWN,BUILD,ERROR |
ikepolicy_id | uuid | yes | CR | N/A | uuid of ikepolicy | uuid id of ikepolicy |
ipsecpolicy_id | uuid | yes | CR | N/A | uuid of ipsecpolicy | uuid id of ipsecpolicy |
vpnservice_id | uuid | yes | CR | N/A | uuid of vpnservice | service id of vpnservice |
dpd.action | string | no | CRU | hold | "hold / clear / disabled / restart / restart_by_peer" | DPD action controls the use of the Dead Peer Detection protocol (clear, hold, restart, disabled, restart-by-peer) |
dpd.interval | integer | no | CRU | 30 | > 0 | DPD delay in seconds |
dpd.timeout | integer | no | CRU | 120 | > 0 & > dpd_interval | DPD timeout in seconds |
Current proposed API for VPNaaS: "Neutron/VPNaaS/API"
This section describes commands that will be introduced into python-neutronclient in order to support VPNaaS advanced service.
- vpn-service-create: Create a VPNService
- vpn-service-delete: Delete a given VPNService
- vpn-service-list: List all VPNServices for a given tenant.
- vpn-service-show: Show detailed information of a given VPNService.
- vpn-service-update: Update a given VPNService.
- vpn-ikepolicy-create: Create an IKEPolicy
- vpn-ikepolicy-delete: Delete a given IKE Policy.
- vpn-ikepolicy-list: List IKEPolicies that belong to a given tenant.
- vpn-ikepolicy-show: Show detailed information of a given IKEPolicy.
- vpn-ikepolicy-update: Update a given IKE Policy.
- vpn-ipsecpolicy-create: Create an IPsec policy
- vpn-ipsecpolicy-delete: Delete a given IPsec Policy
- vpn-ipsecpolicy-list: List IPsecPolicies that belong to a given tenant connection.
- vpn-ipsecpolicy-show: Show detailed information of a given IPsec Policy
- vpn-ipsecpolicy-update: Update a given IPsec Policy.
- ipsec-site-connection-create: Create an ipsec-site-connection
- ipsec-site-connection-delete: Delete a given ipsec-site-connection.
- ipsec-site-connection-list: List ipsec-site-connections that belong to a given tenant.
- ipsec-site-connection-show: Show information of a given ipsec-site-connection.
- ipsec-site-connection-update: Update a given ipsec-site-connection.
Command Specification
vpn-service-create
Create a new vpnservice
neutron vpn-service-create [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [--tenant-id TENANT_ID] [--admin-state-down] [--name NAME] [--description DESCRIPTION] ROUTER SUBNET
- tenant-id: ID of the Tenant that owns the VPN Service.
- router: Unique identifier of the Router (either 'name' or 'id') to which the VPN will be attached.
- subnet: Unique identifier of the Subnet (either 'name' or 'id') to which the VPN will provide service. (*)
vpn-service-delete
Delete a given vpnservice object.
neutron vpn-service-delete [-h] [--request-format {json,xml}] VPNSERVICE
- VPNSERVICE: Unique identifier that identifies the VPN Service to be deleted.
vpn-service-list
Show list of VPN Service objects available to tenant.
neutron vpn-service-list
vpn-service-show
Shows information about a given VPN Service object.
neutron vpn-service-show [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [-D] [-F FIELD] VPNSERVICE
vpn-service-update
Update information of a given VPN Service Object.
neutron vpn-service-update [-h] [--request-format {json,xml}] VPNSERVICE
Note: the object can only be changed when its status is not PENDING_CREATE, PENDING_UPDATE, or PENDING_DELETE.
vpn-ikepolicy-create
Create a new ikepolicy object
neutron vpn-ikepolicy-create [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [--tenant-id TENANT_ID] [--description DESCRIPTION] [--auth-algorithm AUTH-ALGORITHM] [--encryption-algorithm ENCRYPTION-ALGORITHM] [--phase1-negotiation-mode PHASE1-NEGOTIATION-MODE] [--ike-version IKE-VERSION] [--pfs PFS] [--lifetime unit=UNITS,value=VALUE] NAME
- NAME: Friendly name of the IKEPolicy used in IPsec VPN Service Connections
- description: Friendly description of the IKEPolicy used in IPsec VPN Service Connections
- tenant-id: ID of the Tenant that owns the VPN Service.
- auth-algorithm: Authentication algorithm used in the IKEPolicy.
- encryption-algorithm: Encryption algorithm used in the IKEPolicy.
- phase1-negotiation-mode: Phase1 negotiation mode for IKE either 'Main' or 'Aggressive'.
- lifetime: String with lifetime specific parameters example: --lifetime "units=seconds,value=3600"
- units: Units for lifetime ('seconds' or 'kilobytes')
- value: Value for lifetime (non-negative integer).
- ike-version: Specify the ike_version.
- pfs: Specify the Perfect Forward Secrecy.
vpn-ikepolicy-delete
Delete a given IKEPolicy object.
neutron vpn-ikepolicy-delete [-h] [--request-format {json,xml}] IKEPOLICY
- IKEPOLICY: Unique identifier that identifies the IKEPolicy to be deleted.
vpn-ikepolicy-list
Show list of IKEPolicy objects available to tenant.
neutron vpn-ikepolicy-list
vpn-ikepolicy-show
Shows information about a given IKEPolicy object.
neutron vpn-ikepolicy-show [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [-D] [-F FIELD] IKEPOLICY
vpn-ikepolicy-update
Update information of a given IKEPolicy Object.
neutron vpn-ikepolicy-update [-h] [--request-format {json,xml}] IKEPOLICY
vpn-ipsecpolicy-create
Create a new ipsecpolicy object
neutron vpn-ipsecpolicy-create [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [--tenant-id TENANT_ID] [--description DESCRIPTION] --transform-protocol TRANSFORM-PROTOCOL [--auth-algorithm AUTH-ALGORITHM] [--encryption-algorithm ENCRYPTION-ALGORITHM] [--encapsulation-mode ENCAPSULATION-MODE] [--pfs PFS] [--lifetime units=UNITS,value=VALUE] NAME
- NAME: Friendly name of the IPsecPolicy used in IPsec VPN Service Connections
- description: Friendly description of the IPsecPolicy used in IPsec VPN Service Connections
- tenant-id: ID of the Tenant that owns the VPN Service.
- auth-algorithm: Authentication algorithm used in the IPsecPolicy.
- encryption-algorithm: Encryption algorithm used in the IPsecPolicy.
- encapsulation-mode: Encapsulation mode for IPsec tunnel either 'tunnel' or 'transport'.
- transform-protocol: IPsec Transform Protocol, either 'ESP' or 'AH'.
- lifetime: String with lifetime specific parameters example: --lifetime "units=seconds,value=3600"
- units: Units for lifetime ('seconds' or 'kilobytes')
- value: Value for lifetime (non-negative integer).
- pfs: Specify the Perfect Forward Secrecy.
vpn-ipsecpolicy-delete
Delete a given IPsecPolicy object.
neutron vpn-ipsecpolicy-delete [-h] [--request-format {json,xml}] IPSECPOLICY
- IPSECPOLICY: Unique identifier that identifies the IPSECPolicy to be deleted.
vpn-ipsecpolicy-list
Show list of IPSECPolicy objects available to tenant.
neutron vpn-ipsecpolicy-list
vpn-ipsecpolicy-show
Shows information about a given IPsecPolicy object.
neutron vpn-ipsecpolicy-show [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [-D] [-F FIELD] IPSECPOLICY
vpn-ipsecpolicy-update
Update information of a given IPsecPolicy Object.
neutron vpn-ipsecpolicy-update [-h] [--request-format {json,xml}] IPSECPOLICY
ipsec-site-connection-create
Create a new ipsec-site-connection object
neutron ipsec-site-connection-create [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [--tenant-id TENANT_ID] [--admin-state-down] --name NAME [--description DESCRIPTION] --peer-address PEER-ADDRESS --peer-id PEER-ID --peer_cidr PEER-CIDRS [--mtu MTU] [--psk PSK] [--initiator INITIATOR] [--dpd DPD] --vpnservice-id VPNSERVICE --ikepolicy-id IKEPOLICY --ipsecpolicy-id IPSECPOLICY
- peer-address: Remote Peer IP Address for the VPN Connection.
- tenant-id: ID of the Tenant that owns the VPN Service.
- peer-id: Peer identifier string.
- peer_cidr: Remote Peer Subnet with mask in CIDR format.
- mtu: MTU for fragmentation
- dpd: String with the dpd attributes. Example: --dpd "action=hold,interval=30,timeout=120"
- action: Dead peer detection actions (action=hold, restart etc.,).
- interval: Dead peer detection interval.(interval=30)
- timeout: Dead peer detection timeout.(timeout=120)
- route-mode: Routing mode, either 'static' or 'dynamic'; for the first release only 'static' is supported.
- auth-mode: Authentication mode, either 'PSK' or 'CERTS'.
- psk: Pre-shared key string.
- initiator: Initiator mode, either 'bi-directional' or 'responder'.
- vpnservice-id: Unique Identifier to the VPN Service Object.
- ikepolicy-id: Unique Identifier to the IKE Policy Object.
- ipsecpolicy-id: Unique Identifier to the IPsec Policy Object.
ipsec-site-connection-delete
Delete a given ipsec-site-connection object.
neutron ipsec-site-connection-delete [-h] [--request-format {json,xml}] ipsec-site-connection
- ipsec-site-connection: Unique identifier that identifies the VPN Connection to be deleted.
ipsec-site-connection-list
Show list of VPN Connection objects available to tenant.
neutron ipsec-site-connection-list
ipsec-site-connection-show
Shows information about a given VPN Connection object.
neutron ipsec-site-connection-show [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [-D] [-F FIELD] ipsec-site-connection
ipsec-site-connection-update
Update information of a given VPN Connection Object.
neutron ipsec-site-connection-update [-h] [--request-format {json,xml}] ipsec-site-connection
Note: the object can only be changed when its status is not PENDING_CREATE, PENDING_UPDATE, or PENDING_DELETE.
REST API
High-Level Task Flow
The high-level task flow for using VPNaaS API to configure IPsec VPN is as follows:
- The tenant creates a VPNService, without any connections.
- The tenant creates one or more IKEPolicies.
- The tenant creates one or more IPsecPolicies.
- The tenant creates one or more ipsec-site-connections and associates with the VPNService id, IKEPolicy id and IPsecPolicy id.
VPNService APIs
GET /v1.0/vpnservices/
GET /v1.0/vpnservices/vpnservice-id
POST /v1.0/vpnservices
UPDATE /v1.0/vpnservices/vpnservice-id
DELETE /v1.0/vpnservices/vpnservice-id
VPNService Create
JSON Request
POST /v1.0/vpnservices
Content-Type: application/json
Accept: application/json
X-Auth-Token:xyz
Content-Length: abc

{
    "vpnservice": {
        "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
        "name": "cloud_vpn",
        "subnet": "96a4386a-f8c3-42ed-afce-d7954eee77b3",
        "router": "8acda86a-f8c3-42ed-afce-d7954eee77b3"
    }
}
JSON Response
HTTP/1.1 202 Accepted
Content-Type: application/json
Content-Length: abc

{
    "vpnservice": {
        "id": "02b1fef7-16f5-4917-bf19-c40a9af805ed",
        "tenant-id": "310df60f-2a10-4ee5-9554-98393092194c",
        "name": "cloud_vpn",
        "subnet-id": "96a4386a-f8c3-42ed-afce-d7954eee77b3",
        "router-id": "8acda86a-f8c3-42ed-afce-d7954eee77b3",
        "admin_state_up": true,
        "status": "PENDING_CREATE"
    }
}
IKEPolicy APIs
GET /v1.0/ikepolicies/
POST /v1.0/ikepolicies
GET /v1.0/ikepolicies/ikepolicy-id
UPDATE /v1.0/ikepolicies/ikepolicy-id
DELETE /v1.0/ikepolicies/ikepolicy-id
IKEPolicy Create
JSON Request
POST /v1.0/ikepolicies
Accept: application/json
Content-Type: application/json
X-Auth-Token:xyz
Content-Length: abc

{
    "ikepolicy": {
        "name": "ikepolicy_1",
        "auth-algorithm": "sha1",
        "encryption-algorithm": "aes-256",
        "phase1-negotiation-mode": "main",
        "lifetime": "units=seconds,value=28800",
        "ike-version": "v1",
        "pfs": "Group5"
    }
}
JSON Response
HTTP/1.1 202 Accepted
Content-Type: application/json
Content-Length: abc

{
    "ikepolicy": {
        "id": "cfc6589d-f949-4c66-99d2-c2da56ef3764",
        "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
        "name": "ikepolicy_1",
        "auth-algorithm": "sha1",
        "encryption-algorithm": "aes-256",
        "phase1-negotiation-mode": "main",
        "lifetime": {
            "units": "seconds",
            "value": 28800
        },
        "ike-version": "v1",
        "pfs": "Group5"
    }
}
IPsecPolicy APIs
GET /v1.0/ipsecpolicies/
POST /v1.0/ipsecpolicies
GET /v1.0/ipsecpolicies/ipsecpolicy-id
UPDATE /v1.0/ipsecpolicies/ipsecpolicy-id
DELETE /v1.0/ipsecpolicies/ipsecpolicy-id
IPsecPolicy Create
JSON Request
POST /v1.0/ipsecpolicies
Accept: application/json
Content-Type: application/json
X-Auth-Token:xyz
Content-Length: abc

{
    "ipsecpolicy": {
        "name": "ipsecpolicy_1",
        "transform-protocol": "esp",
        "auth-algorithm": "sha1",
        "encryption-algorithm": "aes-256",
        "encapsulation-mode": "tunnel",
        "lifetime": "units=seconds,value=28800",
        "pfs": "Group5"
    }
}
JSON Response
HTTP/1.1 202 Accepted
Content-Type: application/json
Content-Length: abc

{
    "ipsecpolicy": {
        "id": "cfc6589d-f949-4c66-99d2-c2da56ef3764",
        "tenant-id": "310df60f-2a10-4ee5-9554-98393092194c",
        "name": "ipsecpolicy_1",
        "transform-protocol": "esp",
        "auth-algorithm": "sha1",
        "encryption-algorithm": "aes-256",
        "encapsulation-mode": "tunnel",
        "lifetime": {
            "units": "seconds",
            "value": 28800
        },
        "pfs": "Group5"
    }
}
ipsec-site-connection
ipsec-site-connection APIs
GET /v1.0/ipsec-site-connections/
POST /v1.0/ipsec-site-connections
GET /v1.0/ipsec-site-connections/ipsec-site-connection-id
UPDATE /v1.0/ipsec-site-connections/ipsec-site-connection-id
DELETE /v1.0/ipsec-site-connections/ipsec-site-connection-id
ipsec-site-connection Create
JSON Request
POST /v1.0/ipsec-site-connections
Accept: application/json
Content-Type: application/json
X-Auth-Token:xyz
Content-Length: abc

{
    "ipsec_site_connection": {
        "name": "ipsec_connection_1",
        "peer-address": "192.168.2.255",
        "peer-id": "192.168.2.255",
        "peer-cidr": "10.30.2.0/24",
        "dpd": "action=hold,interval=20,timeout=120",
        "mtu": "1500",
        "psk": "bla_bla_bla",
        "initiator": "bi-directional",
        "vpnservice-id": "02b1fef7-16f5-4917-bf19-c40a9af805ed",
        "ikepolicy-id": "03299abc-16f5-4917-bf19-c40a9af805ed",
        "ipsecpolicy-id": "0dbc1234-16f5-4917-bf19-c40a9af805ed"
    }
}
JSON Response
HTTP/1.1 202 Accepted
Content-Type: application/json
Content-Length: abc

{
    "ipsec_site_connection": {
        "id": "cfc6589d-f949-4c66-99d2-c2da56ef3764",
        "tenant-id": "310df60f-2a10-4ee5-9554-98393092194c",
        "name": "ipsec_connection_1",
        "peer-address": "192.168.2.255",
        "peer-id": "192.168.2.255",
        "peer-cidr": "10.30.2.0/24",
        "dpd": {
            "action": "hold",
            "interval": 20,
            "timeout": 120
        },
        "mtu": "1500",
        "psk": "bla_bla_bla",
        "initiator": "bi-directional",
        "vpnservice-id": "02b1fef7-16f5-4917-bf19-c40a9af805ed",
        "ikepolicy-id": "03299abc-16f5-4917-bf19-c40a9af805ed",
        "ipsecpolicy-id": "0dbc1234-16f5-4917-bf19-c40a9af805ed",
        "admin_state_up": true,
        "status": "PENDING_CREATE"
    }
}
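As an added example (not code from the Neutron project or from this page), the following Python walks the four-step task flow above against a constructed in-memory stand-in for the REST endpoints, parsing the "k=v,k=v" dpd and lifetime strings used by the CLI and the JSON requests and enforcing the data model tables' constraints (dpd timeout > interval, lifetime value >= 60, mtu >= 68, well-formed peer_cidrs, existing policy and service ids). FakeVpnApi, the placeholder router/subnet ids and the snake_case request keys are assumptions of the example.

```python
# Added example (not Neutron or python-neutronclient code): run the task flow's four create calls
# against a constructed in-memory stand-in for the REST endpoints, checking bodies against the tables.
import ipaddress
import uuid

def parse_kv(text):
    """Parse the page's 'k=v,k=v' form, e.g. 'action=hold,interval=30,timeout=120'."""
    out = {}
    for item in text.split(","):
        key, sep, val = (part.strip() for part in item.partition("="))
        if not key or not sep:
            raise ValueError("expected key=value, got %r" % item)
        out[key] = int(val) if val.isdigit() else val  # ints are range-checked later
    return out

def validate_dpd(dpd):
    """Connection table: known action, interval > 0, timeout > interval; defaults fill gaps."""
    d = {"action": "hold", "interval": 30, "timeout": 120, **dpd}
    if d["action"] not in {"hold", "clear", "disabled", "restart", "restart-by-peer"}:
        raise ValueError("bad dpd action %r" % d["action"])
    if not all(isinstance(d[k], int) for k in ("interval", "timeout")) or not 0 < d["interval"] < d["timeout"]:
        raise ValueError("need dpd interval > 0 and timeout > interval")
    return d

def validate_lifetime(lt):
    """Policy tables: units 'seconds' only, integer value >= 60 (default 3600)."""
    d = {"units": "seconds", "value": 3600, **lt}
    if d["units"] != "seconds" or not (isinstance(d["value"], int) and d["value"] >= 60):
        raise ValueError("lifetime must be units=seconds with value >= 60")
    return d

class FakeVpnApi:
    """Stand-in for POST /v1.0/<resource>: keeps the body, echoes it back with id and PENDING_CREATE."""
    def __init__(self):
        self.store = {}
    def create(self, resource, body):
        rec = dict(body, id=str(uuid.uuid4()), admin_state_up=True, status="PENDING_CREATE")
        self.store.setdefault(resource, {})[rec["id"]] = rec
        return rec

def create_site_connection(api, body):
    """Step 4: the three referenced ids must exist and the table constraints must hold."""
    for res, key in (("vpnservices", "vpnservice_id"), ("ikepolicies", "ikepolicy_id"),
                     ("ipsecpolicies", "ipsecpolicy_id")):
        if body[key] not in api.store.get(res, {}):
            raise ValueError("%s %s does not exist" % (key, body[key]))
    ipaddress.ip_address(body["peer_address"])  # valid v4/v6 address, else ValueError
    cidrs = [str(ipaddress.ip_network(c)) for c in body["peer_cidrs"]]  # host bits rejected
    if (body.get("mtu", 1500) < 68 or not body.get("psk")
            or body.get("initiator", "bi-directional") not in ("bi-directional", "response-only")):
        raise ValueError("mtu >= 68, a non-empty psk and a known initiator are required")
    dpd = validate_dpd(parse_kv(body["dpd"]) if isinstance(body["dpd"], str) else body["dpd"])
    return api.create("ipsec-site-connections", dict(body, peer_cidrs=cidrs, dpd=dpd))

def run_task_flow(api, router_id="<router-uuid>", subnet_id="<subnet-uuid>"):
    """Steps 1-4 in order; router/subnet ids are placeholders for real Neutron ids."""
    svc = api.create("vpnservices", {"name": "cloud_vpn", "router_id": router_id, "subnet_id": subnet_id})
    common = {"auth_algorithm": "sha1", "encryption_algorithm": "aes-256", "pfs": "group5",
              "lifetime": validate_lifetime(parse_kv("units=seconds,value=28800"))}
    ike = api.create("ikepolicies", dict(common, name="ikepolicy_1", ike_version="v1"))
    ipsec = api.create("ipsecpolicies", dict(common, name="ipsecpolicy_1",
                                             transform_protocol="esp", encapsulation_mode="tunnel"))
    return create_site_connection(api, {
        "name": "ipsec_connection_1", "peer_address": "192.168.2.255", "peer_id": "192.168.2.255",
        "peer_cidrs": ["10.30.2.0/24"], "mtu": 1500, "psk": "bla_bla_bla",
        "initiator": "bi-directional", "dpd": "action=hold,interval=20,timeout=120",
        "vpnservice_id": svc["id"], "ikepolicy_id": ike["id"], "ipsecpolicy_id": ipsec["id"]})

def is_rejected(fn, *args):
    try:
        fn(*args)
        return False
    except ValueError:
        return True
```

Calling run_task_flow(FakeVpnApi()) returns the connection record with status PENDING_CREATE and the dpd string already expanded to the object form the response above shows.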
Blueprints
VPN as a Service ( VPNaaS) APIs, DataModel and Use Cases