Jump to: navigation, search

Neutron/VPNaaS/SSLVPN

< Neutron‎ | VPNaaS
Revision as of 22:44, 30 January 2014 by Nachi Ueno (talk | contribs) (Created page with "= Overview = This page describes SSL-VPN extension feature in OpenStack Networking for the IceHouse release. == DataModel == ===SSLVPNConnection Resource=== {| class="wiki...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Overview

This page describes SSL-VPN extension feature in OpenStack Networking for the IceHouse release.


DataModel

SSLVPNConnection Resource

Attribute Type Required CRUD DefaultValue Validation Constraint Notes
id uuid-str N/A R generated N/A UUID for VPNService Object
tenant_id uuid-str Yes CR None valid tenant_id UUID of the tenant for the vpn service
name string no CRU None N/A name of the VPN Service
status string N/A R N/A N/A Indicates whether ipsec vpnservice is currently operational. Possible values include:

ACTIVE DOWN BUILD ERROR

admin_state_up bool N/A CRU TRUE true/false Administrative state of vpnservice. If false (down), port does not forward packets
client_address_pool_cidr cidr yes CR N/A Valid cidr Client address pool subnet which will be used by sslvpn client
credential_id uuid-str yes CR valid vpn credential id N/A UUID for VPNCredential
vpnservice_id uuid-str yes CR valid vpn service id N/A UUID for VPNService

VPNCredential Resource

Attribute Type Required CRUD DefaultValue Validation Constraint Notes
id uuid-str N/A R generated N/A UUID for  the  IKEPolicy
tenant_id uuid-str Yes CR None valid tenant_id UUID for owner of the vpn service
name string yes CRU None N/A friendly name for the ikepolicy
ca string yes CR N/A N/A PEM encoded CA certificate
server_certificate string yes CR N/A N/A PEM encoded Server Certificate
server_key string yes CR N/A N/A PEM encoded Server Key
dh string yes CR N/A N/A PEM encoded dh key
crl string yes CR N/A N/A PEM encoded crl key

Current Proposed API for SSLVPN Extension "Neutron/VPNaaS/SSLVPN/API"

This section describes commands that will be introduced into python-neutronclient in order to support SSLVPN services 


  vpn-credential-create          Create an VPNCredential.
  vpn-credential-delete          Delete a given VPNCredential.
  vpn-credential-list            List VPNCredentials that belong to a given tenant.
  vpn-credential-show            Show information of a given VPNCredential.
  vpn-credential-update          Update a given VPNCredential.

  ssl-vpn-connection-create      Create an SSLVPNConnection.
  ssl-vpn-connection-delete      Delete a given SSLVPNConnection.
  ssl-vpn-connection-list        List SSLVPNConnections that belong to a given tenant.
  ssl-vpn-connection-show        Show information of a given SSLVPNConnection.
  ssl-vpn-connection-update      Update a given SSLVPNConnection.

Command Specification (TBD)

vpn-credential-create

Create a new vpnservice 


neutron vpn-service-create [-h] [-f {shell,table}] [-c COLUMN]
                                     [--variable VARIABLE] [--prefix PREFIX]
                                     [--request-format {json,xml}]
                                     [--tenant-id TENANT_ID]
                                     [--admin-state-down] [--name NAME]
                                     [--description DESCRIPTION] 
                                     ROUTER
                                     SUBNET


  • tenant-id: ID of the Tenant that owns the VPN Service.
  • router: Unique identifier of the Router (either 'name' or 'id') to which the VPN will be attached to.
  • subnet: Unique identifier of the Subnet (either 'name' or 'id') to which the VPN will provide service. (*)


REST API (TBD)

High-Level Task Flow

The high-level task flow for using SSLVPN API to configure SSL VPN is as follows:

  • The tenant creates a VPNService, without any connections.
  • The tenant creates one or more VPNCredential.
  • The tenant creates one or more SSLVPnConnection and associates with the VPNService id, VPNCredential id


VPNService APIs


GET
/v1.0/vpnservices/
GET
/v1.0/vpnservices/vpnservice-id
POST
/v1.0/vpnservices
UPDATE
/v1.0/vpnservices/vpnservice-id
DELETE
/v1.0/vpnservices/vpnservice-id


VPNService Create

JSON Request

#!highlight javascript numbers=disable
POST /v1.0/vpnservices
Content-Type: application/json
Accept: application/json
X-Auth-Token:xyz
Content-Length: abc

{
  "vpnservice": {
           
           "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
           "name": "cloud_vpn",
           "subnet": "96a4386a-f8c3-42ed-afce-d7954eee77b3",
	   "router": "8acda86a-f8c3-42ed-afce-d7954eee77b3",
           }
}

JSON Response

#!highlight javascript numbers=disable
HTTP/1.1 202 Accepted
Content-Type: application/json
Content-Length: abc

{
  "vpnservice": {
           "id": "02b1fef7-16f5-4917-bf19-c40a9af805ed",
           "tenant-id": "310df60f-2a10-4ee5-9554-98393092194c",
           "name": "cloud_vpn",
           "subnet-id": "96a4386a-f8c3-42ed-afce-d7954eee77b3",
	   "router-id": "8acda86a-f8c3-42ed-afce-d7954eee77b3",
           "admin_state_up": true,
           "status": "PENDING_CREATE"
           }
}

Blueprints

https://blueprints.launchpad.net/neutron/+spec/neutron-ssl-vpn

Retrieved from "https://wiki.openstack.org/w/index.php?title=Neutron/VPNaaS/SSLVPN&oldid=40868"