Difference between revisions of "Heat/Blueprints/VPaaS Support"
< Heat
(Created page with "Adding new resources types: * VPNServices * IKEPolicy * IPsecPolicy * VPNConnections ===== VPNServices ===== {| class="wikitable" |- ! Property !! Description |- | name || N...") |
|||
| Line 1: | Line 1: | ||
| + | == Summary == | ||
| + | |||
| + | == Components == | ||
| + | |||
Adding new resources types: | Adding new resources types: | ||
* VPNServices | * VPNServices | ||
| Line 5: | Line 9: | ||
* VPNConnections | * VPNConnections | ||
| − | + | === VPNServices === | |
{| class="wikitable" | {| class="wikitable" | ||
| Line 43: | Line 47: | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | + | === IKEPolicy === | |
{| class="wikitable" | {| class="wikitable" | ||
| Line 93: | Line 97: | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | + | === IPsecPolicy === | |
{| class="wikitable" | {| class="wikitable" | ||
| Line 143: | Line 147: | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | + | === VPNConnections === | |
{| class="wikitable" | {| class="wikitable" | ||
| Line 208: | Line 212: | ||
... | ... | ||
</nowiki></pre> | </nowiki></pre> | ||
| + | |||
| + | == Dependencies & References == | ||
| + | |||
| + | * BL: [https://blueprints.launchpad.net/neutron/+spec/quantum-vpnaas-ipsec-ssl VPN as a Service providing IPsec VPN with Static routing] '''(UNDER REVIEW)''' | ||
| + | ** [https://review.openstack.org/#/c/34882/ UI Patch] | ||
| + | ** [https://review.openstack.org/#/c/33148/ Backend Patch] | ||
| + | ** [https://review.openstack.org/#/c/29811/ API Patch] | ||
| + | ** [https://wiki.openstack.org/wiki/Quantum/VPNaaS/HowToInstall Instruction] | ||
| + | |||
| + | == Appendix == | ||
| + | |||
| + | === VPNaaS.template === | ||
| + | <pre><nowiki> | ||
| + | { | ||
| + | "AWSTemplateFormatVersion" : "2010-09-09", | ||
| + | |||
| + | "Description" : "Creates one sided VPN connection between to different regions", | ||
| + | |||
| + | "Parameters" : { | ||
| + | |||
| + | "ExternalNetworkId" : { | ||
| + | "Description" : "External network id", | ||
| + | "Type" : "String", | ||
| + | "ConstraintDescription" : "must be a uuid of existing external network" | ||
| + | }, | ||
| + | |||
| + | "ExternalGatewayIPAddress" : { | ||
| + | "Description" : "External Gateway IP address", | ||
| + | "Type" : "String", | ||
| + | "Default" : "172.24.4.233", | ||
| + | "ConstraintDescription" : "must be an IP address of external gateway" | ||
| + | } | ||
| + | |||
| + | }, | ||
| + | |||
| + | "Resources" : { | ||
| + | |||
| + | "Network": { | ||
| + | "Type": "OS::Quantum::Net", | ||
| + | "Properties": { | ||
| + | "name": "My Network" | ||
| + | } | ||
| + | }, | ||
| + | |||
| + | "Subnet": { | ||
| + | "Type": "OS::Quantum::Subnet", | ||
| + | "Properties": { | ||
| + | "name": "My Subnet", | ||
| + | "network_id": { "Ref" : "Network" }, | ||
| + | "ip_version": 4, | ||
| + | "cidr": "10.1.0.0/24", | ||
| + | "allocation_pools": [ { | ||
| + | "start": "10.1.0.10", | ||
| + | "end": "10.1.0.200" | ||
| + | } | ||
| + | ] | ||
| + | } | ||
| + | }, | ||
| + | |||
| + | "Router": { | ||
| + | "Type": "OS::Quantum::Router", | ||
| + | "Properties": { | ||
| + | "name": "My Router" | ||
| + | } | ||
| + | }, | ||
| + | |||
| + | "RouterInterface": { | ||
| + | "Type": "OS::Quantum::RouterInterface", | ||
| + | "Properties": { | ||
| + | "router_id": { "Ref" : "Router" }, | ||
| + | "subnet_id": { "Ref" : "Subnet" } | ||
| + | } | ||
| + | }, | ||
| + | |||
| + | "RouterGateway": { | ||
| + | "Type": "OS::Quantum::RouterGateway", | ||
| + | "Properties": { | ||
| + | "router_id": { "Ref" : "Router" }, | ||
| + | "network_id": { "Ref" : "ExternalNetworkId" } | ||
| + | } | ||
| + | }, | ||
| + | |||
| + | "VPNService" : { | ||
| + | "Type" : "OS::Quantum::VPNService", | ||
| + | "Properties" : { | ||
| + | "name" : "VPNService", | ||
| + | "description" : "My new VPN service", | ||
| + | "router_id" : { "Ref" : "Router" }, | ||
| + | "subnet_id" : { "Ref" : "Subnet" } | ||
| + | } | ||
| + | }, | ||
| + | |||
| + | "IKEPolicy" : { | ||
| + | "Type" : "OS::Quantum::IKEPolicy", | ||
| + | "Properties" : { | ||
| + | "name" : "IKEPolicy", | ||
| + | "description" : "My new IKE policy" | ||
| + | } | ||
| + | }, | ||
| + | |||
| + | "IPsecPolicy" : { | ||
| + | "Type" : "OS::Quantum::IPsecPolicy", | ||
| + | "Properties" : { | ||
| + | "name" : "IPsecPolicy", | ||
| + | "description" : "My new IPsec policy" | ||
| + | } | ||
| + | }, | ||
| + | |||
| + | "VPNConnection" : { | ||
| + | "Type" : "OS::Quantum::VPNConnection", | ||
| + | "Properties" : { | ||
| + | "name" : "VPNConnection", | ||
| + | "description" : "My new VPN connection", | ||
| + | "peer_address" : { "Ref" : "ExternalGatewayIPAddress" }, | ||
| + | "peer_id" : { "Ref" : "ExternalGatewayIPAddress" }, | ||
| + | "peer_cidrs" : [ "10.2.0.0/24" ], | ||
| + | "psk" : "secret", | ||
| + | "ikepolicy_id" : { "Ref" : "IKEPolicy" }, | ||
| + | "ipsecpolicy_id" : { "Ref" : "IPsecPolicy" }, | ||
| + | "vpnservice_id" : { "Ref" : "VPNService" } | ||
| + | } | ||
| + | } | ||
| + | }, | ||
| + | |||
| + | "Outputs" : { | ||
| + | "router_name" : { | ||
| + | "Value" : { "Fn::GetAtt" : [ "Router", "name" ]}, | ||
| + | "Description" : "Router name" | ||
| + | } | ||
| + | } | ||
| + | } | ||
| + | </nowiki></pre> | ||
| + | |||
| + | [[File:Ntti3 logo.png|framed|center|NTTI3]] | ||
Revision as of 22:09, 19 July 2013
Contents
Summary
Components
Adding new resources types:
- VPNServices
- IKEPolicy
- IPsecPolicy
- VPNConnections
VPNServices
| Property | Description |
|---|---|
| name | Name of the VPN Service. |
| description | Description of the VPN Service. |
| admin_state_up | Administrative state of vpnservice. If false (down), port does not forward packets. |
| subnet_id | Subnet id in which the tenant wants the vpn service. |
| router_id | Router id to which the vpn service is inserted. |
Example:
...
"Resources" : {
...
"VPNService" : {
"Type" : "OS::Quantum::VPNService",
"Properties" : {
"name" : "My VPN",
"description" : "My new VPN",
"admin_state_up" : True,
"subnet_Id" : { "Ref" : "Subnet" },
"router_Id" : { "Ref" : "Router" }
}
}
...
},
...
IKEPolicy
| Property | Description |
|---|---|
| name | Friendly name for the IKE policy. |
| description | Description of the IKE policy. |
| auth_algorithm | Authentication Hash algorithms "sha1". |
| encryption_algorithm | Encryption Algorithms "3des", "aes-128", "aes-256", "aes-192" etc. |
| phase1_negotiation_mode | IKE mode "main". |
| lifetime_units | Lifetime of the SA unit in "seconds" or "kilobytes". |
| lifetime_value | Lifetime value in seconds or kilobytes. |
| pfs | Perfect Forward Secrecy (group2, group5, group14). |
| ike_version | v1 or v2 version. |
Example:
...
"Resources" : {
...
"IKEPolicy" : {
"Type" : "OS::Quantum::IKEPolicy",
"Properties" : {
"name" : "My IKEPolicy",
"description" : "My new IKE policy",
"auth_algorithm" : "sha1",
"encryption_algorithm" : "3des",
"phase1_negotiation_mode" : "main",
"lifetime_units" : "seconds",
"lifetime_value" : 3600,
"pfs" : "group5",
"ike_version" : "v1"
}
}
...
},
...
IPsecPolicy
| Property | Description |
|---|---|
| name | Friendly name for the IPsec policy. |
| description | Description of the IPsec policy. |
| transform_protocol | Transform Protocol used such as "esp" or "ah" or "ah-esp". |
| encapsulation_mode | Encapsulation mode either "tunnel" mode or "transport" mode. |
| auth_algorithm | Authentication Hash algorithms "sha1". |
| encryption_algorithm | Encryption Algorithms "3des", "aes-128", "aes-256", "aes-192" etc. |
| lifetime_units | Lifetime of the SA unit in "seconds" or "kilobytes". |
| lifetime_value | Lifetime value in seconds or kilobytes. |
| pfs | Perfect Forward Secrecy (group2, group5, group14). |
Example:
...
"Resources" : {
...
"IPsecPolicy" : {
"Type" : "OS::Quantum::IPsecPolicy",
"Properties" : {
"name" : "My IKEPolicy",
"description" : "My new IKE policy",
"transform_protocol": "esp",
"encapsulation_mode" : "tunnel",
"auth_algorithm" : "sha1",
"encryption_algorithm" : "3des",
"lifetime_units" : "seconds",
"lifetime_value" : 3600,
"pfs" : "group5"
}
}
...
},
...
VPNConnections
| Property | Description |
|---|---|
| name | Friendly Name for the VPN connection. |
| description | Description of the VPN connection. |
| peer_address | Peer VPN gateway public address or FQDN. |
| peer_id | Peer identifier (Can be name, string or FQDN). |
| mtu | Maximum transmission unit to address fragmentation. |
| dpd_actions | DPD actions controls the use of Dead Peer Detection Protocol. ("clear", "hold", "restart", "disabled", "restart-by-peer"). |
| dpd_interval | Number of seconds for DPD delay. |
| dpd_timeout | Number of seconds for DPD timeout. |
| psk | Pre-shared-key any string. |
| initiator | Whether this VPN can only respond to connections or can initiate as well. |
| admin_state_up | Administrative state of vpn connection. If false (down), VPN connection does not forward packets. |
| ikepolicy_id | UUID id of IKE policy. |
| ipsecpolicy_id | UUID id of IPsec policy. |
| vpnservice_id | UUID id of VPN service. |
Example:
...
"Resources" : {
...
"VPNConnection" : {
"Type" : "OS::Quantum::VPNConnection",
"Properties" : {
"name" : "My VPN connection",
"description" : "My new VPN connection",
"peer_address" : "10.0.0.1",
"peer_id" : "peer",
"peer_cidrs" : ["10.0.0.0/24"],
"mtu" : "1500",
"dpd_actions" : "hold",
"dpd_interval" : "30",
"dpd_timeout" : "120",
"psk" : "secret",
"initiator" : "bi-directional",
"admin_state_up" : True,
"ikepolicy_id" : { "Ref" : "IKEPolicy" },
"ipsecpolicy_Id" : { "Ref" : "IPsecPolicy" },
"vpnservice_id" : { "Ref" : "VPNService" }
}
}
...
},
...
Dependencies & References
- BL: VPN as a Service providing IPsec VPN with Static routing (UNDER REVIEW)
Appendix
VPNaaS.template
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "Creates one sided VPN connection between to different regions",
"Parameters" : {
"ExternalNetworkId" : {
"Description" : "External network id",
"Type" : "String",
"ConstraintDescription" : "must be a uuid of existing external network"
},
"ExternalGatewayIPAddress" : {
"Description" : "External Gateway IP address",
"Type" : "String",
"Default" : "172.24.4.233",
"ConstraintDescription" : "must be an IP address of external gateway"
}
},
"Resources" : {
"Network": {
"Type": "OS::Quantum::Net",
"Properties": {
"name": "My Network"
}
},
"Subnet": {
"Type": "OS::Quantum::Subnet",
"Properties": {
"name": "My Subnet",
"network_id": { "Ref" : "Network" },
"ip_version": 4,
"cidr": "10.1.0.0/24",
"allocation_pools": [ {
"start": "10.1.0.10",
"end": "10.1.0.200"
}
]
}
},
"Router": {
"Type": "OS::Quantum::Router",
"Properties": {
"name": "My Router"
}
},
"RouterInterface": {
"Type": "OS::Quantum::RouterInterface",
"Properties": {
"router_id": { "Ref" : "Router" },
"subnet_id": { "Ref" : "Subnet" }
}
},
"RouterGateway": {
"Type": "OS::Quantum::RouterGateway",
"Properties": {
"router_id": { "Ref" : "Router" },
"network_id": { "Ref" : "ExternalNetworkId" }
}
},
"VPNService" : {
"Type" : "OS::Quantum::VPNService",
"Properties" : {
"name" : "VPNService",
"description" : "My new VPN service",
"router_id" : { "Ref" : "Router" },
"subnet_id" : { "Ref" : "Subnet" }
}
},
"IKEPolicy" : {
"Type" : "OS::Quantum::IKEPolicy",
"Properties" : {
"name" : "IKEPolicy",
"description" : "My new IKE policy"
}
},
"IPsecPolicy" : {
"Type" : "OS::Quantum::IPsecPolicy",
"Properties" : {
"name" : "IPsecPolicy",
"description" : "My new IPsec policy"
}
},
"VPNConnection" : {
"Type" : "OS::Quantum::VPNConnection",
"Properties" : {
"name" : "VPNConnection",
"description" : "My new VPN connection",
"peer_address" : { "Ref" : "ExternalGatewayIPAddress" },
"peer_id" : { "Ref" : "ExternalGatewayIPAddress" },
"peer_cidrs" : [ "10.2.0.0/24" ],
"psk" : "secret",
"ikepolicy_id" : { "Ref" : "IKEPolicy" },
"ipsecpolicy_id" : { "Ref" : "IPsecPolicy" },
"vpnservice_id" : { "Ref" : "VPNService" }
}
}
},
"Outputs" : {
"router_name" : {
"Value" : { "Fn::GetAtt" : [ "Router", "name" ]},
"Description" : "Router name"
}
}
}
NTTI3
