Difference between revisions of "Heat/Blueprints/VPaaS Support"
< Heat
| (2 intermediate revisions by the same user not shown) | |||
| Line 69: | Line 69: | ||
| ike_version || v1 or v2 version. | | ike_version || v1 or v2 version. | ||
|- | |- | ||
| − | lifetime || | + | | lifetime || |
|- | |- | ||
| units || Lifetime of the SA unit in "seconds" or "kilobytes". | | units || Lifetime of the SA unit in "seconds" or "kilobytes". | ||
| Line 90: | Line 90: | ||
"encryption_algorithm" : "3des", | "encryption_algorithm" : "3des", | ||
"phase1_negotiation_mode" : "main", | "phase1_negotiation_mode" : "main", | ||
| − | " | + | "lifetime" : { |
| − | + | "units" : "seconds", | |
| + | "value" : 3600 | ||
| + | }, | ||
"pfs" : "group5", | "pfs" : "group5", | ||
"ike_version" : "v1" | "ike_version" : "v1" | ||
| Line 119: | Line 121: | ||
| encryption_algorithm || Encryption Algorithms "3des", "aes-128", "aes-256", "aes-192" etc. | | encryption_algorithm || Encryption Algorithms "3des", "aes-128", "aes-256", "aes-192" etc. | ||
|- | |- | ||
| − | | | + | | pfs || Perfect Forward Secrecy (group2, group5, group14). |
|- | |- | ||
| − | | | + | | lifetime || |
| + | |- | ||
| + | | units || Lifetime of the SA unit in "seconds" or "kilobytes". | ||
| + | |- | ||
| + | | value || Lifetime value in seconds or kilobytes. | ||
|- | |- | ||
| − | |||
|} | |} | ||
| Line 141: | Line 146: | ||
"auth_algorithm" : "sha1", | "auth_algorithm" : "sha1", | ||
"encryption_algorithm" : "3des", | "encryption_algorithm" : "3des", | ||
| − | " | + | "lifetime" : { |
| − | + | "units" : "seconds", | |
| + | "value" : 3600 | ||
| + | }, | ||
"pfs" : "group5" | "pfs" : "group5" | ||
} | } | ||
| Line 168: | Line 175: | ||
|- | |- | ||
| mtu || Maximum transmission unit to address fragmentation. | | mtu || Maximum transmission unit to address fragmentation. | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
|- | |- | ||
| psk || Pre-shared-key any string. | | psk || Pre-shared-key any string. | ||
| Line 186: | Line 187: | ||
|- | |- | ||
| vpnservice_id || UUID id of VPN service. | | vpnservice_id || UUID id of VPN service. | ||
| + | |- | ||
| + | | dpd || | ||
| + | |- | ||
| + | | actions || DPD actions controls the use of Dead Peer Detection Protocol. ("clear", "hold", "restart", "disabled", "restart-by-peer"). | ||
| + | |- | ||
| + | | interval || Number of seconds for DPD delay. | ||
| + | |- | ||
| + | | timeout || Number of seconds for DPD timeout. | ||
|} | |} | ||
| Line 203: | Line 212: | ||
"peer_cidrs" : ["10.0.0.0/24"], | "peer_cidrs" : ["10.0.0.0/24"], | ||
"mtu" : 1500, | "mtu" : 1500, | ||
| − | " | + | "dpd" : { |
| − | + | "actions" : "hold", | |
| − | + | "interval" : 30, | |
| + | "timeout" : 120 | ||
| + | }, | ||
"psk" : "secret", | "psk" : "secret", | ||
"initiator" : "bi-directional", | "initiator" : "bi-directional", | ||
| Line 235: | Line 246: | ||
"AWSTemplateFormatVersion" : "2010-09-09", | "AWSTemplateFormatVersion" : "2010-09-09", | ||
| − | "Description" : " | + | "Description" : "", |
"Parameters" : { | "Parameters" : { | ||
| − | + | ||
"ExternalNetworkId" : { | "ExternalNetworkId" : { | ||
"Description" : "External network id", | "Description" : "External network id", | ||
"Type" : "String", | "Type" : "String", | ||
| − | "ConstraintDescription" : "must be a | + | "ConstraintDescription" : "must be a id of existing external network" |
}, | }, | ||
| − | + | ||
"ExternalGatewayIPAddress" : { | "ExternalGatewayIPAddress" : { | ||
"Description" : "External Gateway IP address", | "Description" : "External Gateway IP address", | ||
"Type" : "String", | "Type" : "String", | ||
| − | |||
"ConstraintDescription" : "must be an IP address of external gateway" | "ConstraintDescription" : "must be an IP address of external gateway" | ||
| + | }, | ||
| + | |||
| + | "SubnetCidr" : { | ||
| + | "Description" : "Subnet cidr", | ||
| + | "Type" : "String", | ||
| + | "ConstraintDescription" : "must be a cidr" | ||
| + | }, | ||
| + | |||
| + | "SubnetPoolStart" : { | ||
| + | "Description" : "Start of allocation pool for subnet", | ||
| + | "Type" : "String", | ||
| + | "ConstraintDescription" : "must be a valid IP address" | ||
| + | }, | ||
| + | |||
| + | "SubnetPoolEnd" : { | ||
| + | "Description" : "End of allocation pool for subnet", | ||
| + | "Type" : "String", | ||
| + | "ConstraintDescription" : "must be a valid IP address" | ||
| + | }, | ||
| + | |||
| + | "VPNPeerCidr" : { | ||
| + | "Description" : "Cidr for VPN peer", | ||
| + | "Type" : "String", | ||
| + | "ConstraintDescription" : "must be a valid cidr" | ||
} | } | ||
}, | }, | ||
| − | + | ||
"Resources" : { | "Resources" : { | ||
| Line 269: | Line 303: | ||
"network_id": { "Ref" : "Network" }, | "network_id": { "Ref" : "Network" }, | ||
"ip_version": 4, | "ip_version": 4, | ||
| − | "cidr": " | + | "cidr": { "Ref" : "SubnetCidr" }, |
| + | "dns_nameservers": ["8.8.8.8"], | ||
"allocation_pools": [ { | "allocation_pools": [ { | ||
| − | "start": " | + | "start": { "Ref" : "SubnetPoolStart" }, |
| − | "end": " | + | "end": { "Ref" : "SubnetPoolEnd" } |
} | } | ||
] | ] | ||
| Line 300: | Line 335: | ||
} | } | ||
}, | }, | ||
| − | + | ||
"VPNService" : { | "VPNService" : { | ||
| − | "Type" : "OS:: | + | "Type" : "OS::Neutron::VPNService", |
"Properties" : { | "Properties" : { | ||
"name" : "VPNService", | "name" : "VPNService", | ||
"description" : "My new VPN service", | "description" : "My new VPN service", | ||
| + | "admin_state_up" : true, | ||
"router_id" : { "Ref" : "Router" }, | "router_id" : { "Ref" : "Router" }, | ||
"subnet_id" : { "Ref" : "Subnet" } | "subnet_id" : { "Ref" : "Subnet" } | ||
| Line 311: | Line 347: | ||
}, | }, | ||
| − | + | "IKEPolicy" : { | |
| − | "Type" : "OS:: | + | "Type" : "OS::Neutron::IKEPolicy", |
"Properties" : { | "Properties" : { | ||
"name" : "IKEPolicy", | "name" : "IKEPolicy", | ||
| − | "description" : "My new IKE policy" | + | "description" : "My new IKE policy", |
| + | "auth_algorithm" : "sha1", | ||
| + | "encryption_algorithm" : "3des", | ||
| + | "phase1_negotiation_mode" : "main", | ||
| + | "lifetime" : { | ||
| + | "units" : "seconds", | ||
| + | "value" : 3600 | ||
| + | }, | ||
| + | "pfs" : "group5", | ||
| + | "ike_version" : "v1" | ||
} | } | ||
}, | }, | ||
"IPsecPolicy" : { | "IPsecPolicy" : { | ||
| − | "Type" : "OS:: | + | "Type" : "OS::Neutron::IPsecPolicy", |
"Properties" : { | "Properties" : { | ||
"name" : "IPsecPolicy", | "name" : "IPsecPolicy", | ||
| − | "description" : "My new IPsec policy" | + | "description" : "My new IPsec policy", |
| + | "transform_protocol": "esp", | ||
| + | "encapsulation_mode" : "tunnel", | ||
| + | "auth_algorithm" : "sha1", | ||
| + | "encryption_algorithm" : "3des", | ||
| + | "lifetime" : { | ||
| + | "units" : "seconds", | ||
| + | "value" : 3600 | ||
| + | }, | ||
| + | "pfs" : "group5" | ||
} | } | ||
}, | }, | ||
"IPsecSiteConnection" : { | "IPsecSiteConnection" : { | ||
| − | "Type" : "OS:: | + | "Type" : "OS::Neutron::VPNConnection", |
"Properties" : { | "Properties" : { | ||
| − | "name" : " | + | "name" : "VPNConnection", |
| − | "description" : "My new | + | "description" : "My new VPN connection", |
"peer_address" : { "Ref" : "ExternalGatewayIPAddress" }, | "peer_address" : { "Ref" : "ExternalGatewayIPAddress" }, | ||
"peer_id" : { "Ref" : "ExternalGatewayIPAddress" }, | "peer_id" : { "Ref" : "ExternalGatewayIPAddress" }, | ||
| − | "peer_cidrs" : [ " | + | "peer_cidrs" : [ { "Ref" : "VPNPeerCidr" } ], |
| + | "mtu" : 1500, | ||
| + | "dpd" : { | ||
| + | "actions" : "hold", | ||
| + | "interval" : 30, | ||
| + | "timeout" : 120 | ||
| + | }, | ||
"psk" : "secret", | "psk" : "secret", | ||
| + | "initiator" : "bi-directional", | ||
| + | "admin_state_up" : true, | ||
"ikepolicy_id" : { "Ref" : "IKEPolicy" }, | "ikepolicy_id" : { "Ref" : "IKEPolicy" }, | ||
"ipsecpolicy_id" : { "Ref" : "IPsecPolicy" }, | "ipsecpolicy_id" : { "Ref" : "IPsecPolicy" }, | ||
Latest revision as of 11:03, 13 August 2013
Contents
Summary
The point of this blueprint is to add VPNaaS components to resources supported by Heat.
VPNaaS componets to add:
- VPNService
- IKEPolicy
- IPsecPolicy
- IPsecSiteConnection
Components
VPNServices
| Property | Description |
|---|---|
| name | Name of the VPN Service. |
| description | Description of the VPN Service. |
| admin_state_up | Administrative state of vpnservice. If false (down), port does not forward packets. |
| subnet_id | Subnet id in which the tenant wants the vpn service. |
| router_id | Router id to which the vpn service is inserted. |
Example:
...
"Resources" : {
...
"VPNService" : {
"Type" : "OS::Neutron::VPNService",
"Properties" : {
"name" : "My VPN",
"description" : "My new VPN",
"admin_state_up" : True,
"subnet_Id" : { "Ref" : "Subnet" },
"router_Id" : { "Ref" : "Router" }
}
}
...
},
...
IKEPolicy
| Property | Description |
|---|---|
| name | Friendly name for the IKE policy. |
| description | Description of the IKE policy. |
| auth_algorithm | Authentication Hash algorithms "sha1". |
| encryption_algorithm | Encryption Algorithms "3des", "aes-128", "aes-256", "aes-192" etc. |
| phase1_negotiation_mode | IKE mode "main". |
| pfs | Perfect Forward Secrecy (group2, group5, group14). |
| ike_version | v1 or v2 version. |
| lifetime | |
| units | Lifetime of the SA unit in "seconds" or "kilobytes". |
| value | Lifetime value in seconds or kilobytes. |
Example:
...
"Resources" : {
...
"IKEPolicy" : {
"Type" : "OS::Neutron::IKEPolicy",
"Properties" : {
"name" : "My IKEPolicy",
"description" : "My new IKE policy",
"auth_algorithm" : "sha1",
"encryption_algorithm" : "3des",
"phase1_negotiation_mode" : "main",
"lifetime" : {
"units" : "seconds",
"value" : 3600
},
"pfs" : "group5",
"ike_version" : "v1"
}
}
...
},
...
IPsecPolicy
| Property | Description |
|---|---|
| name | Friendly name for the IPsec policy. |
| description | Description of the IPsec policy. |
| transform_protocol | Transform Protocol used such as "esp" or "ah" or "ah-esp". |
| encapsulation_mode | Encapsulation mode either "tunnel" mode or "transport" mode. |
| auth_algorithm | Authentication Hash algorithms "sha1". |
| encryption_algorithm | Encryption Algorithms "3des", "aes-128", "aes-256", "aes-192" etc. |
| pfs | Perfect Forward Secrecy (group2, group5, group14). |
| lifetime | |
| units | Lifetime of the SA unit in "seconds" or "kilobytes". |
| value | Lifetime value in seconds or kilobytes. |
Example:
...
"Resources" : {
...
"IPsecPolicy" : {
"Type" : "OS::Neutron::IPsecPolicy",
"Properties" : {
"name" : "My IKEPolicy",
"description" : "My new IKE policy",
"transform_protocol": "esp",
"encapsulation_mode" : "tunnel",
"auth_algorithm" : "sha1",
"encryption_algorithm" : "3des",
"lifetime" : {
"units" : "seconds",
"value" : 3600
},
"pfs" : "group5"
}
}
...
},
...
IPsecSiteConnection
| Property | Description |
|---|---|
| name | Friendly Name for the IPsec site connection. |
| description | Description of the IPsec site connection. |
| peer_address | Remote branch router public IPv4 address or IPv6 address or FQDN. |
| peer_id | Remote branch router identity. |
| peer_cidrs | Peer private cidrs. |
| mtu | Maximum transmission unit to address fragmentation. |
| psk | Pre-shared-key any string. |
| initiator | Whether this VPN can only respond to connections or can initiate as well ("bi-directional", "response-only"). |
| admin_state_up | Administrative state of vpn connection. If false (down), VPN connection does not forward packets. |
| ikepolicy_id | UUID id of IKE policy. |
| ipsecpolicy_id | UUID id of IPsec policy. |
| vpnservice_id | UUID id of VPN service. |
| dpd | |
| actions | DPD actions controls the use of Dead Peer Detection Protocol. ("clear", "hold", "restart", "disabled", "restart-by-peer"). |
| interval | Number of seconds for DPD delay. |
| timeout | Number of seconds for DPD timeout. |
Example:
...
"Resources" : {
...
"VPNConnection" : {
"Type" : "OS::Neutron::VPNConnection",
"Properties" : {
"name" : "My VPN connection",
"description" : "My new VPN connection",
"peer_address" : "10.0.0.1",
"peer_id" : "peer",
"peer_cidrs" : ["10.0.0.0/24"],
"mtu" : 1500,
"dpd" : {
"actions" : "hold",
"interval" : 30,
"timeout" : 120
},
"psk" : "secret",
"initiator" : "bi-directional",
"admin_state_up" : True,
"ikepolicy_id" : { "Ref" : "IKEPolicy" },
"ipsecpolicy_Id" : { "Ref" : "IPsecPolicy" },
"vpnservice_id" : { "Ref" : "VPNService" }
}
}
...
},
...
Dependencies & References
- BL: VPN as a Service providing IPsec VPN with Static routing (UNDER REVIEW)
Appendix
VPNaaS.template
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "",
"Parameters" : {
"ExternalNetworkId" : {
"Description" : "External network id",
"Type" : "String",
"ConstraintDescription" : "must be a id of existing external network"
},
"ExternalGatewayIPAddress" : {
"Description" : "External Gateway IP address",
"Type" : "String",
"ConstraintDescription" : "must be an IP address of external gateway"
},
"SubnetCidr" : {
"Description" : "Subnet cidr",
"Type" : "String",
"ConstraintDescription" : "must be a cidr"
},
"SubnetPoolStart" : {
"Description" : "Start of allocation pool for subnet",
"Type" : "String",
"ConstraintDescription" : "must be a valid IP address"
},
"SubnetPoolEnd" : {
"Description" : "End of allocation pool for subnet",
"Type" : "String",
"ConstraintDescription" : "must be a valid IP address"
},
"VPNPeerCidr" : {
"Description" : "Cidr for VPN peer",
"Type" : "String",
"ConstraintDescription" : "must be a valid cidr"
}
},
"Resources" : {
"Network": {
"Type": "OS::Quantum::Net",
"Properties": {
"name": "My Network"
}
},
"Subnet": {
"Type": "OS::Quantum::Subnet",
"Properties": {
"name": "My Subnet",
"network_id": { "Ref" : "Network" },
"ip_version": 4,
"cidr": { "Ref" : "SubnetCidr" },
"dns_nameservers": ["8.8.8.8"],
"allocation_pools": [ {
"start": { "Ref" : "SubnetPoolStart" },
"end": { "Ref" : "SubnetPoolEnd" }
}
]
}
},
"Router": {
"Type": "OS::Quantum::Router",
"Properties": {
"name": "My Router"
}
},
"RouterInterface": {
"Type": "OS::Quantum::RouterInterface",
"Properties": {
"router_id": { "Ref" : "Router" },
"subnet_id": { "Ref" : "Subnet" }
}
},
"RouterGateway": {
"Type": "OS::Quantum::RouterGateway",
"Properties": {
"router_id": { "Ref" : "Router" },
"network_id": { "Ref" : "ExternalNetworkId" }
}
},
"VPNService" : {
"Type" : "OS::Neutron::VPNService",
"Properties" : {
"name" : "VPNService",
"description" : "My new VPN service",
"admin_state_up" : true,
"router_id" : { "Ref" : "Router" },
"subnet_id" : { "Ref" : "Subnet" }
}
},
"IKEPolicy" : {
"Type" : "OS::Neutron::IKEPolicy",
"Properties" : {
"name" : "IKEPolicy",
"description" : "My new IKE policy",
"auth_algorithm" : "sha1",
"encryption_algorithm" : "3des",
"phase1_negotiation_mode" : "main",
"lifetime" : {
"units" : "seconds",
"value" : 3600
},
"pfs" : "group5",
"ike_version" : "v1"
}
},
"IPsecPolicy" : {
"Type" : "OS::Neutron::IPsecPolicy",
"Properties" : {
"name" : "IPsecPolicy",
"description" : "My new IPsec policy",
"transform_protocol": "esp",
"encapsulation_mode" : "tunnel",
"auth_algorithm" : "sha1",
"encryption_algorithm" : "3des",
"lifetime" : {
"units" : "seconds",
"value" : 3600
},
"pfs" : "group5"
}
},
"IPsecSiteConnection" : {
"Type" : "OS::Neutron::VPNConnection",
"Properties" : {
"name" : "VPNConnection",
"description" : "My new VPN connection",
"peer_address" : { "Ref" : "ExternalGatewayIPAddress" },
"peer_id" : { "Ref" : "ExternalGatewayIPAddress" },
"peer_cidrs" : [ { "Ref" : "VPNPeerCidr" } ],
"mtu" : 1500,
"dpd" : {
"actions" : "hold",
"interval" : 30,
"timeout" : 120
},
"psk" : "secret",
"initiator" : "bi-directional",
"admin_state_up" : true,
"ikepolicy_id" : { "Ref" : "IKEPolicy" },
"ipsecpolicy_id" : { "Ref" : "IPsecPolicy" },
"vpnservice_id" : { "Ref" : "VPNService" }
}
}
}
}
NTTI3
