
Difference between revisions of "Neutron/VPNaaS"

(updated link for API reference)
 
(70 intermediate revisions by 5 users not shown)
Line 1: Line 1:
 +
{{warning|REASON=The api document is now in official api document. Please see http://developer.openstack.org/api-ref-networking-v2-ext.html#vpnaas-v2.0}}
 +
 +
This wiki page is for development discussion
 +
 
= Overview =
 
= Overview =
VPNaaS (VPN-as-a-Service) is a Quantum extension that introduces VPN feature set.
+
VPNaaS (VPN-as-a-Service) is a Neutron extension that introduces VPN feature set.
  
 
The following is the proposed plan for design and implementation of the VPN as a Service feature in OpenStack Networking for the Havana release. While our long term goal for VPNaaS is to make it very feature rich and to support multiple tunneling,security protocols that supports both static and dynamic routing, but for the short term we would want to deliver a basic experimental reference implementation based on opensource for IPsec based VPNs using just static routing that will allow us to evaluate the API, resource model and usability of this feature. This will allow us to gather feedback, and make enhancements if required.
 
The following is the proposed plan for design and implementation of the VPN as a Service feature in OpenStack Networking for the Havana release. While our long term goal for VPNaaS is to make it very feature rich and to support multiple tunneling,security protocols that supports both static and dynamic routing, but for the short term we would want to deliver a basic experimental reference implementation based on opensource for IPsec based VPNs using just static routing that will allow us to evaluate the API, resource model and usability of this feature. This will allow us to gather feedback, and make enhancements if required.
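Review bot: The warning template added at the top of this hunk links the authoritative API reference over plain `http://`; since the template exists to redirect readers away from this page, link it over `https://` so the reference cannot be altered in transit. The Quantum-to-Neutron rename is also incomplete in the same hunk: the new sentence reads "a Neutron extension that introduces VPN feature set" (it needs "the VPN feature set"), and the unchanged paragraph below it still has "opensource for IPsec based VPNs" and "tunneling,security protocols that supports", which should be "open-source IPsec-based VPNs" and "tunneling and security protocols that support".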
Line 8: Line 12:
 
Again for simplicity we will be just implementing IKE with “PSK” authentication mode rather than using certificates. In future we can extend to support certificate based authentication.
 
Again for simplicity we will be just implementing IKE with “PSK” authentication mode rather than using certificates. In future we can extend to support certificate based authentication.
  
 +
== DataModel ==
 +
 +
===VPNServices Resource===
 +
 +
{| class="wikitable"
 +
|-
 +
! Attribute !! Type !! Required !! CRUD !! DefaultValue !! Validation Constraint !! Notes
 +
|-
 +
| id || uuid-str || N/A || R || generated || N/A || UUID for VPNService Object
 +
|-
 +
| tenant_id || uuid-str || Yes || CR || None || valid tenant_id || UUID of the tenant for the vpn service
 +
|-
 +
| name||string||no||CRU||None||N/A||name of the VPN Service
 +
|-
 +
| description||string||no||CRU||None||N/A||Description of the VPN Service
 +
|-
 +
| status||string||N/A||R||N/A||N/A||Indicates whether ipsec vpnservice is currently operational. Possible values include:
 +
ACTIVE
 +
DOWN
 +
BUILD
 +
ERROR
 +
|-
 +
| admin_state_up||bool||N/A||CRU||TRUE||true/false||Administrative state of vpnservice. If false (down), port does not forward packets
 +
|-
 +
|subnet_id||uuid||yes*( subnet_id is needed)||CR||N/A||Valid subnet id||Subnet id in which the tenant wants the vpn service
 +
|-
 +
|router_id||uuid||yes||CR||N/A||Valid router id||Router id to which the vpn service is inserted
 +
|}
 +
 +
===IKEPolicies Resource===
 +
 +
 +
{| class="wikitable"
 +
|-
 +
! Attribute !! Type !! Required !! CRUD !! DefaultValue !! Validation Constraint !! Notes
 +
|-
 +
| id||uuid-str||N/A||R||generated||N/A||UUID for  the  IKEPolicy
 +
|-
 +
| tenant_id||uuid-str||Yes||CR||None||valid tenant_id||UUID for owner of the vpn service
 +
|-
 +
| name||string||yes||CRU||None||N/A||friendly name for the ikepolicy
 +
|-
 +
| description||string||no||CRU||None||N/A||Description of the ikepolicy
 +
|-
 +
| auth_algorithm||string||no||CRU||sha1||N/A||Authentication Hash algorithms“sha1”.
 +
|-
 +
| encryption_algorithm||string||no||CRU||aes-128||N/A||Encryption Algorithms 3des, aes-128, aes-256, aes-192 etc.,
 +
|-
 +
| phase1_negotiation_mode||string||no||CRU||Main Mode||N/A||IKE mode  Main mode
 +
|-
 +
|pfs||string||no||CRU||Group5||N/A||Perfect Forward Secrecy  ( Group2, Group5, Group14)
 +
|-
 +
|ike_version||string||no||CRU||v1||N/A||v1 or v2 version
 +
|-
 +
|lifetime
 +
|-
 +
|units||string||no||CRU||seconds||"seconds"||Lifetime of the  SA unit in ‘seconds’
 +
|-
 +
|value||integer||no||CRU||3600 for seconds||Integer||Lifetime value in  seconds (value >= 60)
 +
|-
 +
|}
  
== Current Proposed API for VPNaaS "[[Quantum/VPNaaS/API]]"==
+
===IPsecPolicies Resource===
This section describes commands that will be introduced into python-quantumclient in order to support VPNaaS advanced service.  
+
 
 +
 
 +
{| class="wikitable"
 +
|-
 +
! Attribute !! Type !! Required !! CRUD !! DefaultValue !! Validation Constraint !! Notes
 +
|-
 +
| id||uuid-str||N/A||R||generated||N/A||UUID for  the  IPsecPolicy
 +
|-
 +
| tenant_id||uuid-str||Yes||CR||None||valid tenant_id||UUID for owner of the vpn service
 +
|-
 +
| name||string||yes||CRU||None||N/A||friendly name for the IPsecPolicy
 +
|-
 +
| description||string||no||CRU||None||N/A||Description of  the policy
 +
|-
 +
| transform_protocol||string||no||CRU||ESP||N/A||Tranform  Protocol used such as ESP or AH or AH-ESP
 +
|-
 +
| encapsulation_mode||string||no||CRU||tunnel||N/A||Encapsulation mode either Tunnel mode or transport mode
 +
|-
 +
| auth_algorithm||string||no||CRU||sha1||N/A||Authentication algorithm sha1
 +
|-
 +
|encryption_algorithm||string||no||CRU||aes-128||N/A||Encryption Algorithms 3des, aes-128, aes-256, aes-192
 +
|-
 +
|pfs||string||no||CRU||group5||N/A||Perfect Forward Secrecy  ( group2, group5, group14)
 +
|-
 +
|lifetime
 +
|-
 +
|units||string||no||CRU||seconds||"seconds||Lifetime of the  SA unit in ‘seconds’
 +
|-
 +
|value||integer||no||CRU||3600 for seconds||Integer||Lifetime value in  seconds (value >= 60)
 +
|-
 +
|}
 +
 
 +
===ipsec-site-connection Resource ===
 +
 
 +
 
 +
{| class="wikitable"
 +
|-
 +
! Attribute !! Type !! Required !! CRUD !! DefaultValue !! Validation Constraint !! Notes
 +
|-
 +
| id||uuid-str||N/A||R||generated||N/A||UUID for  the vpns connection
 +
|-
 +
| tenant_id||uuid-str||Yes||CR||None||valid tenant_id||UUID for owner of the  vpn service
 +
|-
 +
| name||string||no||CRU||None||N/A||name for ipsec-site-connection
 +
|-
 +
| description||string||no||CRU||None||N/A||Description of the ipsec-site-connection
 +
|-
 +
| peer_address||ipaddress(v4 or v6)||yes||CRU||N/A||valid ip address (v4 or v6)||peer vpn gateway public address or FQDN
 +
|-
 +
| peer_id||string||yes||CRU||N/A||N/A||Peer identifier ( Can be name, string or FQDN )
 +
|-
 +
| peer_cidrs||list[string]||yes||CRU||N/A||list of valid cidr in the form <network_address>/<prefix>||Peer private cidrs
 +
|-
 +
| route_mode||string||no||R||static||static||Static
 +
|-
 +
| mtu||integer||no||CRU||1500||Integer||mtu - maximum transmission unit to address fragmentation ( value>=68 )
 +
|-
 +
| auth_mode||string||no||R||psk||psk/certs||Authentication mode, either PSK or certificate
 +
|-
 +
| psk||string||yes||CRU||N/A||NO||Pre-shared-key any string.
 +
|-
 +
| initiator||string||no||CRU||bi-directional||"bi-directional / response-only"||Whether this VPN can only respond to connections or can initiate as well
 +
|-
 +
| admin_state_up||bool||N/A||CRU||TRUE||"true / false"||Administrative state of vpn connection. If false (down), vpn concd nection does not forward packets
 +
|-
 +
| status||string||N/A||R||N/A||N/A||Indicates whether vpn connection is currently operational. Possible values include:ACTIVE,DOWN,BUILD,ERROR
 +
|-
 +
| ikepolicy_id||uuid||yes||CR||N/A||uuid of ikepolicy||uuid id of ikepolicy
 +
|-
 +
| ipsecpolicy_id||uuid||yes||CR||N/A||uuid of ipsecpolicy||uuid id of ipsecpolicy
 +
|-
 +
| vpnservice_id||uuid||yes||CR||N/A||uuid of vpnservice||service id of vpnservice
 +
|-
 +
|dpd
 +
|-
 +
| action||string||no||CRU||hold||"hold / clear / disabled /restart /restart_by_peer"||DPD actions controls the use of Dead Peer Detection Protocol. ( clear, hold, restart, disabled, restart-by-peer)
 +
|-
 +
| interval||integer||no||CRU||30||> 0||sec for DPD delay
 +
|-
 +
| timeout||integer||no||CRU||120||> 0 & > dpd_interval||sec for DPD timeout
 +
|-
 +
|}
 +
 
 +
== Current Proposed API for VPNaaS "[[Neutron/VPNaaS/API]]"==
 +
This section describes commands that will be introduced into python-neutronclient in order to support VPNaaS advanced service.  
 
<pre><nowiki>
 
<pre><nowiki>
  
vpn-vpnservice-create      Create a VPNService   
+
vpn-service-create      Create a VPNService   
vpn-vpnservice-delete      Delete a given VPNService
+
vpn-service-delete      Delete a given VPNService
vpn-vpnservice-list        List all VPNService for a given tenant.
+
vpn-service-list        List all VPNService for a given tenant.
vpn-vpnservice-show        Show detailed information of a given VPNService.
+
vpn-service-show        Show detailed information of a given VPNService.
vpn-vpnservice-update      Update a given VPNservice.
+
vpn-service-update      Update a given VPNservice.
 
   
 
   
 
vpn-ikepolicy-create      Create an IKEPolicy
 
vpn-ikepolicy-create      Create an IKEPolicy
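Review bot: The `psk` row of the ipsec-site-connection table has Validation Constraint `NO` and Notes `Pre-shared-key any string.`; since this design authenticates IKE with PSK only (as stated above), the pre-shared key is the sole authenticator of the tunnel, so the constraint column should at least require a non-empty value and the table should say whether `psk` is returned by show/list responses or is write-only. Other inconsistencies in the new tables: `peer_address` is typed `ipaddress(v4 or v6)` with validation `valid ip address` but its Notes allow an FQDN; `auth_mode` is validated as `psk/certs` although only PSK is implemented; the VPNService `status` values (ACTIVE, DOWN, BUILD, ERROR) omit the PENDING_CREATE/PENDING_UPDATE/PENDING_DELETE states that the update notes and the JSON response later on this page rely on; in the IPsecPolicies table the `units` row's constraint `"seconds` is missing its closing quote; the `lifetime` and `dpd` rows are empty parent rows whose children (`units`/`value`, `action`/`interval`/`timeout`) are laid out as sibling attributes, so mark them as nested (for example `lifetime.units`); and the `admin_state_up` note has the typo `vpn concd nection`. Since the `encryption_algorithm` default is aes-128, consider stating in the Notes that `3des` is listed for interoperability only.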
Line 27: Line 176:
 
vpn-ipsecpolicy-create    Create an IPsec policy
 
vpn-ipsecpolicy-create    Create an IPsec policy
 
vpn-ipsecpolicy-delete    Delete a given IPsec Policy
 
vpn-ipsecpolicy-delete    Delete a given IPsec Policy
vpn-ipsecpolicy-list      List IPsec Policy that belong to a given tenant    connection.
+
vpn-ipsecpolicy-list      List IPsecPolicies that belong to a given tenant    connection.
 
vpn-ipsecpolicy-show      Show detailed information of a given IPsec Policy
 
vpn-ipsecpolicy-show      Show detailed information of a given IPsec Policy
 
vpn-ipsecpolicy-update    Update a given IPsec Policy.
 
vpn-ipsecpolicy-update    Update a given IPsec Policy.
 
   
 
   
vpn-vpnserviceconnection-create  Create a VPNServiceConnection
+
ipsec-site-connection-create  Create a ipsec-site-connection
vpn-vpnserviceconnection-delete  Delete a given VPNServiceConnection.
+
ipsec-site-connection-delete  Delete a given ipsec-site-connection.
vpn-vpnserviceconnection-list    List VPNServiceConnections that belong to a given tenant.
+
ipsec-site-connection-list    List ipsec-site-connections that belong to a given tenant.
vpn-vpnserviceconnection-show    Show information of a given VPNServiceConnection.
+
ipsec-site-connection-show    Show information of a given ipsec-site-connection.
vpn-vpnserviceconnection-update  Update a given VPNServiceConnection.
+
ipsec-site-connection-update  Update a given ipsec-site-connection.
  
  
 
</nowiki></pre>
 
</nowiki></pre>
 +
 
= Command Specification =
 
= Command Specification =
  
== vpn-vpnservice-create ==
+
== vpn-service-create ==
  
 
Create a new vpnservice
 
Create a new vpnservice
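Review bot: The reworded `vpn-ipsecpolicy-list` help line still carries the stray trailing word from the old line (`List IPsecPolicies that belong to a given tenant    connection.`); drop `connection.` so it reads like the other list commands.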
Line 47: Line 197:
 
<pre><nowiki>
 
<pre><nowiki>
  
quantum vpn-vpnservice-create [-h] [-f {shell,table}] [-c COLUMN]
+
neutron vpn-service-create [-h] [-f {shell,table}] [-c COLUMN]
 
                                     [--variable VARIABLE] [--prefix PREFIX]
 
                                     [--variable VARIABLE] [--prefix PREFIX]
 
                                     [--request-format {json,xml}]
 
                                     [--request-format {json,xml}]
 
                                     [--tenant-id TENANT_ID]
 
                                     [--tenant-id TENANT_ID]
 
                                     [--admin-state-down] [--name NAME]
 
                                     [--admin-state-down] [--name NAME]
                                     [--description DESCRIPTION] --vpn_type
+
                                     [--description DESCRIPTION]  
                                VPN_TYPE [--router_id ROUTER_ID]
+
                                    ROUTER
                                     --subnet_id SUBNET_ID [--port_id PORT_ID]
+
                                     SUBNET
  
 
</nowiki></pre>
 
</nowiki></pre>
  
* '''vpn_type''': One of predefined vpn service types, for the first release only "ipsec" supported.
+
 
 
* '''tenant-id''': ID of the Tenant that owns the VPN Service.
 
* '''tenant-id''': ID of the Tenant that owns the VPN Service.
* '''subnet-id''': ID of the Subnet to which the VPN will provide service.
+
* '''router''': Unique identifier of the Router (either 'name' or 'id'to which the VPN will be attached to.
* '''router-id''': ID of the router to which the VPN will be attached to.
+
* '''subnet''': Unique identifier of the Subnet (either 'name' or 'id') to which the VPN will provide service. (*)
* '''port-id''': ID of the port to which the VPN address will be associated with.
 
  
 
+
== vpn-service-delete ==
== vpn-vpnservice-delete ==
 
 
Delete a given vpnservice object.
 
Delete a given vpnservice object.
  
 
<pre><nowiki>
 
<pre><nowiki>
quantum vpn-vpnservice-delete [-h] [--request-format {json,xml}] VPNSERVICE
+
neutron vpn-service-delete [-h] [--request-format {json,xml}] VPNSERVICE
 
</nowiki></pre>
 
</nowiki></pre>
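Review bot: The `vpn-service-create` synopsis drops `--vpn_type` and `--port_id` and makes ROUTER and SUBNET positional, but the bullet list was only partly updated: the `port-id` bullet still describes an option the synopsis no longer has, the `router` bullet is missing the closing parenthesis after `'id'` and doubles the preposition ("to which ... attached to"), and the `subnet` bullet ends in `(*)` with no footnote explaining it. Both positionals now accept either a name or an id; the bullet should say what happens when a name matches more than one router or subnet, since the VPN service is inserted into whichever one is resolved.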
  
Line 75: Line 223:
  
  
== vpn-vpnservice-list ==
+
== vpn-service-list ==
 
Show list of VPN Service objects available to tenant.
 
Show list of VPN Service objects available to tenant.
  
 
<pre><nowiki>
 
<pre><nowiki>
quantum vpn-vpnservice-list
+
neutron vpn-service-list
 
</nowiki></pre>
 
</nowiki></pre>
  
== vpn-vpnservice-show ==
+
== vpn-service-show ==
 
Shows information about a given VPN Service object.
 
Shows information about a given VPN Service object.
  
 
<pre><nowiki>
 
<pre><nowiki>
quantum vpn-vpnservice-show [-h] [-f {shell,table}] [-c COLUMN]
+
neutron vpn-service-show [-h] [-f {shell,table}] [-c COLUMN]
 
                                   [--variable VARIABLE] [--prefix PREFIX]
 
                                   [--variable VARIABLE] [--prefix PREFIX]
 
                                   [--request-format {json,xml}] [-D]
 
                                   [--request-format {json,xml}] [-D]
Line 94: Line 242:
  
  
== vpn-vpnservice-update ==
+
== vpn-service-update ==
 
Update information of a given VPN Service Object.
 
Update information of a given VPN Service Object.
  
 
<pre><nowiki>
 
<pre><nowiki>
quantum vpn-vpnservice-update [-h] [--request-format {json,xml}] VPNSERVICE
+
neutron vpn-service-update [-h] [--request-format {json,xml}] VPNSERVICE
 
</nowiki></pre>
 
</nowiki></pre>
  
 +
Note: Only can change when status is not PENDING_CREATE, PENDING_UPDATE, or PENDING_DELETE.
  
 
== vpn-ikepolicy-create ==
 
== vpn-ikepolicy-create ==
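Review bot: The added note `Only can change when status is not PENDING_CREATE, PENDING_UPDATE, or PENDING_DELETE.` should read "Can only be changed when status is not ...", and the PENDING_* states it depends on are not among the status values listed for the VPNService resource in the data model table (ACTIVE, DOWN, BUILD, ERROR); add them there so the documented state machine and the update guard agree.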
Line 108: Line 257:
 
<pre><nowiki>
 
<pre><nowiki>
  
quantum vpn-ikepolicy-create [-h] [-f {shell,table}] [-c COLUMN]
+
neutron vpn-ikepolicy-create [-h] [-f {shell,table}] [-c COLUMN]
 
               [--variable VARIABLE] [--prefix PREFIX]
 
               [--variable VARIABLE] [--prefix PREFIX]
 
               [--request-format {json,xml}]
 
               [--request-format {json,xml}]
               [--tenant-id TENANT_ID] --name NAME
+
               [--tenant-id TENANT_ID]  
 
               [--description DESCRIPTION]
 
               [--description DESCRIPTION]
               [--auth_algorithm AUTH_ALGORITHM]
+
               [--auth-algorithm AUTH-ALGORITHM]
               [--encryption_algorithm ENCRYPTION_ALGORITHM]
+
               [--encryption-algorithm ENCRYPTION-ALGORITHM]
               [--phase1_negotiation_mode PHASE1_NEGOTIATION_MODE]
+
               [--phase1-negotiation-mode PHASE1-NEGOTIATION-MODE]
               [--lifetime_units LIFETIME_UNITS]
+
               [--ike-version IKE-VERSION]
              [--lifetime_value LIFETIME_VALUE]
 
 
               [--pfs PFS]
 
               [--pfs PFS]
 +
              [--lifetime unit=UNITS,value=VALUE]
 +
              NAME
  
 
</nowiki></pre>
 
</nowiki></pre>
  
* '''name''': Friendly name of the IKEPolicy used in IPsec VPN Service Connections
+
* '''NAME''': Friendly name of the IKEPolicy used in IPsec VPN Service Connections
 
* '''description''': Friendly description of the IKEPolicy used in IPsec VPN Service Connections
 
* '''description''': Friendly description of the IKEPolicy used in IPsec VPN Service Connections
 
* '''tenant-id''': ID of the Tenant that owns the VPN Service.
 
* '''tenant-id''': ID of the Tenant that owns the VPN Service.
* '''auth_algorithm''': Authentication algorithm used in the IKEPolicy.
+
* '''auth-algorithm''': Authentication algorithm used in the IKEPolicy.
* '''encryption_algorithm''': Encryption algorithm used in the IKEPolicy.
+
* '''encryption-algorithm''': Encryption algorithm used in the IKEPolicy.
* '''phase1_negotiation_mode''': Phase1 negotiation mode for IKE either 'Main' or 'Aggressive'.
+
* '''phase1-negotiation-mode''': Phase1 negotiation mode for IKE either 'Main' or 'Aggressive'.
* '''lifetime_units''': Specify the unit of measurement for the lifetime either 'seconds' or 'kilobytes'.
+
* '''lifetime''': String with  lifetime specific parameters example: --lifetime "units=seconds,value=3600"
* '''lifetime_value''': Specify the lifetime value based on the unit selected.
+
* '''units''':  Units for lifetime ('seconds' or 'kilobytes')
 
+
* '''value'''. Value for lifetime (non-negative integer).
 +
* '''ike-version''': Specify the ike_version.
 +
* '''pfs''': Specify the Perfect Forward Secrecy.
  
 
== vpn-ikepolicy-delete ==
 
== vpn-ikepolicy-delete ==
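Review bot: The `--lifetime` option is spelled differently in the synopsis and the bullets: the synopsis shows `[--lifetime unit=UNITS,value=VALUE]` while the bullet's example is `--lifetime "units=seconds,value=3600"`; pick one key name (`units` matches the IKEPolicies table). The bullets also say units may be 'seconds' or 'kilobytes' and value is any non-negative integer, whereas the table constrains units to "seconds" and value to >= 60; the CLI text should carry the same lower bound so that a zero or tiny rekey lifetime is rejected at the same place as in the API. Minor: `* '''value'''.` uses a period where the other bullets use a colon.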
Line 136: Line 288:
  
 
<pre><nowiki>
 
<pre><nowiki>
quantum vpn-ikepolicy-delete [-h] [--request-format {json,xml}]
+
neutron vpn-ikepolicy-delete [-h] [--request-format {json,xml}]
 
                                     IKEPOLICY
 
                                     IKEPOLICY
 
</nowiki></pre>
 
</nowiki></pre>
Line 147: Line 299:
  
 
<pre><nowiki>
 
<pre><nowiki>
quantum vpn-ikepolicy-list
+
neutron vpn-ikepolicy-list
 
</nowiki></pre>
 
</nowiki></pre>
  
Line 154: Line 306:
  
 
<pre><nowiki>
 
<pre><nowiki>
quantum vpn-ikepolicy-show [-h] [-f {shell,table}] [-c COLUMN]
+
neutron vpn-ikepolicy-show [-h] [-f {shell,table}] [-c COLUMN]
 
                                   [--variable VARIABLE] [--prefix PREFIX]
 
                                   [--variable VARIABLE] [--prefix PREFIX]
 
                                   [--request-format {json,xml}] [-D]
 
                                   [--request-format {json,xml}] [-D]
Line 167: Line 319:
  
 
<pre><nowiki>
 
<pre><nowiki>
quantum vpn-ikepolicy-delete [-h] [--request-format {json,xml}]
+
neutron vpn-ikepolicy-delete [-h] [--request-format {json,xml}]
 
                                     IKEPOLICY
 
                                     IKEPOLICY
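Review bot: This synopsis block, the one following the `vpn-ikepolicy-show` block, repeats the `neutron vpn-ikepolicy-delete ...` command line that already appears under the delete heading; given the section order used for vpn-service (create, delete, list, show, update) this should be the `vpn-ikepolicy-update` synopsis with the IKEPOLICY positional and the updatable options.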
  
Line 180: Line 332:
 
<pre><nowiki>
 
<pre><nowiki>
  
quantum vpn-ipsecpolicy-create [-h] [-f {shell,table}] [-c COLUMN]
+
neutron vpn-ipsecpolicy-create [-h] [-f {shell,table}] [-c COLUMN]
 
                 [--variable VARIABLE] [--prefix PREFIX]
 
                 [--variable VARIABLE] [--prefix PREFIX]
 
                 [--request-format {json,xml}]
 
                 [--request-format {json,xml}]
                 [--tenant-id TENANT_ID] --name NAME
+
                 [--tenant-id TENANT_ID]
 
               [--description DESCRIPTION]
 
               [--description DESCRIPTION]
                 --transform_protocol TRANSFORM_PROTOCOL
+
                 --transform-protocol TRANSFORM-PROTOCOL
                 [--auth_algorithm AUTH_ALGORITHM]
+
                 [--auth-algorithm AUTH-ALGORITHM]
                 [--encryption_algorithm ENCRYPTION_ALGORITHM]
+
                 [--encryption-algorithm ENCRYPTION-ALGORITHM]
                 [--encapsulation_mode ENCAPSULATION_MODE]
+
                 [--encapsulation-mode ENCAPSULATION-MODE]
                 [--lifetime_units LIFETIME_UNITS]
+
                 [--pfs PFS]
                 [--lifetime_value LIFETIME_VALUE]
+
                 [--lifetime units=UNITS,value=VALUE]
          [--pfs PFS]
+
                NAME
  
 
</nowiki></pre>
 
</nowiki></pre>
  
* '''name''': Friendly name of the IPsecPolicy used in IPsec VPN Service Connections
+
* '''NAME''': Friendly name of the IPsecPolicy used in IPsec VPN Service Connections
 
* '''description''': Friendly description of the IPsecPolicy used in IPsec VPN Service Connections
 
* '''description''': Friendly description of the IPsecPolicy used in IPsec VPN Service Connections
 
* '''tenant-id''': ID of the Tenant that owns the VPN Service.
 
* '''tenant-id''': ID of the Tenant that owns the VPN Service.
* '''auth_algorithm''': Authentication algorithm used in the IPsecPolicy.
+
* '''auth-algorithm''': Authentication algorithm used in the IPsecPolicy.
* '''encryption_algorithm''': Encryption algorithm used in the IPsecPolicy.
+
* '''encryption-algorithm''': Encryption algorithm used in the IPsecPolicy.
* '''encapsulation_mode''': Encapsulation mode for IPsec tunnel either 'tunnel' or 'transport'.
+
* '''encapsulation-mode''': Encapsulation mode for IPsec tunnel either 'tunnel' or 'transport'.
* '''transfrom_protocol''': IPsec Transform Protocol either 'ESP' or 'AH'.
+
* '''transfrom-protocol''': IPsec Transform Protocol either 'ESP' or 'AH'.
* '''lifetime_units''': Specify the unit of measurement for the lifetime either 'seconds' or 'kilobytes'.
+
* '''lifetime''': String with  lifetime specific parameters example: --lifetime "units=seconds,value=3600"
* '''lifetime_value''': Specify the lifetime value based on the unit selected.
+
* '''units''':  Units for lifetime ('seconds' or 'kilobytes')
 +
* '''value'''. Value for lifetime (non-negative integer).
 +
* '''pfs''': Specify the Perfect Forward Secrecy.
  
 
== vpn-ipsecpolicy-delete ==
 
== vpn-ipsecpolicy-delete ==
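Review bot: The rename kept the typo in the bullet `'''transfrom-protocol'''` (it should be `transform-protocol`, matching the synopsis), and that bullet lists only 'ESP' or 'AH' while the IPsecPolicies table also allows AH-ESP. The synopsis shows `--transform-protocol` without brackets, i.e. required, while the table marks it optional with default ESP. The lifetime bullets say 'seconds' or 'kilobytes' and any non-negative integer, where the table constrains units to "seconds" and value to >= 60. Minor: `* '''value'''.` uses a period instead of a colon.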
Line 209: Line 363:
  
 
<pre><nowiki>
 
<pre><nowiki>
quantum vpn-ipsecpolicy-delete [-h] [--request-format {json,xml}]
+
neutron vpn-ipsecpolicy-delete [-h] [--request-format {json,xml}]
 
                                     IPSECPOLICY
 
                                     IPSECPOLICY
 
</nowiki></pre>
 
</nowiki></pre>
Line 220: Line 374:
  
 
<pre><nowiki>
 
<pre><nowiki>
quantum vpn-ipsecpolicy-list
+
neutron vpn-ipsecpolicy-list
 
</nowiki></pre>
 
</nowiki></pre>
  
Line 227: Line 381:
  
 
<pre><nowiki>
 
<pre><nowiki>
quantum vpn-ipsecpolicy-show [-h] [-f {shell,table}] [-c COLUMN]
+
neutron vpn-ipsecpolicy-show [-h] [-f {shell,table}] [-c COLUMN]
 
                                   [--variable VARIABLE] [--prefix PREFIX]
 
                                   [--variable VARIABLE] [--prefix PREFIX]
 
                                   [--request-format {json,xml}] [-D]
 
                                   [--request-format {json,xml}] [-D]
Line 240: Line 394:
  
 
<pre><nowiki>
 
<pre><nowiki>
quantum vpn-ipsecpolicy-delete [-h] [--request-format {json,xml}]
+
neutron vpn-ipsecpolicy-delete [-h] [--request-format {json,xml}]
 
                                     IPSECPOLICY
 
                                     IPSECPOLICY
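Review bot: As in the IKE policy section, the synopsis block after `vpn-ipsecpolicy-show` repeats `neutron vpn-ipsecpolicy-delete ...`; the section order (create, delete, list, show, update) indicates this should document `vpn-ipsecpolicy-update` with the IPSECPOLICY positional.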
  
Line 246: Line 400:
  
  
== vpn-vpnserviceconnection-create ==
+
== ipsec-site-connection-create ==
  
Create a new vpnserviceconnection object
+
Create a new ipsec-site-connection object
  
 
<pre><nowiki>
 
<pre><nowiki>
  
quantum vpn-vpnserviceconnection-create [-h] [-f {shell,table}]
+
neutron ipsec-site-connection-create [-h] [-f {shell,table}]
 
                               [-c COLUMN]
 
                               [-c COLUMN]
 
                               [--variable VARIABLE]
 
                               [--variable VARIABLE]
Line 260: Line 414:
 
                                 [--admin-state-down] --name NAME
 
                                 [--admin-state-down] --name NAME
 
                                 [--description DESCRIPTION]
 
                                 [--description DESCRIPTION]
                                 --peer_address PEER_ADDRESS
+
                                 --peer-address PEER-ADDRESS
                                --peer_id PEER_ID --peer_cidrs
+
                                --peer-id PEER-ID --peer_cidr
                                PEER_CIDRS --local_cidrs
+
                                 PEER-CIDRS
                                LOCAL_CIDRS [--mtu MTU]
+
                                 [--mtu MTU]
                                [--dpd_action DPD_ACTION]
+
                                 [--psk PSK]
                                 [--dpd_interval DPD_INTERVAL]
 
                                 [--dpd_timeout DPD_TIMEOUT]
 
                                 [--route_mode ROUTE_MODE]
 
                            [--auth_mode AUTH_MODE] [--psk PSK]
 
 
                                 [--initiator INITIATOR]
 
                                 [--initiator INITIATOR]
                                 vpnservice ikepolicy ipsecpolicy
+
                                [--dpd DPD]
 +
                                 --vpnservice-id VPNSERVICE
 +
                                --ikepolicy-id IKEPOLICY
 +
                                --ipsecpolicy-id IPSECPOLICY
  
 
</nowiki></pre>
 
</nowiki></pre>
  
* '''peer_address''': Remote Peer IP Address for the VPN Connection.
+
* '''peer-address''': Remote Peer IP Address for the VPN Connection.
 
* '''tenant-id''': ID of the Tenant that owns the VPN Service.
 
* '''tenant-id''': ID of the Tenant that owns the VPN Service.
* '''peer_id''': Peer identifier string.
+
* '''peer-id''': Peer identifier string.
* '''peer_cidrs''': Remote Peer Subnet with mask in CIDR format.
+
* '''peer_cidr''': Remote Peer Subnet with mask in CIDR format.
* '''local-cidrs''': Local Subnet with mask in CIDR format.
 
 
* '''mtu''': MTU for fragmentation
 
* '''mtu''': MTU for fragmentation
* '''dpd_action''': Dead peer detection action.
+
* '''dpd''': String with the dpd attributes. Example: --dpd "action=hold,interval=30,timeout=120"
* '''dpd_interval''': Dead peer detection interval.
+
* '''action''': Dead peer detection actions (action=hold, restart etc.,).
* '''dpd_timeout''': Dead peer detection timeout.
+
* '''interval''': Dead peer detection interval.(interval=30)
* '''route_mode''': Routing mode either 'static' or 'dynamic' - for first release only 'static supported.
+
* '''timeout''': Dead peer detection timeout.(timeout=120)
* '''auth_mode''': Authentication mode either 'PSK' or 'CERTS'
+
* '''route-mode''': Routing mode either 'static' or 'dynamic' - for first release only 'static supported.
 +
* '''auth-mode''': Authentication mode either 'PSK' or 'CERTS'
 
* '''psk''': Peer identifier string.
 
* '''psk''': Peer identifier string.
 
* '''initiator''': Initiator mode either 'bi-directional' or 'responder'.
 
* '''initiator''': Initiator mode either 'bi-directional' or 'responder'.
* '''vpnservice''': Unique Identifier to the VPN Service Object.
+
* '''vpnservice-id''': Unique Identifier to the VPN Service Object.
* '''ikepolicy''': Unique Identifier to the IKE Policy Object.
+
* '''ikepolicy-id''': Unique Identifier to the IKE Policy Object.
* '''ipsecpolicy''': Unique Identifier to the IPsec Policy Object.
+
* '''ipsecpolicy-id''': Unique Identifier to the IPsec Policy Object.
 
 
  
== vpn-vpnserviceconnection-delete ==
+
== ipsec-site-connection-delete ==
Delete a given vpnserviceconnection object.
+
Delete a given ipsec-site-connection object.
  
 
<pre><nowiki>
 
<pre><nowiki>
quantum vpn-vpnserviceconnection-delete [-h]
+
neutron ipsec-site-connection-delete  
 +
                                              [-h]
 
                                               [--request-format {json,xml}]
 
                                               [--request-format {json,xml}]
                                               VPNSERVICECONNECTION
+
                                               ipsec-site-connection
  
 
</nowiki></pre>
 
</nowiki></pre>
  
* '''VPNSERVICECONNECTION''': Unique identifier that identifies the VPN Service Connection to be deleted.
+
* '''ipsec-site-connection''': Unique identifier that identifies the VPN Connection to be deleted.
  
 
+
== ipsec-site-connection-list ==
== vpn-vpnserviceconnection-list ==
+
Show list of VPN Connection objects available to tenant.
Show list of VPN Service Connection objects available to tenant.
 
  
 
<pre><nowiki>
 
<pre><nowiki>
quantum vpn-vpnserviceconnection-list
+
neutron ipsec-site-connection-list
 
</nowiki></pre>
 
</nowiki></pre>
  
== vpn-vpnserviceconnection-show ==
+
== ipsec-site-connection-show ==
Shows information about a given VPN Service Connection object.
+
Shows information about a given VPN Connection object.
  
 
<pre><nowiki>
 
<pre><nowiki>
quantum vpn-vpnserviceconnection-show [-h] [-f {shell,table}] [-c COLUMN]
+
neutron ipsec-site-connection-show [-h] [-f {shell,table}] [-c COLUMN]
 
                                   [--variable VARIABLE] [--prefix PREFIX]
 
                                   [--variable VARIABLE] [--prefix PREFIX]
 
                                   [--request-format {json,xml}] [-D]
 
                                   [--request-format {json,xml}] [-D]
 
                                   [-F FIELD]
 
                                   [-F FIELD]
                                   VPNSERVICECONNECTION
+
                                   ipsec-site-connection
 
</nowiki></pre>
 
</nowiki></pre>
  
  
== vpn-vpnserviceconnection-update ==
+
== ipsec-site-connection-update ==
Update information of a given VPN Service Connection Object.
+
Update information of a given VPN Connection Object.
  
 
<pre><nowiki>
 
<pre><nowiki>
quantum vpn-vpnserviceconnection-update [-h] [--request-format {json,xml}] VPNSERVICECONNECTION
+
neutron ipsec-site-connection-update [-h] [--request-format {json,xml}] ipsec-site-connection
 
</nowiki></pre>
 
</nowiki></pre>
 +
 +
Note: Only can change when status is not PENDING_CREATE, PENDING_UPDATE, or PENDING_DELETE.
  
 
= REST API =
 
= REST API =
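Review bot: The `psk` bullet (`* '''psk''': Peer identifier string.`) describes the pre-shared key with the text of the `peer-id` bullet; it should say this is the IKE pre-shared secret shared with the remote gateway. Because PSK is the only authenticator in this design, the synopsis should not show it as optional (`[--psk PSK]`) when the data model marks `psk` as required, and the bullet should state whether the value is echoed back by show/list. Other mismatches in this hunk: `--peer_cidr` keeps an underscore and is singular while the other options are hyphenated and its metavar is PEER-CIDRS; `--local_cidrs` was removed from the synopsis but the `local-cidrs` bullet remains; the `initiator` bullet offers 'responder' where the table says response-only; `'static` is missing its closing quote; the delete, show and update synopses use the lowercase positional `ipsec-site-connection` while every other command uses an uppercase metavar; and the added update note should read "Can only be changed when status is not ...".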
Line 339: Line 493:
 
* The tenant creates one or more IKEPolicies.
 
* The tenant creates one or more IKEPolicies.
 
* The tenant creates one or more IPsecPolicies.
 
* The tenant creates one or more IPsecPolicies.
* The tenant creates one or more VPNServiceConnections and associates with the VPNService id, IKEPolicy id and IPsecPolicy id.
+
* The tenant creates one or more ipsec-site-connections and associates with the VPNService id, IKEPolicy id and IPsecPolicy id.
  
  
Line 349: Line 503:
 
/v1.0/vpnservices/
 
/v1.0/vpnservices/
 
GET
 
GET
/v1.0/vpnservices/vpnservice_id
+
/v1.0/vpnservices/vpnservice-id
 
POST
 
POST
 
/v1.0/vpnservices
 
/v1.0/vpnservices
 
UPDATE
 
UPDATE
/v1.0/vpnservices/vpnservice_id
+
/v1.0/vpnservices/vpnservice-id
 
DELETE
 
DELETE
/v1.0/vpnservices/vpnservice_id
+
/v1.0/vpnservices/vpnservice-id
 
</nowiki></pre>
 
</nowiki></pre>
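Review bot: `UPDATE` is listed as if it were an HTTP method alongside GET, POST and DELETE; the Neutron API updates resources with `PUT`, so that entry should say PUT. The paths also use `/v1.0/` while the warning at the top of the page points at the v2.0 networking API, and the renamed path parameter `vpnservice-id` disagrees with the underscore-named `vpnservice_id` attribute in the data model table.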
  
Line 375: Line 529:
 
           "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
 
           "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
 
           "name": "cloud_vpn",
 
           "name": "cloud_vpn",
           "subnet_id": "96a4386a-f8c3-42ed-afce-d7954eee77b3",
+
           "subnet": "96a4386a-f8c3-42ed-afce-d7954eee77b3",
  "router_id": "8acda86a-f8c3-42ed-afce-d7954eee77b3",
+
  "router": "8acda86a-f8c3-42ed-afce-d7954eee77b3",
          "vpn_type": "ipsec”,
 
 
           }
 
           }
 
}
 
}
 
</nowiki></pre>
 
</nowiki></pre>
 
  
 
====JSON Response====
 
====JSON Response====
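Review bot: The request body now uses `"subnet"` and `"router"` as key names, while the data model table defines `subnet_id` and `router_id` and the response in the next section uses `subnet-id`/`router-id`; three spellings for the same attributes cannot all pass one schema, so use the table's names. The `"vpn_type": "ipsec”,` line, which matches no CLI option in this revision, also ends with a curly closing quote and leaves a trailing comma before `}`, so the example is not valid JSON as shown.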
Line 394: Line 546:
 
   "vpnservice": {
 
   "vpnservice": {
 
           "id": "02b1fef7-16f5-4917-bf19-c40a9af805ed",
 
           "id": "02b1fef7-16f5-4917-bf19-c40a9af805ed",
           "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
+
           "tenant-id": "310df60f-2a10-4ee5-9554-98393092194c",
 
           "name": "cloud_vpn",
 
           "name": "cloud_vpn",
           "subnet_id": "96a4386a-f8c3-42ed-afce-d7954eee77b3",
+
           "subnet-id": "96a4386a-f8c3-42ed-afce-d7954eee77b3",
  "router_id": "8acda86a-f8c3-42ed-afce-d7954eee77b3",
+
  "router-id": "8acda86a-f8c3-42ed-afce-d7954eee77b3",
          "port_id" : "cd1f7a47-4fa6-449c-9ee7-632838aedfea",
 
          "vpn_type": "ipsec”,
 
 
           "admin_state_up": true,
 
           "admin_state_up": true,
 
           "status": "PENDING_CREATE"
 
           "status": "PENDING_CREATE"
Line 411: Line 561:
 
<pre><nowiki>
 
<pre><nowiki>
 
GET
 
GET
/v1.0/ikepolicys/
+
/v1.0/ikepolicies/
 
POST
 
POST
/v1.0/ikepolicys
+
/v1.0/ikepolicies
 
GET
 
GET
/v1.0/ikepolicys/ikepolicy_id
+
/v1.0/ikepolicies/ikepolicy-id
 
UPDATE
 
UPDATE
/v1.0/ikepolicys/ikepolicy_id
+
/v1.0/ikepolicies/ikepolicy-id
 
DELETE
 
DELETE
/v1.0/ikepolicys/ikepolicy_id
+
/v1.0/ikepolicies/ikepolicy-id
  
 
</nowiki></pre>
 
</nowiki></pre>
Line 429: Line 579:
 
<pre><nowiki>
 
<pre><nowiki>
 
#!highlight javascript numbers=disable
 
#!highlight javascript numbers=disable
POST /v1.0/ikepolicys
+
POST /v1.0/ikepolicies
 
Accept: application/json
 
Accept: application/json
 
Content-Type: application/json
 
Content-Type: application/json
Line 438: Line 588:
 
   "ikepolicy" : {
 
   "ikepolicy" : {
 
             "name": "ikepolicy_1",
 
             "name": "ikepolicy_1",
             "auth_algorithm" : "sha1",
+
             "auth-algorithm" : "sha1",
             "encryption_algorithm" : "aes-256",
+
             "encryption-algorithm" : "aes-256",
             "phase1_negotiation_mode" : "main",
+
             "phase1-negotiation-mode" : "main",
    "lifetime_unit" : "seconds"
+
    "lifetime": "units=seconds,value=28800",     
             "lifetime_value" : "28800",
+
             "ike-version" : "v1",
             "pfs": " Group2",
+
             "pfs": " Group5",
 
           }
 
           }
 
}
 
}
Line 460: Line 610:
 
             "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
 
             "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
 
             "name": "ikepolicy_1",
 
             "name": "ikepolicy_1",
             "auth_algorithm" : "sha1",
+
             "auth-algorithm" : "sha1",
             "encryption_algorithm" : "aes-256",
+
             "encryption-algorithm" : "aes-256",
             "phase1_negotiation_mode" : "main",
+
             "phase1-negotiation-mode" : "main",
            "lifetime_units" : "seconds",
+
          "lifetime": {
             "lifetime" : "28800",
+
                      "units" : "seconds"
             "pfs": "Group2",
+
                      "value" : 28800,
 +
            }
 +
             "ike-version" : "v1",
 +
             "pfs": "Group5",
 
           }
 
           }
 
}
 
}
 
</nowiki></pre>
 
</nowiki></pre>
 
  
 
==IPsecPolicy APIs==
 
==IPsecPolicy APIs==
Line 476: Line 628:
  
 
GET
 
GET
/v1.0/ipsecpolicys/
+
/v1.0/ipsecpolicies/
 
POST
 
POST
/v1.0/ipsecpolicys
+
/v1.0/ipsecpolicies
 
GET
 
GET
/v1.0/ipsecpolicys/ipsecpolicy_id
+
/v1.0/ipsecpolicies/ipsecpolicy-id
 
UPDATE
 
UPDATE
/v1.0/ipsecpolicys/ipsecpolicy_id
+
/v1.0/ipsecpolicies/ipsecpolicy-id
 
DELETE
 
DELETE
/v1.0/ipsecpolicys/ipsecpolicy_id
+
/v1.0/ipsecpolicies/ipsecpolicy-id
  
 
</nowiki></pre>
 
</nowiki></pre>
Line 492: Line 644:
 
<pre><nowiki>
 
<pre><nowiki>
 
#!highlight javascript numbers=disable
 
#!highlight javascript numbers=disable
POST /v1.0/ipsecpolicys
+
POST /v1.0/ipsecpolicies
 
Accept: application/json
 
Accept: application/json
 
Content-Type: application/json
 
Content-Type: application/json
Line 501: Line 653:
 
   "ipsecpolicy" : {
 
   "ipsecpolicy" : {
 
             "name": "ipsecpolicy_1",
 
             "name": "ipsecpolicy_1",
             "transform_protocol": "esp",
+
             "transform-protocol": "esp",
    "auth_algorithm" : "sha1",
+
    "auth-algorithm" : "sha1",
             "encryption_algorithm" : "aes-256",
+
             "encryption-algorithm" : "aes-256",
             "encapsulation_mode" : "tunnel",
+
             "encapsulation-mode" : "tunnel",
             "lifetime_units" : "seconds",
+
             "lifetime": "units=seconds,value=28800",
            "lifetime" : "28800s",
+
             "pfs": "Group5"
             "pfs": "Group2"
 
 
           }
 
           }
 
}
 
}
Line 525: Line 676:
 
   "ipsecpolicy" : {
 
   "ipsecpolicy" : {
 
             "id":"cfc6589d-f949-4c66-99d2-c2da56ef3764",
 
             "id":"cfc6589d-f949-4c66-99d2-c2da56ef3764",
             "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
+
             "tenant-id": "310df60f-2a10-4ee5-9554-98393092194c",
 
             "name": "ipsecpolicy_1",
 
             "name": "ipsecpolicy_1",
             "transform_protocol": "esp",
+
             "transform-protocol": "esp",
    "auth_algorithm" : "sha1",
+
    "auth-algorithm" : "sha1",
             "encryption_algorithm" : "aes-256",
+
             "encryption-algorithm" : "aes-256",
             "encapsulation_mode" : "tunnel",
+
             "encapsulation-mode" : "tunnel",
            "lifetime_units" : "seconds",
+
            "lifetime": {
            "lifetime" : "28800",
+
                      "units" : "seconds"
             "pfs": "Group2"
+
                      "value" : 28800,
 +
            }
 +
             "pfs": "Group5"
 
       }
 
       }
 
}
 
}
Line 539: Line 692:
  
  
VPNServiceConnection
+
ipsec-site-connection
 
 
  
==VPNServiceConnection APIs==
+
==ipsec-site-connection APIs==
  
 
<pre><nowiki>
 
<pre><nowiki>
  
 
GET
 
GET
/v1.0/vpnserviceconnections/
+
/v1.0/ipsec-site-connections/
 
POST
 
POST
/v1.0/vpnserviceconnections
+
/v1.0/ipsec-site-connections
 
GET
 
GET
/v1.0/vpnserviceconnections/vpnservice_conn_id
+
/v1.0/ipsec-site-connections/ipsec-site-connection-id
 
UPDATE
 
UPDATE
/v1.0/vpnserviceconnections/vpnservice_conn_id
+
/v1.0/ipsec-site-connections/ipsec-site-connection-id
 
DELETE
 
DELETE
/v1.0/vpnserviceconnections/vpnservice_conn_id
+
/v1.0/ipsec-site-connections/ipsec-site-connection-id
  
 
</nowiki></pre>
 
</nowiki></pre>
  
===VPNServiceConnection Create===
+
===ipsec-site-connection Create===
  
 
====JSON Request====
 
====JSON Request====
Line 565: Line 717:
 
<pre><nowiki>
 
<pre><nowiki>
 
#!highlight javascript numbers=disable
 
#!highlight javascript numbers=disable
POST /v1.0/vpnserviceconnections
+
POST /v1.0/ipsec-site-connections
 
Accept: application/json
 
Accept: application/json
 
Content-Type: application/json
 
Content-Type: application/json
Line 572: Line 724:
  
 
{
 
{
   "vpnserviceconnection" : {
+
   "ipsec_site_connection" : {
 
             "name": "ipsec_connection_1",
 
             "name": "ipsec_connection_1",
             "peer_address": "192.168.2.255",
+
             "peer-address": "192.168.2.255",
             "peer_id" : "192.168.2.255",
+
             "peer-id" : "192.168.2.255",
    "peer_cidrs" : "10.30.2.0/24",
+
    "peer-cidr" : "10.30.2.0/24",
             "local_cidrs" : "10.20.3.0/24",
+
             "dpd": "action=hold,interval=20,timeout=120",
            "route_mode" : "static",
 
            "dpd_action" : "hold",
 
            "dpd_timeout" : "30",
 
            "dpd_interval": "150",
 
 
           "mtu": "1500",
 
           "mtu": "1500",
          "auth_mode": "psk",
 
 
           "psk": "bla_bla_bla",
 
           "psk": "bla_bla_bla",
 
           "initiator": "bi-directional",
 
           "initiator": "bi-directional",
           "vpnservice_id": "02b1fef7-16f5-4917-bf19-c40a9af805ed",
+
           "vpnservice-id": "02b1fef7-16f5-4917-bf19-c40a9af805ed",
             "vpnservice_ikepolicy_id": "03299abc-16f5-4917-bf19-c40a9af805ed",
+
             "ikepolicy-id": "03299abc-16f5-4917-bf19-c40a9af805ed",
             "vpnservice_ipsecpolicy_id": "0dbc1234-16f5-4917-bf19-c40a9af805ed"
+
             "ipsecpolicy-id": "0dbc1234-16f5-4917-bf19-c40a9af805ed"
 
         }
 
         }
 
}
 
}
Line 604: Line 751:
  
 
{
 
{
   "vpnserviceconnection" : {
+
   "ipsec_site_connection" : {
 
             "id":"cfc6589d-f949-4c66-99d2-c2da56ef3764",
 
             "id":"cfc6589d-f949-4c66-99d2-c2da56ef3764",
             "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
+
             "tenant-id": "310df60f-2a10-4ee5-9554-98393092194c",
 
             "name": "ipsec_connection_1",
 
             "name": "ipsec_connection_1",
             "peer_address": "192.168.2.255",
+
             "peer-address": "192.168.2.255",
             "peer_id" : "192.168.2.255",
+
             "peer-id" : "192.168.2.255",
    "peer_cidrs" : "10.30.2.0/24",
+
    "peer-cidr" : "10.30.2.0/24",
             "local_cidrs" : "10.20.3.0/24",
+
             "dpd": {
            "route_mode" : "static",
+
                      "action" : "hold"
            "dpd_action" : "hold",
+
                      "interval" : 20,
            "dpd_timeout" : "30",
+
                      "timeout" : 120,
            "dpd_interval": "150",
+
            }
 
           "mtu": "1500",
 
           "mtu": "1500",
          "auth_mode": "psk",
 
 
           "psk": "bla_bla_bla",
 
           "psk": "bla_bla_bla",
 
           "initiator": "bi-directional",
 
           "initiator": "bi-directional",
             "vpnservice_id": "02b1fef7-16f5-4917-bf19-c40a9af805ed",
+
             "vpnservice-id": "02b1fef7-16f5-4917-bf19-c40a9af805ed",
             "vpnservice_ikepolicy_id": "03299abc-16f5-4917-bf19-c40a9af805ed",
+
             "ikepolicy-id": "03299abc-16f5-4917-bf19-c40a9af805ed",
             "vpnservice_ipsecpolicy_id": "0dbc1234-16f5-4917-bf19-c40a9af805ed",
+
             "ipsecpolicy-id": "0dbc1234-16f5-4917-bf19-c40a9af805ed",
 
             "admin_state_up": true,
 
             "admin_state_up": true,
 
             "status": "PENDING_CREATE"
 
             "status": "PENDING_CREATE"
Line 629: Line 775:
  
 
</nowiki></pre>
 
</nowiki></pre>
 
 
 
  
 
= Blueprints =
 
= Blueprints =

Latest revision as of 16:48, 28 January 2016


This wiki page is for development discussion

Overview

VPNaaS (VPN-as-a-Service) is a Neutron extension that introduces a VPN feature set.

The following is the proposed plan for the design and implementation of the VPN as a Service feature in OpenStack Networking for the Havana release. Our long-term goal for VPNaaS is a feature-rich service supporting multiple tunneling and security protocols with both static and dynamic routing; for the short term we want to deliver a basic, experimental, open-source-based reference implementation of IPsec VPNs using static routing only, so that we can evaluate the API, resource model and usability of the feature. This will allow us to gather feedback and make enhancements if required.

We would also like a simple configuration model similar to the one in AWS. In AWS the IKE and IPsec policies are pre-defined; we want them to be user-configurable rather than fixed templates.

Again for simplicity, we will implement IKE with "PSK" authentication only rather than certificates. In future this can be extended to support certificate-based authentication.

DataModel

VPNServices Resource

Attribute      | Type     | Required                 | CRUD | Default   | Validation Constraint | Notes
id             | uuid-str | N/A                      | R    | generated | N/A                   | UUID for the VPNService object
tenant_id      | uuid-str | yes                      | CR   | None      | valid tenant_id       | UUID of the tenant that owns the VPN service
name           | string   | no                       | CRU  | None      | N/A                   | Name of the VPN service
description    | string   | no                       | CRU  | None      | N/A                   | Description of the VPN service
status         | string   | N/A                      | R    | N/A       | N/A                   | Whether the IPsec vpnservice is currently operational: ACTIVE, DOWN, BUILD, ERROR
admin_state_up | bool     | N/A                      | CRU  | TRUE      | true/false            | Administrative state of the vpnservice; if false (down), the port does not forward packets
subnet_id      | uuid     | yes (subnet_id is needed)| CR   | N/A       | valid subnet id       | Subnet in which the tenant wants the VPN service
router_id      | uuid     | yes                      | CR   | N/A       | valid router id       | Router into which the VPN service is inserted

IKEPolicies Resource

Attribute               | Type     | Required | CRUD | Default          | Validation Constraint | Notes
id                      | uuid-str | N/A      | R    | generated        | N/A                   | UUID for the IKEPolicy
tenant_id               | uuid-str | yes      | CR   | None             | valid tenant_id       | UUID of the owner of the VPN service
name                    | string   | yes      | CRU  | None             | N/A                   | Friendly name for the IKEPolicy
description             | string   | no       | CRU  | None             | N/A                   | Description of the IKEPolicy
auth_algorithm          | string   | no       | CRU  | sha1             | N/A                   | Authentication hash algorithm: "sha1"
encryption_algorithm    | string   | no       | CRU  | aes-128          | N/A                   | Encryption algorithm: 3des, aes-128, aes-192, aes-256, etc.
phase1_negotiation_mode | string   | no       | CRU  | Main Mode        | N/A                   | IKE phase 1 mode: Main mode
pfs                     | string   | no       | CRU  | Group5           | N/A                   | Perfect Forward Secrecy group (Group2, Group5, Group14)
ike_version             | string   | no       | CRU  | v1               | N/A                   | IKE version, v1 or v2
lifetime.units          | string   | no       | CRU  | seconds          | "seconds"             | Unit of the SA lifetime (seconds)
lifetime.value          | integer  | no       | CRU  | 3600 for seconds | Integer               | SA lifetime value in seconds (value >= 60)

IPsecPolicies Resource

Attribute            | Type     | Required | CRUD | Default          | Validation Constraint | Notes
id                   | uuid-str | N/A      | R    | generated        | N/A                   | UUID for the IPsecPolicy
tenant_id            | uuid-str | yes      | CR   | None             | valid tenant_id       | UUID of the owner of the VPN service
name                 | string   | yes      | CRU  | None             | N/A                   | Friendly name for the IPsecPolicy
description          | string   | no       | CRU  | None             | N/A                   | Description of the policy
transform_protocol   | string   | no       | CRU  | ESP              | N/A                   | Transform protocol: ESP, AH or AH-ESP
encapsulation_mode   | string   | no       | CRU  | tunnel           | N/A                   | Encapsulation mode: tunnel or transport
auth_algorithm       | string   | no       | CRU  | sha1             | N/A                   | Authentication algorithm: sha1
encryption_algorithm | string   | no       | CRU  | aes-128          | N/A                   | Encryption algorithm: 3des, aes-128, aes-192, aes-256
pfs                  | string   | no       | CRU  | group5           | N/A                   | Perfect Forward Secrecy group (group2, group5, group14)
lifetime.units       | string   | no       | CRU  | seconds          | "seconds"             | Unit of the SA lifetime (seconds)
lifetime.value       | integer  | no       | CRU  | 3600 for seconds | Integer               | SA lifetime value in seconds (value >= 60)

ipsec-site-connection Resource

Attribute      | Type                 | Required | CRUD | Default        | Validation Constraint                                      | Notes
id             | uuid-str             | N/A      | R    | generated      | N/A                                                        | UUID for the VPN connection
tenant_id      | uuid-str             | yes      | CR   | None           | valid tenant_id                                            | UUID of the owner of the VPN service
name           | string               | no       | CRU  | None           | N/A                                                        | Name of the ipsec-site-connection
description    | string               | no       | CRU  | None           | N/A                                                        | Description of the ipsec-site-connection
peer_address   | ipaddress (v4 or v6) | yes      | CRU  | N/A            | valid IP address (v4 or v6)                                | Peer VPN gateway public address or FQDN
peer_id        | string               | yes      | CRU  | N/A            | N/A                                                        | Peer identifier (name, string or FQDN)
peer_cidrs     | list[string]         | yes      | CRU  | N/A            | list of valid CIDRs of the form <network_address>/<prefix> | Peer private CIDRs
route_mode     | string               | no       | R    | static         | static                                                     | Static routing only
mtu            | integer              | no       | CRU  | 1500           | integer, value >= 68                                       | Maximum transmission unit, to address fragmentation
auth_mode      | string               | no       | R    | psk            | psk/certs                                                  | Authentication mode, either PSK or certificate
psk            | string               | yes      | CRU  | N/A            | none                                                       | Pre-shared key, any string
initiator      | string               | no       | CRU  | bi-directional | bi-directional / response-only                             | Whether this VPN can only respond to connections or can initiate as well
admin_state_up | bool                 | N/A      | CRU  | TRUE           | true / false                                               | Administrative state of the VPN connection; if false (down), the connection does not forward packets
status         | string               | N/A      | R    | N/A            | N/A                                                        | Whether the VPN connection is currently operational: ACTIVE, DOWN, BUILD, ERROR
ikepolicy_id   | uuid                 | yes      | CR   | N/A            | uuid of an ikepolicy                                       | ID of the IKEPolicy
ipsecpolicy_id | uuid                 | yes      | CR   | N/A            | uuid of an ipsecpolicy                                     | ID of the IPsecPolicy
vpnservice_id  | uuid                 | yes      | CR   | N/A            | uuid of a vpnservice                                       | ID of the VPNService
dpd.action     | string               | no       | CRU  | hold           | hold / clear / disabled / restart / restart-by-peer        | DPD action; controls the use of the Dead Peer Detection protocol
dpd.interval   | integer              | no       | CRU  | 30             | > 0                                                        | DPD delay in seconds
dpd.timeout    | integer              | no       | CRU  | 120            | > 0 and > dpd.interval                                     | DPD timeout in seconds

Current Proposed API for VPNaaS "Neutron/VPNaaS/API"

This section describes commands that will be introduced into python-neutronclient in order to support VPNaaS advanced service.


vpn-service-create      Create a VPNService  
vpn-service-delete      Delete a given VPNService
vpn-service-list        List all VPNServices for a given tenant.
vpn-service-show        Show detailed information of a given VPNService.
vpn-service-update      Update a given VPNservice.
 
vpn-ikepolicy-create       Create an IKEPolicy
vpn-ikepolicy-delete       Delete a given IKE Policy.
vpn-ikepolicy-list         List IKEPolicies that belong to a given tenant.
vpn-ikepolicy-show         Show detailed information of a given IKEPolicy.
vpn-ikepolicy-update       Update a given IKE Policy.
 
vpn-ipsecpolicy-create     Create an IPsec policy
vpn-ipsecpolicy-delete     Delete a given IPsec Policy
vpn-ipsecpolicy-list       List IPsecPolicies that belong to a given tenant.
vpn-ipsecpolicy-show       Show detailed information of a given IPsec Policy
vpn-ipsecpolicy-update     Update a given IPsec Policy.
 
ipsec-site-connection-create  Create an ipsec-site-connection
ipsec-site-connection-delete  Delete a given ipsec-site-connection.
ipsec-site-connection-list    List ipsec-site-connections that belong to a given tenant.
ipsec-site-connection-show    Show information of a given ipsec-site-connection.
ipsec-site-connection-update  Update a given ipsec-site-connection.


Command Specification

vpn-service-create

Create a new vpnservice


neutron vpn-service-create [-h] [-f {shell,table}] [-c COLUMN]
                                     [--variable VARIABLE] [--prefix PREFIX]
                                     [--request-format {json,xml}]
                                     [--tenant-id TENANT_ID]
                                     [--admin-state-down] [--name NAME]
                                     [--description DESCRIPTION] 
                                     ROUTER
                                     SUBNET 


  • tenant-id: ID of the Tenant that owns the VPN Service.
  • router: Unique identifier of the Router (either 'name' or 'id') to which the VPN will be attached.
  • subnet: Unique identifier of the Subnet (either 'name' or 'id') to which the VPN will provide service. (*)

vpn-service-delete

Delete a given vpnservice object.

neutron vpn-service-delete [-h] [--request-format {json,xml}] VPNSERVICE
  • VPNSERVICE: Unique identifier that identifies the VPN Service to be deleted.


vpn-service-list

Show list of VPN Service objects available to tenant.

neutron vpn-service-list

vpn-service-show

Shows information about a given VPN Service object.

neutron vpn-service-show [-h] [-f {shell,table}] [-c COLUMN]
                                   [--variable VARIABLE] [--prefix PREFIX]
                                   [--request-format {json,xml}] [-D]
                                   [-F FIELD]
                                   VPNSERVICE


vpn-service-update

Update information of a given VPN Service Object.

neutron vpn-service-update [-h] [--request-format {json,xml}] VPNSERVICE

Note: Updates are only allowed when the status is not PENDING_CREATE, PENDING_UPDATE, or PENDING_DELETE.

vpn-ikepolicy-create

Create a new ikepolicy object


neutron vpn-ikepolicy-create [-h] [-f {shell,table}] [-c COLUMN]
              [--variable VARIABLE] [--prefix PREFIX]
              [--request-format {json,xml}]
              [--tenant-id TENANT_ID] 
              [--description DESCRIPTION]
              [--auth-algorithm AUTH-ALGORITHM]
              [--encryption-algorithm ENCRYPTION-ALGORITHM]
              [--phase1-negotiation-mode PHASE1-NEGOTIATION-MODE]
              [--ike-version IKE-VERSION]
              [--pfs PFS]
              [--lifetime units=UNITS,value=VALUE]
              NAME

  • NAME: Friendly name of the IKEPolicy used in IPsec VPN Service Connections
  • description: Friendly description of the IKEPolicy used in IPsec VPN Service Connections
  • tenant-id: ID of the Tenant that owns the VPN Service.
  • auth-algorithm: Authentication algorithm used in the IKEPolicy.
  • encryption-algorithm: Encryption algorithm used in the IKEPolicy.
  • phase1-negotiation-mode: Phase1 negotiation mode for IKE either 'Main' or 'Aggressive'.
  • lifetime: String with lifetime specific parameters example: --lifetime "units=seconds,value=3600"
  • units: Units for lifetime ('seconds' or 'kilobytes')
  • value: Value for lifetime (non-negative integer).
  • ike-version: Specify the ike_version.
  • pfs: Specify the Perfect Forward Secrecy.

vpn-ikepolicy-delete

Delete a given IKEPolicy object.

neutron vpn-ikepolicy-delete [-h] [--request-format {json,xml}]
                                    IKEPOLICY
  • IKEPOLICY: Unique identifier that identifies the IKEPolicy to be deleted.


vpn-ikepolicy-list

Show list of IKEPolicy objects available to tenant.

neutron vpn-ikepolicy-list

vpn-ikepolicy-show

Shows information about a given IKEPolicy object.

neutron vpn-ikepolicy-show [-h] [-f {shell,table}] [-c COLUMN]
                                  [--variable VARIABLE] [--prefix PREFIX]
                                  [--request-format {json,xml}] [-D]
                                  [-F FIELD]
                                  IKEPOLICY


vpn-ikepolicy-update

Update information of a given IKEPolicy Object.

neutron vpn-ikepolicy-update [-h] [--request-format {json,xml}]
                                    IKEPOLICY


vpn-ipsecpolicy-create

Create a new ipsecpolicy object


neutron vpn-ipsecpolicy-create [-h] [-f {shell,table}] [-c COLUMN]
                [--variable VARIABLE] [--prefix PREFIX]
                [--request-format {json,xml}]
                [--tenant-id TENANT_ID]
                [--description DESCRIPTION]
                --transform-protocol TRANSFORM-PROTOCOL
                [--auth-algorithm AUTH-ALGORITHM]
                [--encryption-algorithm ENCRYPTION-ALGORITHM]
                [--encapsulation-mode ENCAPSULATION-MODE]
                [--pfs PFS]
                [--lifetime units=UNITS,value=VALUE]
                NAME

  • NAME: Friendly name of the IPsecPolicy used in IPsec VPN Service Connections
  • description: Friendly description of the IPsecPolicy used in IPsec VPN Service Connections
  • tenant-id: ID of the Tenant that owns the VPN Service.
  • auth-algorithm: Authentication algorithm used in the IPsecPolicy.
  • encryption-algorithm: Encryption algorithm used in the IPsecPolicy.
  • encapsulation-mode: Encapsulation mode for IPsec tunnel either 'tunnel' or 'transport'.
  • transform-protocol: IPsec Transform Protocol either 'ESP' or 'AH'.
  • lifetime: String with lifetime specific parameters example: --lifetime "units=seconds,value=3600"
  • units: Units for lifetime ('seconds' or 'kilobytes')
  • value: Value for lifetime (non-negative integer).
  • pfs: Specify the Perfect Forward Secrecy.

vpn-ipsecpolicy-delete

Delete a given IPsecPolicy object.

neutron vpn-ipsecpolicy-delete [-h] [--request-format {json,xml}]
                                    IPSECPOLICY
  • IPSECPOLICY: Unique identifier that identifies the IPsecPolicy to be deleted.


vpn-ipsecpolicy-list

Show list of IPsecPolicy objects available to tenant.

neutron vpn-ipsecpolicy-list

vpn-ipsecpolicy-show

Shows information about a given IPsecPolicy object.

neutron vpn-ipsecpolicy-show [-h] [-f {shell,table}] [-c COLUMN]
                                  [--variable VARIABLE] [--prefix PREFIX]
                                  [--request-format {json,xml}] [-D]
                                  [-F FIELD]
                                  IPSECPOLICY


vpn-ipsecpolicy-update

Update information of a given IPsecPolicy Object.

neutron vpn-ipsecpolicy-update [-h] [--request-format {json,xml}]
                                    IPSECPOLICY


ipsec-site-connection-create

Create a new ipsec-site-connection object


neutron ipsec-site-connection-create [-h] [-f {shell,table}]
                                [-c COLUMN]
                                [--variable VARIABLE]
                                [--prefix PREFIX]
                                [--request-format {json,xml}]
                                [--tenant-id TENANT_ID]
                                [--admin-state-down] --name NAME
                                [--description DESCRIPTION]
                                --peer-address PEER-ADDRESS
                                --peer-id PEER-ID --peer_cidr PEER-CIDRS
                                [--mtu MTU]
                                [--psk PSK]
                                [--initiator INITIATOR]
                                [--dpd DPD]
                                --vpnservice-id VPNSERVICE
                                --ikepolicy-id IKEPOLICY
                                --ipsecpolicy-id IPSECPOLICY

  • peer-address: Remote Peer IP Address for the VPN Connection.
  • tenant-id: ID of the Tenant that owns the VPN Service.
  • peer-id: Peer identifier string.
  • peer_cidr: Remote Peer Subnet with mask in CIDR format.
  • mtu: MTU for fragmentation
  • dpd: String with the dpd attributes. Example: --dpd "action=hold,interval=30,timeout=120"
  • action: Dead peer detection actions (action=hold, restart etc.,).
  • interval: Dead peer detection interval.(interval=30)
  • timeout: Dead peer detection timeout.(timeout=120)
  • route-mode: Routing mode either 'static' or 'dynamic'; for the first release only 'static' is supported.
  • auth-mode: Authentication mode either 'PSK' or 'CERTS'.
  • psk: Pre-shared key string.
  • initiator: Initiator mode either 'bi-directional' or 'responder'.
  • vpnservice-id: Unique Identifier to the VPN Service Object.
  • ikepolicy-id: Unique Identifier to the IKE Policy Object.
  • ipsecpolicy-id: Unique Identifier to the IPsec Policy Object.

ipsec-site-connection-delete

Delete a given ipsec-site-connection object.

neutron ipsec-site-connection-delete [-h] [--request-format {json,xml}]
                                     ipsec-site-connection

  • ipsec-site-connection: Unique identifier that identifies the VPN Connection to be deleted.

ipsec-site-connection-list

Show list of VPN Connection objects available to tenant.

neutron ipsec-site-connection-list

ipsec-site-connection-show

Shows information about a given VPN Connection object.

neutron ipsec-site-connection-show [-h] [-f {shell,table}] [-c COLUMN]
                                   [--variable VARIABLE] [--prefix PREFIX]
                                   [--request-format {json,xml}] [-D]
                                   [-F FIELD]
                                   ipsec-site-connection


ipsec-site-connection-update

Update information of a given VPN Connection Object.

neutron ipsec-site-connection-update [-h] [--request-format {json,xml}] ipsec-site-connection

Note: Updates are only allowed when the status is not PENDING_CREATE, PENDING_UPDATE, or PENDING_DELETE.

REST API

High-Level Task Flow

The high-level task flow for using the VPNaaS API to configure an IPsec VPN is as follows:

  • The tenant creates a VPNService, without any connections.
  • The tenant creates one or more IKEPolicies.
  • The tenant creates one or more IPsecPolicies.
  • The tenant creates one or more ipsec-site-connections, associating each with a VPNService id, an IKEPolicy id and an IPsecPolicy id.


VPNService APIs


GET
/v1.0/vpnservices/
GET
/v1.0/vpnservices/vpnservice-id
POST
/v1.0/vpnservices
UPDATE
/v1.0/vpnservices/vpnservice-id
DELETE
/v1.0/vpnservices/vpnservice-id


VPNService Create

JSON Request

POST /v1.0/vpnservices
Content-Type: application/json
Accept: application/json
X-Auth-Token: xyz
Content-Length: abc

{
  "vpnservice": {
    "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
    "name": "cloud_vpn",
    "subnet_id": "96a4386a-f8c3-42ed-afce-d7954eee77b3",
    "router_id": "8acda86a-f8c3-42ed-afce-d7954eee77b3"
  }
}

JSON Response

HTTP/1.1 202 Accepted
Content-Type: application/json
Content-Length: abc

{
  "vpnservice": {
    "id": "02b1fef7-16f5-4917-bf19-c40a9af805ed",
    "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
    "name": "cloud_vpn",
    "subnet_id": "96a4386a-f8c3-42ed-afce-d7954eee77b3",
    "router_id": "8acda86a-f8c3-42ed-afce-d7954eee77b3",
    "admin_state_up": true,
    "status": "PENDING_CREATE"
  }
}


IKEPolicy APIs

GET
/v1.0/ikepolicies/
POST
/v1.0/ikepolicies
GET
/v1.0/ikepolicies/ikepolicy-id
UPDATE
/v1.0/ikepolicies/ikepolicy-id
DELETE
/v1.0/ikepolicies/ikepolicy-id

IKEPolicy Create

JSON Request

POST /v1.0/ikepolicies
Accept: application/json
Content-Type: application/json
X-Auth-Token: xyz
Content-Length: abc

{
  "ikepolicy": {
    "name": "ikepolicy_1",
    "auth_algorithm": "sha1",
    "encryption_algorithm": "aes-256",
    "phase1_negotiation_mode": "main",
    "lifetime": {
      "units": "seconds",
      "value": 28800
    },
    "ike_version": "v1",
    "pfs": "Group5"
  }
}

JSON Response

HTTP/1.1 202 Accepted
Content-Type: application/json
Content-Length: abc

{
  "ikepolicy": {
    "id": "cfc6589d-f949-4c66-99d2-c2da56ef3764",
    "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
    "name": "ikepolicy_1",
    "auth_algorithm": "sha1",
    "encryption_algorithm": "aes-256",
    "phase1_negotiation_mode": "main",
    "lifetime": {
      "units": "seconds",
      "value": 28800
    },
    "ike_version": "v1",
    "pfs": "Group5"
  }
}

IPsecPolicy APIs


GET
/v1.0/ipsecpolicies/
POST
/v1.0/ipsecpolicies
GET
/v1.0/ipsecpolicies/ipsecpolicy-id
UPDATE
/v1.0/ipsecpolicies/ipsecpolicy-id
DELETE
/v1.0/ipsecpolicies/ipsecpolicy-id

IPsecPolicy Create

JSON Request

POST /v1.0/ipsecpolicies
Accept: application/json
Content-Type: application/json
X-Auth-Token: xyz
Content-Length: abc

{
  "ipsecpolicy": {
    "name": "ipsecpolicy_1",
    "transform_protocol": "esp",
    "auth_algorithm": "sha1",
    "encryption_algorithm": "aes-256",
    "encapsulation_mode": "tunnel",
    "lifetime": {
      "units": "seconds",
      "value": 28800
    },
    "pfs": "group5"
  }
}

JSON Response


HTTP/1.1 202 Accepted
Content-Type: application/json
Content-Length: abc

{
  "ipsecpolicy": {
    "id": "cfc6589d-f949-4c66-99d2-c2da56ef3764",
    "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
    "name": "ipsecpolicy_1",
    "transform_protocol": "esp",
    "auth_algorithm": "sha1",
    "encryption_algorithm": "aes-256",
    "encapsulation_mode": "tunnel",
    "lifetime": {
      "units": "seconds",
      "value": 28800
    },
    "pfs": "group5"
  }
}



ipsec-site-connection APIs


GET
/v1.0/ipsec-site-connections/
POST
/v1.0/ipsec-site-connections
GET
/v1.0/ipsec-site-connections/ipsec-site-connection-id
UPDATE
/v1.0/ipsec-site-connections/ipsec-site-connection-id
DELETE
/v1.0/ipsec-site-connections/ipsec-site-connection-id

ipsec-site-connection Create

JSON Request

POST /v1.0/ipsec-site-connections
Accept: application/json
Content-Type: application/json
X-Auth-Token: xyz
Content-Length: abc

{
  "ipsec_site_connection": {
    "name": "ipsec_connection_1",
    "peer_address": "192.168.2.255",
    "peer_id": "192.168.2.255",
    "peer_cidrs": ["10.30.2.0/24"],
    "dpd": {
      "action": "hold",
      "interval": 20,
      "timeout": 120
    },
    "mtu": 1500,
    "psk": "bla_bla_bla",
    "initiator": "bi-directional",
    "vpnservice_id": "02b1fef7-16f5-4917-bf19-c40a9af805ed",
    "ikepolicy_id": "03299abc-16f5-4917-bf19-c40a9af805ed",
    "ipsecpolicy_id": "0dbc1234-16f5-4917-bf19-c40a9af805ed"
  }
}

JSON Response


HTTP/1.1 202 Accepted
Content-Type: application/json
Content-Length: abc

{
  "ipsec_site_connection": {
    "id": "cfc6589d-f949-4c66-99d2-c2da56ef3764",
    "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
    "name": "ipsec_connection_1",
    "peer_address": "192.168.2.255",
    "peer_id": "192.168.2.255",
    "peer_cidrs": ["10.30.2.0/24"],
    "dpd": {
      "action": "hold",
      "interval": 20,
      "timeout": 120
    },
    "mtu": 1500,
    "psk": "bla_bla_bla",
    "initiator": "bi-directional",
    "vpnservice_id": "02b1fef7-16f5-4917-bf19-c40a9af805ed",
    "ikepolicy_id": "03299abc-16f5-4917-bf19-c40a9af805ed",
    "ipsecpolicy_id": "0dbc1234-16f5-4917-bf19-c40a9af805ed",
    "admin_state_up": true,
    "status": "PENDING_CREATE"
  }
}
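The four-step task flow (VPNService, IKEPolicy, IPsecPolicy, then ipsec-site-connection) driven end to end against the /v1.0 endpoints above, as an added example that is not code from this page, from Neutron or from python-neutronclient. It builds the request bodies with the data-model attribute names (underscore form) and enforces the data-model validation constraints (lifetime value >= 60, mtu >= 68, dpd timeout > interval > 0, well-formed peer CIDRs) before each POST; the HTTP transport is injected, and the `fake_neutron_post` stand-in, the peer address 192.0.2.1 and the placeholder PSK are constructed for the example, with the tenant, router and subnet ids reused from the page's request samples.

```python
"""Added example, not from the wiki page: run the four-step VPNaaS task flow
(VPNService -> IKEPolicy -> IPsecPolicy -> ipsec-site-connection) against the
/v1.0 endpoints this page describes, checking the data-model constraints
client-side before each POST.  The transport is injected, so the script runs
offline against the constructed stand-in at the bottom."""
import ipaddress
import uuid

VALID_PFS = {"group2", "group5", "group14"}
VALID_ENCRYPTION = {"3des", "aes-128", "aes-192", "aes-256"}
VALID_DPD_ACTIONS = {"hold", "clear", "disabled", "restart", "restart-by-peer"}


def check_policy(policy: dict) -> None:
    """Constraints shared by IKEPolicy and IPsecPolicy in the data model."""
    if policy["encryption_algorithm"] not in VALID_ENCRYPTION:
        raise ValueError("unsupported encryption_algorithm")
    if policy["pfs"].lower() not in VALID_PFS:
        raise ValueError("pfs must be group2, group5 or group14")
    lifetime = policy["lifetime"]
    if lifetime.get("units") != "seconds":
        raise ValueError("lifetime.units must be 'seconds'")
    if not isinstance(lifetime.get("value"), int) or lifetime["value"] < 60:
        raise ValueError("lifetime.value must be an integer >= 60")


def check_connection(conn: dict) -> None:
    """mtu >= 68, DPD timeout > interval > 0, valid peer CIDRs, non-empty PSK."""
    if conn["mtu"] < 68:
        raise ValueError("mtu must be >= 68")
    dpd = conn["dpd"]
    if dpd["action"] not in VALID_DPD_ACTIONS:
        raise ValueError("unknown dpd.action")
    if not 0 < dpd["interval"] < dpd["timeout"]:
        raise ValueError("dpd.timeout must exceed dpd.interval, both > 0")
    for cidr in conn["peer_cidrs"]:
        ipaddress.ip_network(cidr)  # ValueError on a malformed prefix or host bits set
    if not conn["psk"]:
        raise ValueError("psk must be a non-empty string")


class VpnaasClient:
    """Wraps the create calls; `post` is the HTTP transport (path, body) -> body."""
    PATHS = {"vpnservice": "/v1.0/vpnservices",
             "ikepolicy": "/v1.0/ikepolicies",
             "ipsecpolicy": "/v1.0/ipsecpolicies",
             "ipsec_site_connection": "/v1.0/ipsec-site-connections"}
    CHECKS = {"ikepolicy": check_policy, "ipsecpolicy": check_policy,
              "ipsec_site_connection": check_connection}

    def __init__(self, post):
        self._post = post

    def create(self, kind: str, resource: dict) -> dict:
        """Validate, then POST the resource wrapped in its type name (as on the page)."""
        if kind in self.CHECKS:
            self.CHECKS[kind](resource)
        return self._post(self.PATHS[kind], {kind: resource})[kind]


def build_site_to_site(client, tenant_id, router_id, subnet_id,
                       peer_address, peer_cidr, psk) -> dict:
    """Steps 1-4 of the task flow; returns the created connection resource."""
    lifetime = {"units": "seconds", "value": 28800}
    service = client.create("vpnservice", {
        "tenant_id": tenant_id, "name": "cloud_vpn",
        "router_id": router_id, "subnet_id": subnet_id})
    ike = client.create("ikepolicy", {
        "name": "ikepolicy_1", "auth_algorithm": "sha1",
        "encryption_algorithm": "aes-256", "phase1_negotiation_mode": "main",
        "ike_version": "v1", "pfs": "group5", "lifetime": lifetime})
    ipsec = client.create("ipsecpolicy", {
        "name": "ipsecpolicy_1", "transform_protocol": "esp",
        "auth_algorithm": "sha1", "encryption_algorithm": "aes-256",
        "encapsulation_mode": "tunnel", "pfs": "group5", "lifetime": lifetime})
    return client.create("ipsec_site_connection", {
        "name": "ipsec_connection_1", "peer_address": peer_address,
        "peer_id": peer_address, "peer_cidrs": [peer_cidr], "mtu": 1500,
        "dpd": {"action": "hold", "interval": 30, "timeout": 120},
        "psk": psk, "initiator": "bi-directional",
        "vpnservice_id": service["id"], "ikepolicy_id": ike["id"],
        "ipsecpolicy_id": ipsec["id"]})


def fake_neutron_post(path: str, body: dict) -> dict:
    """Constructed stand-in for Neutron: echoes the resource back with a
    deterministic id and the PENDING_CREATE status shown in the page's responses."""
    (kind, resource), = body.items()
    new_id = str(uuid.uuid5(uuid.NAMESPACE_URL, path + "/" + resource["name"]))
    return {kind: dict(resource, id=new_id, admin_state_up=True,
                       status="PENDING_CREATE")}


if __name__ == "__main__":
    conn = build_site_to_site(VpnaasClient(fake_neutron_post),
                              "310df60f-2a10-4ee5-9554-98393092194c",
                              "8acda86a-f8c3-42ed-afce-d7954eee77b3",
                              "96a4386a-f8c3-42ed-afce-d7954eee77b3",
                              "192.0.2.1", "10.30.2.0/24",
                              "psk-from-secret-store")  # placeholder, not a real key
    print(conn["id"], conn["status"])
```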

Blueprints

VPN as a Service ( VPNaaS) APIs, DataModel and Use Cases

Havana Plan