


VPNaaS (VPN-as-a-Service) is a Quantum extension that introduces a VPN feature set.

The following is the proposed plan for the design and implementation of the VPN as a Service feature in OpenStack Networking for the Havana release. Our long-term goal for VPNaaS is a feature-rich service that supports multiple tunneling and security protocols with both static and dynamic routing. For the short term, however, we want to deliver a basic, experimental, open-source-based reference implementation of IPsec VPNs using static routing only. This will let us evaluate the API, resource model and usability of the feature, gather feedback, and make enhancements where required.

We would also like a simple configuration model, similar to the one AWS offers. In AWS the IKE and IPsec policies are pre-defined; we would rather make them user-configurable than ship pre-defined templates.

Again for simplicity, we will implement IKE with "PSK" (pre-shared key) authentication only, rather than certificates. Certificate-based authentication can be added in a future release.

Current Proposed API for VPNaaS "Quantum/VPNaaS/API"

This section describes commands that will be introduced into python-quantumclient in order to support VPNaaS advanced service.

vpn-vpnservice-create      Create a VPNService  
vpn-vpnservice-delete      Delete a given VPNService
vpn-vpnservice-list        List all VPNService for a given tenant.
vpn-vpnservice-show        Show detailed information of a given VPNService.
vpn-vpnservice-update      Update a given VPNService.
vpn-ikepolicy-create       Create an IKEPolicy
vpn-ikepolicy-delete       Delete a given IKE Policy.
vpn-ikepolicy-list         List IKEPolicies that belong to a given tenant.
vpn-ikepolicy-show         Show detailed information of a given IKEPolicy.
vpn-ikepolicy-update       Update a given IKE Policy.
vpn-ipsecpolicy-create     Create an IPsec policy
vpn-ipsecpolicy-delete     Delete a given IPsec Policy
vpn-ipsecpolicy-list       List IPsecPolicies that belong to a given tenant.
vpn-ipsecpolicy-show       Show detailed information of a given IPsec Policy
vpn-ipsecpolicy-update     Update a given IPsec Policy.
vpn-vpnserviceconnection-create  Create a VPNServiceConnection
vpn-vpnserviceconnection-delete  Delete a given VPNServiceConnection.
vpn-vpnserviceconnection-list    List VPNServiceConnections that belong to a given tenant.
vpn-vpnserviceconnection-show    Show information of a given VPNServiceConnection.
vpn-vpnserviceconnection-update  Update a given VPNServiceConnection.

Command Specification


Create a new vpnservice

quantum vpn-vpnservice-create [-h] [-f {shell,table}] [-c COLUMN]
                              [--variable VARIABLE] [--prefix PREFIX]
                              [--request-format {json,xml}]
                              [--tenant-id TENANT_ID]
                              [--admin-state-down] [--name NAME]
                              [--description DESCRIPTION] --vpn_type VPN_TYPE
                              [--router_id ROUTER_ID] --subnet_id SUBNET_ID
                              [--port_id PORT_ID]

  • vpn_type: One of the predefined VPN service types; for the first release only "ipsec" is supported.
  • tenant-id: ID of the Tenant that owns the VPN Service.
  • subnet_id: ID of the Subnet to which the VPN will provide service.
  • router_id: ID of the router to which the VPN will be attached.
  • port_id: ID of the port with which the VPN address will be associated.


Delete a given vpnservice object.

quantum vpn-vpnservice-delete [-h] [--request-format {json,xml}] VPNSERVICE
  • VPNSERVICE: Unique identifier that identifies the VPN Service to be deleted.


Show list of VPN Service objects available to tenant.

quantum vpn-vpnservice-list


Shows information about a given VPN Service object.

quantum vpn-vpnservice-show [-h] [-f {shell,table}] [-c COLUMN]
                            [--variable VARIABLE] [--prefix PREFIX]
                            [--request-format {json,xml}] [-D]
                            [-F FIELD] VPNSERVICE
  • VPNSERVICE: Unique identifier that identifies the VPN Service to show.


Update information of a given VPN Service Object.

quantum vpn-vpnservice-update [-h] [--request-format {json,xml}] VPNSERVICE


Create a new ikepolicy object

quantum vpn-ikepolicy-create [-h] [-f {shell,table}] [-c COLUMN]
              [--variable VARIABLE] [--prefix PREFIX]
              [--request-format {json,xml}]
              [--tenant-id TENANT_ID] --name NAME
              [--description DESCRIPTION]
              [--auth_algorithm AUTH_ALGORITHM]
              [--encryption_algorithm ENCRYPTION_ALGORITHM]
              [--phase1_negotiation_mode PHASE1_NEGOTIATION_MODE]
              [--lifetime_units LIFETIME_UNITS]
              [--lifetime_value LIFETIME_VALUE]
              [--pfs PFS]

  • name: Friendly name of the IKEPolicy used in IPsec VPN Service Connections.
  • description: Friendly description of the IKEPolicy used in IPsec VPN Service Connections.
  • tenant-id: ID of the Tenant that owns the IKEPolicy.
  • auth_algorithm: Authentication algorithm used in the IKEPolicy.
  • encryption_algorithm: Encryption algorithm used in the IKEPolicy.
  • phase1_negotiation_mode: Phase 1 negotiation mode for IKE, either 'Main' or 'Aggressive'.
  • lifetime_units: Unit of measurement for the lifetime, either 'seconds' or 'kilobytes'.
  • lifetime_value: Lifetime value, in the unit selected.
  • pfs: Perfect Forward Secrecy setting used in the IKEPolicy.


Delete a given IKEPolicy object.

quantum vpn-ikepolicy-delete [-h] [--request-format {json,xml}] IKEPOLICY
  • IKEPOLICY: Unique identifier that identifies the IKEPolicy to be deleted.


Show list of IKEPolicy objects available to tenant.

quantum vpn-ikepolicy-list


Shows information about a given IKEPolicy object.

quantum vpn-ikepolicy-show [-h] [-f {shell,table}] [-c COLUMN]
                           [--variable VARIABLE] [--prefix PREFIX]
                           [--request-format {json,xml}] [-D]
                           [-F FIELD] IKEPOLICY
  • IKEPOLICY: Unique identifier that identifies the IKEPolicy to show.


Update information of a given IKEPolicy Object.

quantum vpn-ikepolicy-update [-h] [--request-format {json,xml}] IKEPOLICY


Create a new ipsecpolicy object

quantum vpn-ipsecpolicy-create [-h] [-f {shell,table}] [-c COLUMN]
                               [--variable VARIABLE] [--prefix PREFIX]
                               [--request-format {json,xml}]
                               [--tenant-id TENANT_ID] --name NAME
                               [--description DESCRIPTION]
                               --transform_protocol TRANSFORM_PROTOCOL
                               [--auth_algorithm AUTH_ALGORITHM]
                               [--encryption_algorithm ENCRYPTION_ALGORITHM]
                               [--encapsulation_mode ENCAPSULATION_MODE]
                               [--lifetime_units LIFETIME_UNITS]
                               [--lifetime_value LIFETIME_VALUE]
                               [--pfs PFS]

  • name: Friendly name of the IPsecPolicy used in IPsec VPN Service Connections.
  • description: Friendly description of the IPsecPolicy used in IPsec VPN Service Connections.
  • tenant-id: ID of the Tenant that owns the IPsecPolicy.
  • transform_protocol: IPsec transform protocol, either 'ESP' or 'AH'.
  • auth_algorithm: Authentication algorithm used in the IPsecPolicy.
  • encryption_algorithm: Encryption algorithm used in the IPsecPolicy.
  • encapsulation_mode: Encapsulation mode for the IPsec tunnel, either 'tunnel' or 'transport'.
  • lifetime_units: Unit of measurement for the lifetime, either 'seconds' or 'kilobytes'.
  • lifetime_value: Lifetime value, in the unit selected.
  • pfs: Perfect Forward Secrecy setting used in the IPsecPolicy.


Delete a given IPsecPolicy object.

quantum vpn-ipsecpolicy-delete [-h] [--request-format {json,xml}] IPSECPOLICY
  • IPSECPOLICY: Unique identifier that identifies the IPsecPolicy to be deleted.


Show list of IPsecPolicy objects available to tenant.

quantum vpn-ipsecpolicy-list


Shows information about a given IPsecPolicy object.

quantum vpn-ipsecpolicy-show [-h] [-f {shell,table}] [-c COLUMN]
                             [--variable VARIABLE] [--prefix PREFIX]
                             [--request-format {json,xml}] [-D]
                             [-F FIELD] IPSECPOLICY
  • IPSECPOLICY: Unique identifier that identifies the IPsecPolicy to show.


Update information of a given IPsecPolicy Object.

quantum vpn-ipsecpolicy-update [-h] [--request-format {json,xml}] IPSECPOLICY


Create a new vpnserviceconnection object

quantum vpn-vpnserviceconnection-create [-h] [-f {shell,table}] [-c COLUMN]
                                        [--variable VARIABLE] [--prefix PREFIX]
                                        [--request-format {json,xml}]
                                        [--tenant-id TENANT_ID]
                                        [--admin-state-down] --name NAME
                                        [--description DESCRIPTION]
                                        --peer_address PEER_ADDRESS
                                        --peer_id PEER_ID
                                        --peer_cidrs PEER_CIDRS
                                        --local_cidrs LOCAL_CIDRS [--mtu MTU]
                                        [--dpd_action DPD_ACTION]
                                        [--dpd_interval DPD_INTERVAL]
                                        [--dpd_timeout DPD_TIMEOUT]
                                        [--route_mode ROUTE_MODE]
                                        [--auth_mode AUTH_MODE] [--psk PSK]
                                        [--initiator INITIATOR]
                                        vpnservice ikepolicy ipsecpolicy

  • peer_address: Remote peer IP address for the VPN Connection.
  • tenant-id: ID of the Tenant that owns the VPN Service Connection.
  • peer_id: Peer identifier string.
  • peer_cidrs: Remote peer subnet with mask, in CIDR format.
  • local_cidrs: Local subnet with mask, in CIDR format.
  • mtu: MTU of the tunnel, used for fragmentation.
  • dpd_action: Dead peer detection action.
  • dpd_interval: Dead peer detection interval.
  • dpd_timeout: Dead peer detection timeout.
  • route_mode: Routing mode, either 'static' or 'dynamic'; for the first release only 'static' is supported.
  • auth_mode: Authentication mode, either 'PSK' or 'CERTS'; for the first release only 'PSK' is supported.
  • psk: Pre-shared key used when auth_mode is 'PSK'.
  • initiator: Initiator mode, either 'bi-directional' or 'responder'.
  • vpnservice: Unique identifier of the VPN Service object.
  • ikepolicy: Unique identifier of the IKE Policy object.
  • ipsecpolicy: Unique identifier of the IPsec Policy object.


Delete a given vpnserviceconnection object.

quantum vpn-vpnserviceconnection-delete [-h] [--request-format {json,xml}]
                                        VPNSERVICECONNECTION

  • VPNSERVICECONNECTION: Unique identifier that identifies the VPN Service Connection to be deleted.


Show list of VPN Service Connection objects available to tenant.

quantum vpn-vpnserviceconnection-list


Shows information about a given VPN Service Connection object.

quantum vpn-vpnserviceconnection-show [-h] [-f {shell,table}] [-c COLUMN]
                                      [--variable VARIABLE] [--prefix PREFIX]
                                      [--request-format {json,xml}] [-D]
                                      [-F FIELD] VPNSERVICECONNECTION
  • VPNSERVICECONNECTION: Unique identifier that identifies the VPN Service Connection to show.


Update information of a given VPN Service Connection Object.

quantum vpn-vpnserviceconnection-update [-h] [--request-format {json,xml}] VPNSERVICECONNECTION
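The create commands above are issued in dependency order (IKE policy and IPsec policy first, then the VPN service, then the connection that binds the three by identifier), and several options accept only the values the draft enumerates. As an added example that is not part of this wiki page or of python-quantumclient, the following Python script models the four resources, rejects values outside the Havana scope (a vpn_type other than ipsec, a route_mode other than static, an auth_mode other than PSK, CIDRs with host bits set, references to objects that were never created) and assembles the matching quantum vpn-*-create argument vectors. Assumptions not taken from the page: resource ids are generated locally with uuid4 as stand-ins for the ids the real CLI prints back; the names, addresses and algorithm identifiers in build_demo_plan are constructed sample values; the --tenant-id and --admin-state-down options are not modelled.

```python
# Added example, not code from the OpenStack wiki page or from python-quantumclient.
# Assumptions (not on the page): ids are local uuid4 stand-ins for server-assigned ids;
# the demo's names, addresses and algorithm names are constructed sample values.
import ipaddress
import shlex
import uuid

# Enumerated values as listed in the draft's option descriptions.
ALLOWED = {
    "vpn_type": {"ipsec"},                              # first release: only ipsec
    "phase1_negotiation_mode": {"Main", "Aggressive"},
    "lifetime_units": {"seconds", "kilobytes"},
    "encapsulation_mode": {"tunnel", "transport"},
    "transform_protocol": {"ESP", "AH"},
    "route_mode": {"static"},                           # 'dynamic' is in the API, not in Havana
    "auth_mode": {"PSK"},                               # 'CERTS' deferred to a later release
    "initiator": {"bi-directional", "responder"},
}

def check_choice(name, value):
    """Reject a value the Havana draft does not accept for this option."""
    if value not in ALLOWED[name]:
        raise ValueError(f"{name}={value!r} not supported; allowed: {sorted(ALLOWED[name])}")
    return value

def check_cidr(value):
    """Require a real network (host bits clear): 10.1.0.0/24 passes, 10.1.0.5/24 raises ValueError."""
    return str(ipaddress.ip_network(value, strict=True))

def _argv(**options):
    """Flatten keyword options into the draft's --option VALUE form, skipping unset ones."""
    return [tok for key, value in options.items() if value is not None
            for tok in (f"--{key}", str(value))]

class VpnPlan:
    """Holds created resources and the argv of every create command, in dependency order."""

    def __init__(self):
        self.resources = {k: {} for k in ("vpnservice", "ikepolicy", "ipsecpolicy",
                                          "vpnserviceconnection")}
        self.commands = []  # argv lists, usable directly with subprocess.run

    def _add(self, kind, argv):
        rid = str(uuid.uuid4())  # assumption: local stand-in for the id the server would return
        self.resources[kind][rid] = argv
        self.commands.append(["quantum", f"vpn-{kind}-create", *argv])
        return rid

    def create_policy(self, kind, name, **opts):
        """Create an 'ikepolicy' or 'ipsecpolicy'; enumerated options are validated,
        algorithm names (not enumerated by the draft) are passed through."""
        for opt, value in opts.items():
            if opt in ALLOWED:
                check_choice(opt, value)
        return self._add(kind, _argv(name=name, **opts))

    def create_vpnservice(self, name, subnet_id, router_id=None, vpn_type="ipsec", **opts):
        check_choice("vpn_type", vpn_type)
        return self._add("vpnservice", _argv(name=name, vpn_type=vpn_type, subnet_id=subnet_id,
                                             router_id=router_id, **opts))

    def create_connection(self, name, vpnservice, ikepolicy, ipsecpolicy, peer_address, peer_id,
                          peer_cidrs, local_cidrs, psk, route_mode="static", auth_mode="PSK",
                          initiator="bi-directional", **opts):
        # The three positional arguments must name objects created earlier in this plan.
        for kind, rid in (("vpnservice", vpnservice), ("ikepolicy", ikepolicy),
                          ("ipsecpolicy", ipsecpolicy)):
            if rid not in self.resources[kind]:
                raise LookupError(f"{kind} {rid!r} does not exist")
        for opt, value in (("route_mode", route_mode), ("auth_mode", auth_mode),
                           ("initiator", initiator)):
            check_choice(opt, value)
        ipaddress.ip_address(peer_address)  # ValueError on a malformed peer address
        if not psk:
            raise ValueError("auth_mode PSK requires a non-empty pre-shared key")
        argv = _argv(name=name, peer_address=peer_address, peer_id=peer_id,
                     peer_cidrs=check_cidr(peer_cidrs), local_cidrs=check_cidr(local_cidrs),
                     route_mode=route_mode, auth_mode=auth_mode, initiator=initiator,
                     psk=psk, **opts)
        return self._add("vpnserviceconnection", argv + [vpnservice, ikepolicy, ipsecpolicy])

    def render(self, mask_secrets=True):
        """Printable command lines; the PSK is masked so a plan can be logged or reviewed."""
        lines = []
        for argv in self.commands:
            shown = list(argv)
            if mask_secrets and "--psk" in shown:
                shown[shown.index("--psk") + 1] = "<redacted>"
            lines.append(shlex.join(shown))
        return lines

def build_demo_plan():
    """Constructed sample: one static-routed PSK tunnel from subnet-a to a remote site."""
    plan = VpnPlan()
    ike = plan.create_policy("ikepolicy", "ike-main", phase1_negotiation_mode="Main",
                             auth_algorithm="sha1", encryption_algorithm="aes-128",
                             lifetime_units="seconds", lifetime_value=3600, pfs="group5")
    ipsec = plan.create_policy("ipsecpolicy", "esp-tunnel", transform_protocol="ESP",
                               encapsulation_mode="tunnel", auth_algorithm="sha1",
                               encryption_algorithm="aes-128", pfs="group5")
    svc = plan.create_vpnservice("site-a-vpn", subnet_id="subnet-a", router_id="router-a")
    plan.create_connection("site-a-to-b", svc, ike, ipsec, peer_address="203.0.113.10",
                           peer_id="203.0.113.10", peer_cidrs="192.0.2.0/24",
                           local_cidrs="10.1.0.0/24", psk="example-psk-change-me", mtu=1400)
    return plan
```

Running `print("\n".join(build_demo_plan().render()))` prints the four command lines with the PSK replaced by `<redacted>`, which is the form to paste into a change ticket; the unmasked argv lists in `plan.commands` are what would be handed to subprocess.run. Note that, as the draft specifies it, the PSK still travels on the real CLI's command line, where it is visible in shell history and in the process table while the command runs.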


VPN as a Service (VPNaaS) APIs, DataModel and Use Cases

Havana Plan