Neutron/VPNaaS/SSLVPN (revision history)
Earlier revision by Nachi Ueno (talk | contribs) (section: Current Proposed API for SSLVPN Extension "Neutron/VPNaaS/SSLVPN/API"); latest revision by Zang MingJie (talk | contribs) (section: SSLVPNConnection Resource).
Latest revision as of 05:27, 29 April 2014
Overview
This page describes the SSL-VPN extension feature in OpenStack Networking for the IceHouse release. Please also check how to use the sslvpn extension features in HowToUse (Neutron/VPNaaS/SSLVPN/HowToUse).
DataModel
SSLVPNConnection Resource
Attribute | Type | Required | CRUD | DefaultValue | Validation Constraint | Notes |
---|---|---|---|---|---|---|
id | uuid-str | N/A | R | generated | N/A | UUID for VPNService Object |
tenant_id | uuid-str | Yes | CR | None | valid tenant_id | UUID of the tenant for the vpn service |
name | string | no | CRU | None | N/A | name of the VPN Service |
status | string | N/A | R | N/A | N/A | Indicates whether ipsec vpnservice is currently operational. Possible values include: ACTIVE, DOWN, BUILD, ERROR |
admin_state_up | bool | N/A | CRU | TRUE | true/false | Administrative state of vpnservice. If false (down), port does not forward packets |
client_address_pool_cidr | cidr | yes | CR | N/A | Valid cidr | Client address pool subnet which will be used by sslvpn client |
credential_id | uuid-str | yes | CR | valid vpn credential id | N/A | UUID for VPNCredential |
vpnservice_id | uuid-str | yes | CR | valid vpn service id | N/A | UUID for VPNService |
port_no | int | no | CRU | non-negative | N/A | port number which sslvpn listen on |
VPNCredential Resource
Attribute | Type | Required | CRUD | DefaultValue | Validation Constraint | Notes |
---|---|---|---|---|---|---|
id | uuid-str | N/A | R | generated | N/A | UUID for the IKEPolicy |
tenant_id | uuid-str | Yes | CR | None | valid tenant_id | UUID for owner of the vpn service |
name | string | yes | CRU | None | N/A | friendly name for the ikepolicy |
ca | string | yes | CR | N/A | N/A | PEM encoded CA certificate |
server_certificate | string | yes | CR | N/A | N/A | PEM encoded Server Certificate |
server_key | string | yes | CR | N/A | N/A | PEM encoded Server Key |
dh | string | yes | CR | N/A | N/A | PEM encoded dh key |
crl | string | no | CRU | None | N/A | PEM encoded crl key |
Commands
This section describes the commands that will be introduced into python-neutronclient in order to support SSLVPN services.
- vpn-credential-create: Create a VPNCredential.
- vpn-credential-delete: Delete a given VPNCredential.
- vpn-credential-list: List VPNCredentials that belong to a given tenant.
- vpn-credential-show: Show information of a given VPNCredential.
- vpn-credential-update: Update a given VPNCredential.
- ssl-vpn-connection-create: Create an SSLVPNConnection.
- ssl-vpn-connection-delete: Delete a given SSLVPNConnection.
- ssl-vpn-connection-list: List SSLVPNConnections that belong to a given tenant.
- ssl-vpn-connection-show: Show information of a given SSLVPNConnection.
- ssl-vpn-connection-update: Update a given SSLVPNConnection.
Command Specification (TBD)
vpn-credential-create
Create a new vpn credential
usage: neutron vpn-credential-create [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [--tenant-id TENANT_ID] [--admin-state-down] [--name NAME] --ca CA --server_certificate SERVER_CERTIFICATE --server_key SERVER_KEY --dh DH --crl CRL
Sample
neutron vpn-credential-create --name test --ca ca.crt --server_certificate east-server.crt --server_key east-server.key --dh dh1024.pem
vpn-credential-list
List vpn credentials
usage: neutron vpn-credential-list
vpn-credential-show
Show a vpn credential
usage: neutron vpn-credential-show [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [-D] [-F FIELD] VPN_CREDENTIAL
vpn-credential-delete
Delete a vpn credential
usage: neutron vpn-credential-delete [-h] [--request-format {json,xml}] VPN_CREDENTIAL
ssl-vpn-connection-create
usage: neutron ssl-vpn-connection-create [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [--tenant-id TENANT_ID] [--admin-state-down] [--name NAME] [--client_address_pool_cidr CLIENT_ADDRESS_POOL_CIDR] VPNSERVICE VPNCREDENTIAL
ssl-vpn-connection-list
List ssl vpn connections
usage: neutron ssl-vpn-connection-list
ssl-vpn-connection-show
Show an ssl vpn connection
usage: neutron ssl-vpn-connection-show [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [-D] [-F FIELD] SSL_VPN_CONNECTION
ssl-vpn-connection-update
Update an ssl vpn connection
usage: neutron ssl-vpn-connection-update [-h] [--request-format {json,xml}] SSL_VPN_CONNECTION
ssl-vpn-connection-delete
Delete an ssl vpn connection
usage: neutron ssl-vpn-connection-delete [-h] [--request-format {json,xml}] SSL_VPN_CONNECTION
REST API
CREATE VPN Credential:
curl -X POST -H "X-Auth-Token: $auth_token" -H "Content-type:application/json" -d '{"vpn_credential": {"name": "cred1", "ca":"CA certificate in PEM format", "server_certificate":"server certificate in PEM format", "server_key":"server key in PEM format", "dh":"dh in PEM format", "crl":"crl in pem format"} }' $q_url/vpn/vpn-credentials
CREATE SSL VPN Connection:
curl -X POST -H "X-Auth-Token: $auth_token" -H "Content-type:application/json" -d '{"ssl_vpn_connection":{"name":"conn1", "client_address_pool_cidr":"10.8.0.0/24", "credential_id": "434a9843-ecc0-4653-8f3a-e604d9d7aadc", "admin_state_up": "True", "vpnservice_id":"cc91b7af-8304-4aff-ad07-86bdbaae2e93"}}' $q_url/vpn/ssl-vpn-connections
LIST VPN Credentials:
curl -X GET -H "X-Auth-Token: $auth_token" $q_url/vpn/vpn-credentials
LIST SSL VPN Connections:
curl -X GET -H "X-Auth-Token: $auth_token" $q_url/vpn/ssl-vpn-connections
DELETE VPN Credential:
curl -X DELETE -H "X-Auth-Token: $auth_token" $q_url/vpn/vpn-credentials/336fb70e-8ce1-469a-9f6f-04f696d030cf
DELETE SSL VPN Connection:
curl -X DELETE -H "X-Auth-Token: $auth_token" $q_url/vpn/ssl-vpn-connections/336523b8-edd9-4c22-9f62-a45f7cd39f59
High-Level Task Flow
The high-level task flow for using SSLVPN API to configure SSL VPN is as follows:
- The tenant creates a VPNService, without any connections.
- The tenant creates one or more VPNCredential.
- The tenant creates one or more SSLVPNConnection and associates each with the VPNService id and the VPNCredential id.
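A client-side sketch of the REST API and task flow above, added here as an example that is not code from the wiki page or from python-neutronclient: it validates each request body against the constraints in the SSLVPNConnection and VPNCredential tables (PEM fields, valid cidr, uuid-str ids, non-negative port_no) before building the same calls as the curl commands, and runs the credential-then-connection steps of the task flow through a constructed fake transport (`fake_send`). The VPNService id is assumed to come from the existing VPNService API, which is not shown.

```python
# Added example (not from the wiki page or python-neutronclient): build and
# validate SSL-VPN REST bodies from the page's data model; fake_send is a stand-in.
import ipaddress
import json
import uuid

def _check_pem(name, value):
    # Data model: ca, server_certificate, server_key, dh and crl are PEM encoded.
    if not (isinstance(value, str) and value.startswith("-----BEGIN ")):
        raise ValueError("%s must be a PEM encoded string" % name)

def credential_body(name, ca, server_certificate, server_key, dh, crl=None):
    cred = {"name": name, "ca": ca, "server_certificate": server_certificate,
            "server_key": server_key, "dh": dh}
    if crl is not None:  # optional field (Required: no, CRUD: CRU)
        cred["crl"] = crl
    for k, v in cred.items():
        if k != "name":
            _check_pem(k, v)
    return {"vpn_credential": cred}

def connection_body(name, client_address_pool_cidr, credential_id,
                    vpnservice_id, port_no=None, admin_state_up=True):
    ipaddress.ip_network(client_address_pool_cidr, strict=True)  # valid cidr
    uuid.UUID(credential_id), uuid.UUID(vpnservice_id)           # uuid-str
    conn = {"name": name, "client_address_pool_cidr": client_address_pool_cidr,
            "credential_id": credential_id, "vpnservice_id": vpnservice_id,
            "admin_state_up": admin_state_up}
    if port_no is not None:  # optional; constraint: non-negative int
        if not isinstance(port_no, int) or port_no < 0:
            raise ValueError("port_no must be a non-negative int")
        conn["port_no"] = port_no
    return {"ssl_vpn_connection": conn}

def request(method, q_url, auth_token, path, body=None):
    # Same headers and paths as the curl calls in the REST API section.
    headers = {"X-Auth-Token": auth_token, "Content-type": "application/json"}
    return {"method": method, "url": q_url + path, "headers": headers,
            "data": None if body is None else json.dumps(body)}

def task_flow(send, q_url, token, vpnservice_id, cred_kwargs, cidr):
    # After the VPNService exists: one VPNCredential, then an SSLVPNConnection.
    cred = send(request("POST", q_url, token, "/vpn/vpn-credentials",
                        credential_body(**cred_kwargs)))
    conn = connection_body("conn1", cidr, cred["vpn_credential"]["id"], vpnservice_id)
    return send(request("POST", q_url, token, "/vpn/ssl-vpn-connections", conn))

def fake_send(req):
    # Constructed stand-in for the Neutron server: echoes the resource with an id.
    (kind, res), = json.loads(req["data"]).items()
    return {kind: dict(res, id=str(uuid.uuid4()))}
```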
Blueprints
https://blueprints.launchpad.net/neutron/+spec/neutron-ssl-vpn