Difference between revisions of "Neutron/VPNaaS/SSLVPN"
Latest revision as of 05:27, 29 April 2014

Overview

This page describes the SSL-VPN extension feature in OpenStack Networking for the Icehouse release. For how to use the SSL VPN extension features, see also HowToUse.

DataModel

SSLVPNConnection Resource

| Attribute | Type | Required | CRUD | DefaultValue | Validation Constraint | Notes |
|-----------|------|----------|------|--------------|-----------------------|-------|
| id | uuid-str | N/A | R | generated | N/A | UUID for VPNService Object |
| tenant_id | uuid-str | Yes | CR | None | valid tenant_id | UUID of the tenant for the vpn service |
| name | string | no | CRU | None | N/A | name of the VPN Service |
| status | string | N/A | R | N/A | N/A | Indicates whether ipsec vpnservice is currently operational. Possible values include: ACTIVE, DOWN, BUILD, ERROR |
| admin_state_up | bool | N/A | CRU | TRUE | true/false | Administrative state of vpnservice. If false (down), port does not forward packets |
| client_address_pool_cidr | cidr | yes | CR | N/A | Valid cidr | Client address pool subnet which will be used by sslvpn client |
| credential_id | uuid-str | yes | CR | valid vpn credential id | N/A | UUID for VPNCredential |
| vpnservice_id | uuid-str | yes | CR | valid vpn service id | N/A | UUID for VPNService |
| port_no | int | no | CRU | non-negative | N/A | port number which sslvpn listens on |

VPNCredential Resource

| Attribute | Type | Required | CRUD | DefaultValue | Validation Constraint | Notes |
|-----------|------|----------|------|--------------|-----------------------|-------|
| id | uuid-str | N/A | R | generated | N/A | UUID for the IKEPolicy |
| tenant_id | uuid-str | Yes | CR | None | valid tenant_id | UUID for owner of the vpn service |
| name | string | yes | CRU | None | N/A | friendly name for the ikepolicy |
| ca | string | yes | CR | N/A | N/A | PEM encoded CA certificate |
| server_certificate | string | yes | CR | N/A | N/A | PEM encoded Server Certificate |
| server_key | string | yes | CR | N/A | N/A | PEM encoded Server Key |
| dh | string | yes | CR | N/A | N/A | PEM encoded dh key |
| crl | string | no | CRU | None | N/A | PEM encoded crl key |
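The two attribute tables above define what a create or update request may carry (the Required, CRUD and Validation Constraint columns), and the server side of the extension is where that has to be enforced. The following is an added example, not Neutron project code: it encodes both tables as a small schema and checks a request body against it, rejecting client-supplied read-only fields (id, status), certificate material on update (CR-only attributes), host addresses passed as the pool CIDR, and negative ports. The names RESOURCE_SCHEMAS and validate_body(), the helper checks and the sample PEM blobs are this example's own assumptions.

```python
"""Attribute validation for the VPNCredential and SSLVPNConnection resources.

Added example (not Neutron project code) that encodes the two attribute
tables of this page; RESOURCE_SCHEMAS, validate_body() and the sample
values below are this example's own.
"""
import ipaddress
import re
import uuid

# Loose PEM envelope check: BEGIN/END markers with some payload in between.
PEM_RE = re.compile(r"-----BEGIN [A-Z0-9 ]+-----.+?-----END [A-Z0-9 ]+-----", re.S)


def is_uuid(v):
    try:
        uuid.UUID(str(v))
    except ValueError:
        return False
    return True


def is_pem(v):
    return isinstance(v, str) and PEM_RE.search(v) is not None


def is_cidr(v):
    # strict=True rejects host addresses such as 10.8.0.1/24 as a pool CIDR
    if not isinstance(v, str):
        return False
    try:
        ipaddress.ip_network(v, strict=True)
    except ValueError:
        return False
    return True


def is_port(v):
    # the table says non-negative; bool is a subclass of int, so exclude it
    return isinstance(v, int) and not isinstance(v, bool) and v >= 0


def is_bool_like(v):
    # the REST example on this page sends "True" as a string, so accept that too
    return isinstance(v, bool) or (isinstance(v, str) and v.lower() in ("true", "false"))


def is_str(v):
    return isinstance(v, str)


# attribute -> (required on create, CRUD letters, value check), from the tables
RESOURCE_SCHEMAS = {
    "vpn_credential": {
        "id": (False, "R", is_uuid), "tenant_id": (True, "CR", is_uuid),
        "name": (True, "CRU", is_str), "ca": (True, "CR", is_pem),
        "server_certificate": (True, "CR", is_pem), "server_key": (True, "CR", is_pem),
        "dh": (True, "CR", is_pem), "crl": (False, "CRU", is_pem),
    },
    "ssl_vpn_connection": {
        "id": (False, "R", is_uuid), "tenant_id": (True, "CR", is_uuid),
        "name": (False, "CRU", is_str), "status": (False, "R", is_str),
        "admin_state_up": (False, "CRU", is_bool_like),
        "client_address_pool_cidr": (True, "CR", is_cidr),
        "credential_id": (True, "CR", is_uuid), "vpnservice_id": (True, "CR", is_uuid),
        "port_no": (False, "CRU", is_port),
    },
}


def validate_body(resource, body, action):
    """Return a list of error strings for a create ("C") or update ("U")
    body shaped like {"vpn_credential": {...}}; an empty list means OK."""
    schema = RESOURCE_SCHEMAS[resource]
    verb = {"C": "create", "U": "update"}[action]
    attrs = body.get(resource) if isinstance(body, dict) else None
    if not isinstance(attrs, dict):
        return ["body must be {%r: {...}}" % resource]
    errors = []
    for key, value in attrs.items():
        if key not in schema:
            errors.append("unknown attribute %r" % key)
            continue
        _required, crud, check = schema[key]
        if action not in crud:  # read-only id/status, or CR-only certs on update
            errors.append("attribute %r cannot be set on %s" % (key, verb))
            continue
        if not check(value):
            errors.append("invalid value for %r" % key)
    if action == "C":
        for key, (required, _crud, _check) in schema.items():
            if required and key not in attrs:
                errors.append("missing required attribute %r" % key)
    return errors


# Constructed sample inputs (not real keys or certificates).
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"
SAMPLE_CREDENTIAL = {"vpn_credential": {
    "tenant_id": "1f5d4f6e-0000-4000-8000-000000000001", "name": "cred1",
    "ca": SAMPLE_PEM, "server_certificate": SAMPLE_PEM,
    "server_key": SAMPLE_PEM.replace("CERTIFICATE", "PRIVATE KEY"),
    "dh": SAMPLE_PEM.replace("CERTIFICATE", "DH PARAMETERS"),
}}
SAMPLE_CONNECTION = {"ssl_vpn_connection": {
    "tenant_id": "1f5d4f6e-0000-4000-8000-000000000001", "name": "conn1",
    "client_address_pool_cidr": "10.8.0.0/24", "admin_state_up": "True",
    "credential_id": "434a9843-ecc0-4653-8f3a-e604d9d7aadc",
    "vpnservice_id": "cc91b7af-8304-4aff-ad07-86bdbaae2e93",
}}
```

Calling validate_body("vpn_credential", SAMPLE_CREDENTIAL, "C") returns an empty list, while dropping server_key from the body or sending ca in an update produces a named error; the PEM check is deliberately only an envelope check, so a real extension would parse the certificate and key and confirm they belong together.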

Commands

This section describes the commands that will be introduced into python-neutronclient in order to support SSLVPN services.


  vpn-credential-create          Create a VPNCredential.
  vpn-credential-delete          Delete a given VPNCredential.
  vpn-credential-list            List VPNCredentials that belong to a given tenant.
  vpn-credential-show            Show information of a given VPNCredential.
  vpn-credential-update          Update a given VPNCredential.

  ssl-vpn-connection-create      Create an SSLVPNConnection.
  ssl-vpn-connection-delete      Delete a given SSLVPNConnection.
  ssl-vpn-connection-list        List SSLVPNConnections that belong to a given tenant.
  ssl-vpn-connection-show        Show information of a given SSLVPNConnection.
  ssl-vpn-connection-update      Update a given SSLVPNConnection.

Command Specification (TBD)

vpn-credential-create

Create a new vpn credential


usage: neutron vpn-credential-create [-h] [-f {shell,table}] [-c COLUMN]
                                     [--variable VARIABLE] [--prefix PREFIX]
                                     [--request-format {json,xml}]
                                     [--tenant-id TENANT_ID]
                                     [--admin-state-down] [--name NAME] --ca
                                     CA --server_certificate
                                     SERVER_CERTIFICATE --server_key
                                     SERVER_KEY --dh DH --crl CRL

Sample

neutron vpn-credential-create --name test --ca ca.crt --server_certificate east-server.crt --server_key east-server.key --dh dh1024.pem

vpn-credential-list

List vpn credentials


usage: neutron vpn-credential-list

vpn-credential-show

Show a vpn credential


usage: neutron vpn-credential-show [-h] [-f {shell,table}] [-c COLUMN]
                                   [--variable VARIABLE] [--prefix PREFIX]
                                   [--request-format {json,xml}] [-D]
                                   [-F FIELD]
                                   VPN_CREDENTIAL

vpn-credential-delete

Delete a vpn credential

usage: neutron vpn-credential-delete [-h] [--request-format {json,xml}]
                                     VPN_CREDENTIAL

ssl-vpn-connection-create

usage: neutron ssl-vpn-connection-create [-h] [-f {shell,table}] [-c COLUMN]
                                         [--variable VARIABLE]
                                         [--prefix PREFIX]
                                         [--request-format {json,xml}]
                                         [--tenant-id TENANT_ID]
                                         [--admin-state-down] [--name NAME]
                                         [--client_address_pool_cidr CLIENT_ADDRESS_POOL_CIDR]
                                         VPNSERVICE VPNCREDENTIAL

ssl-vpn-connection-list

List ssl vpn connections


usage: neutron ssl-vpn-connection-list

ssl-vpn-connection-show

Show an ssl vpn connection


usage: neutron ssl-vpn-connection-show [-h] [-f {shell,table}] [-c COLUMN]
                                       [--variable VARIABLE] [--prefix PREFIX]
                                       [--request-format {json,xml}] [-D]
                                       [-F FIELD]
                                       SSL_VPN_CONNECTION

ssl-vpn-connection-update

Update an ssl vpn connection


usage: neutron ssl-vpn-connection-update [-h] [--request-format {json,xml}]
                                         SSL_VPN_CONNECTION

ssl-vpn-connection-delete

Delete an ssl vpn connection


usage: neutron ssl-vpn-connection-delete [-h] [--request-format {json,xml}]
                                         SSL_VPN_CONNECTION

REST API

CREATE VPN Credential:

curl -X POST -H "X-Auth-Token: $auth_token" -H "Content-type:application/json" -d '{"vpn_credential": {"name": "cred1", "ca":"CA certificate in PEM format", "server_certificate":"server certificate in PEM format", "server_key":"server key in PEM format", "dh":"dh in PEM format", "crl":"crl in pem format"} }' $q_url/vpn/vpn-credentials

CREATE SSL VPN Connection:

curl -X POST -H "X-Auth-Token: $auth_token" -H "Content-type:application/json" -d '{"ssl_vpn_connection":{"name":"conn1", "client_address_pool_cidr":"10.8.0.0/24", "credential_id": "434a9843-ecc0-4653-8f3a-e604d9d7aadc", "admin_state_up": "True", "vpnservice_id":"cc91b7af-8304-4aff-ad07-86bdbaae2e93"}}' $q_url/vpn/ssl-vpn-connections

LIST VPN Credentials:

curl -X GET -H "X-Auth-Token: $auth_token" $q_url/vpn/vpn-credentials

LIST SSL VPN Connections:

curl -X GET -H "X-Auth-Token: $auth_token" $q_url/vpn/ssl-vpn-connections

DELETE VPN Credential:

curl -X DELETE -H "X-Auth-Token: $auth_token"  $q_url/vpn/vpn-credentials/336fb70e-8ce1-469a-9f6f-04f696d030cf

DELETE SSL VPN Connection:

curl -X DELETE -H "X-Auth-Token: $auth_token"  $q_url/vpn/ssl-vpn-connections/336523b8-edd9-4c22-9f62-a45f7cd39f59

High-Level Task Flow

The high-level task flow for using the SSLVPN API to configure an SSL VPN is as follows:

  • The tenant creates a VPNService, without any connections.
  • The tenant creates one or more VPNCredentials.
  • The tenant creates one or more SSLVPNConnections and associates each with a VPNService id and a VPNCredential id.
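The flow above, carried out against the REST endpoints of the previous section, as an added example (not code from Neutron or python-neutronclient): SSLVPNClient issues the same requests as the curl calls (X-Auth-Token header, JSON bodies, paths under $q_url/vpn/...) through a pluggable transport, and FakeNeutron is a constructed in-memory server that lets the flow run offline and checks that a connection refers to a credential it actually issued. The class names, run_task_flow(), and the HTTP status codes the fake returns are this example's own assumptions; the VPNService of step 1 is created with the existing vpn-service-create command, so only its id is passed in.

```python
"""Client walk-through of the SSLVPN task flow against the REST endpoints.

Added example, not Neutron or python-neutronclient code. SSLVPNClient,
FakeNeutron, run_task_flow() and the fake's status codes are assumptions
of this example; the paths, header and body shapes follow the curl calls
in the REST API section of this page.
"""
import json
import urllib.request
import uuid


class SSLVPNClient:
    def __init__(self, q_url, auth_token, transport=None):
        self.q_url = q_url.rstrip("/")
        self.auth_token = auth_token
        # transport(method, url, headers, body) -> (status, raw_bytes)
        self.transport = transport or self._urllib_transport

    @staticmethod
    def _urllib_transport(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()

    def _call(self, method, path, payload=None):
        headers = {"X-Auth-Token": self.auth_token}  # token in a header, never in the URL
        body = None
        if payload is not None:
            headers["Content-type"] = "application/json"
            body = json.dumps(payload).encode()
        status, raw = self.transport(method, self.q_url + path, headers, body)
        if status >= 400:
            raise RuntimeError("%s %s -> HTTP %d" % (method, path, status))
        return json.loads(raw) if raw else None

    def create_credential(self, name, ca, server_certificate, server_key, dh, crl=None):
        attrs = {"name": name, "ca": ca, "server_certificate": server_certificate,
                 "server_key": server_key, "dh": dh}
        if crl is not None:  # crl is optional (CRU) in the VPNCredential table
            attrs["crl"] = crl
        return self._call("POST", "/vpn/vpn-credentials", {"vpn_credential": attrs})["vpn_credential"]

    def create_connection(self, name, vpnservice_id, credential_id, pool_cidr, admin_state_up=True):
        attrs = {"name": name, "vpnservice_id": vpnservice_id, "credential_id": credential_id,
                 "client_address_pool_cidr": pool_cidr, "admin_state_up": admin_state_up}
        return self._call("POST", "/vpn/ssl-vpn-connections", {"ssl_vpn_connection": attrs})["ssl_vpn_connection"]

    def list_credentials(self):
        return self._call("GET", "/vpn/vpn-credentials")["vpn_credentials"]

    def list_connections(self):
        return self._call("GET", "/vpn/ssl-vpn-connections")["ssl_vpn_connections"]

    def delete_connection(self, conn_id):
        self._call("DELETE", "/vpn/ssl-vpn-connections/" + conn_id)

    def delete_credential(self, cred_id):
        self._call("DELETE", "/vpn/vpn-credentials/" + cred_id)


class FakeNeutron:
    """Constructed stand-in for the server: checks the token, stores both
    collections, assigns ids, and refuses a connection whose credential_id
    it has never issued."""
    COLLECTIONS = {"/vpn/vpn-credentials": "vpn_credential",
                   "/vpn/ssl-vpn-connections": "ssl_vpn_connection"}

    def __init__(self, q_url, auth_token):
        self.q_url, self.auth_token = q_url.rstrip("/"), auth_token
        self.store = {path: {} for path in self.COLLECTIONS}
        self.log = []  # (method, path) pairs, so the order of the flow can be checked

    def __call__(self, method, url, headers, body):
        if headers.get("X-Auth-Token") != self.auth_token:
            return 401, b""
        path = url[len(self.q_url):]
        self.log.append((method, path))
        if method == "POST" and path in self.COLLECTIONS:
            name = self.COLLECTIONS[path]
            attrs = dict(json.loads(body)[name])
            if name == "ssl_vpn_connection" and attrs.get("credential_id") not in self.store["/vpn/vpn-credentials"]:
                return 404, b""
            attrs["id"] = str(uuid.uuid4())
            self.store[path][attrs["id"]] = attrs
            return 201, json.dumps({name: attrs}).encode()
        if method == "GET" and path in self.COLLECTIONS:
            return 200, json.dumps({self.COLLECTIONS[path] + "s": list(self.store[path].values())}).encode()
        if method == "DELETE":
            coll, _, res_id = path.rpartition("/")
            if coll in self.store and self.store[coll].pop(res_id, None) is not None:
                return 204, b""
            return 404, b""
        return 405, b""


def run_task_flow(client, vpnservice_id, ca, server_certificate, server_key, dh, pool_cidr="10.8.0.0/24"):
    """Steps 2 and 3 of the flow: the credential first, then the connection
    that binds it to the VPNService created in step 1."""
    cred = client.create_credential("cred1", ca, server_certificate, server_key, dh)
    conn = client.create_connection("conn1", vpnservice_id, cred["id"], pool_cidr)
    return {"credential_id": cred["id"], "connection_id": conn["id"]}
```

Pointing SSLVPNClient at a real $q_url with no transport argument sends the same requests over urllib; the order in FakeNeutron.log (credential POST before connection POST) is the dependency the task flow describes, and tearing down runs in reverse, connection before credential.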


Blueprints

https://blueprints.launchpad.net/neutron/+spec/neutron-ssl-vpn