
Neutron/VPNaaS/SSLVPN

Revision as of 23:16, 30 January 2014 by Nachi Ueno (talk | contribs) (Command Specification (TBD))

Overview

This page describes the SSL-VPN extension feature in OpenStack Networking (Neutron) for the Icehouse release.


Data Model

SSLVPNConnection Resource

Attribute                | Type     | Required | CRUD | Default Value | Validation Constraint   | Notes
id                       | uuid-str | N/A      | R    | generated     | N/A                     | UUID for the SSLVPNConnection object
tenant_id                | uuid-str | Yes      | CR   | None          | valid tenant_id         | UUID of the tenant that owns the connection
name                     | string   | No       | CRU  | None          | N/A                     | name of the SSLVPNConnection
status                   | string   | N/A      | R    | N/A           | N/A                     | Indicates whether the SSL VPN connection is currently operational. Possible values: ACTIVE, DOWN, BUILD, ERROR
admin_state_up           | bool     | N/A      | CRU  | TRUE          | true/false              | Administrative state of the connection. If false (down), the connection does not forward packets
client_address_pool_cidr | cidr     | Yes      | CR   | N/A           | valid cidr              | Client address pool subnet from which SSL VPN clients are assigned addresses
credential_id            | uuid-str | Yes      | CR   | N/A           | valid vpn credential id | UUID of the VPNCredential
vpnservice_id            | uuid-str | Yes      | CR   | N/A           | valid vpn service id    | UUID of the VPNService

VPNCredential Resource

Attribute          | Type     | Required | CRUD | Default Value | Validation Constraint | Notes
id                 | uuid-str | N/A      | R    | generated     | N/A                   | UUID for the VPNCredential
tenant_id          | uuid-str | Yes      | CR   | None          | valid tenant_id       | UUID of the tenant that owns the credential
name               | string   | Yes      | CRU  | None          | N/A                   | friendly name for the VPNCredential
ca                 | string   | Yes      | CR   | N/A           | N/A                   | PEM encoded CA certificate
server_certificate | string   | Yes      | CR   | N/A           | N/A                   | PEM encoded server certificate
server_key         | string   | Yes      | CR   | N/A           | N/A                   | PEM encoded server private key
dh                 | string   | Yes      | CR   | N/A           | N/A                   | PEM encoded DH parameters
crl                | string   | No       | CRU  | None          | N/A                   | PEM encoded certificate revocation list (CRL)

Commands

This section describes the commands that will be introduced into python-neutronclient in order to support SSLVPN services.


  vpn-credential-create          Create a VPNCredential.
  vpn-credential-delete          Delete a given VPNCredential.
  vpn-credential-list            List VPNCredentials that belong to a given tenant.
  vpn-credential-show            Show information of a given VPNCredential.
  vpn-credential-update          Update a given VPNCredential.

  ssl-vpn-connection-create      Create an SSLVPNConnection.
  ssl-vpn-connection-delete      Delete a given SSLVPNConnection.
  ssl-vpn-connection-list        List SSLVPNConnections that belong to a given tenant.
  ssl-vpn-connection-show        Show information of a given SSLVPNConnection.
  ssl-vpn-connection-update      Update a given SSLVPNConnection.

Command Specification (TBD)

vpn-credential-create

Create a new VPN credential.


usage: neutron vpn-credential-create [-h] [-f {shell,table}] [-c COLUMN]
                                     [--variable VARIABLE] [--prefix PREFIX]
                                     [--request-format {json,xml}]
                                     [--tenant-id TENANT_ID]
                                     [--admin-state-down] [--name NAME] --ca
                                     CA --server_certificate
                                     SERVER_CERTIFICATE --server_key
                                     SERVER_KEY --dh DH --crl CRL

Sample

neutron vpn-credential-create --name test --ca ca.crt --server_certificate east-server.crt --server_key east-server.key --dh dh1024.pem

vpn-credential-list

List the VPN credentials that belong to a given tenant.


usage: neutron vpn-credential-list

vpn-credential-update

Update a given VPN credential.


usage: neutron vpn-credential-update [-h] [--request-format {json,xml}]
                                     VPN_CREDENTIAL

vpn-credential-delete

Delete a given VPN credential.

usage: neutron vpn-credential-delete [-h] [--request-format {json,xml}]
                                     VPN_CREDENTIAL

ssl-vpn-connection-create

Create a new SSL VPN connection, associating a VPNService with a VPNCredential.

usage: neutron ssl-vpn-connection-create [-h] [-f {shell,table}] [-c COLUMN]
                                         [--variable VARIABLE]
                                         [--prefix PREFIX]
                                         [--request-format {json,xml}]
                                         [--tenant-id TENANT_ID]
                                         [--admin-state-down] [--name NAME]
                                         [--client_address_pool_cidr CLIENT_ADDRESS_POOL_CIDR]
                                         VPNSERVICE VPNCREDENTIAL
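As an added example (not part of this page or of python-neutronclient), the Python below builds the attribute sets for vpn-credential-create and ssl-vpn-connection-create from the two tables above: each PEM attribute is checked for the armour label it should carry (so a private key file cannot be submitted as the CA), both ids must be UUIDs, and client_address_pool_cidr must be a network rather than a host address. The function names, the set of accepted PEM labels and the sample PEM blocks are assumptions of the example.

```python
import base64
import ipaddress
import re
import uuid

# One PEM block: capture the label and the base64 body between the BEGIN/END armour.
_PEM_RE = re.compile(r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
                     r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END (?P=label)-----")

# PEM labels accepted per VPNCredential attribute (assumed; the table only says "PEM encoded").
PEM_LABELS = {"ca": {"CERTIFICATE"}, "server_certificate": {"CERTIFICATE"},
              "server_key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
              "dh": {"DH PARAMETERS"}, "crl": {"X509 CRL"}}

def check_pem(attr, pem):
    # Reject anything that is not a PEM block carrying the label expected for this attribute.
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError(f"{attr}: not a PEM block")
    if m.group("label") not in PEM_LABELS[attr]:
        raise ValueError(f"{attr}: unexpected PEM label {m.group('label')!r}")
    base64.b64decode("".join(m.group("body").split()), validate=True)  # body must be base64
    return m.group(0)

def vpn_credential_attrs(name, ca, server_certificate, server_key, dh, crl=None):
    # Attributes for vpn-credential-create: the CLI reads each file and sends its PEM text.
    attrs = {"name": name}
    for attr, pem in (("ca", ca), ("server_certificate", server_certificate),
                      ("server_key", server_key), ("dh", dh)):
        attrs[attr] = check_pem(attr, pem)
    if crl is not None:  # crl is the only optional PEM attribute in the table
        attrs["crl"] = check_pem("crl", crl)
    return attrs

def ssl_vpn_connection_attrs(vpnservice_id, credential_id, client_address_pool_cidr):
    # Both ids must parse as UUIDs (uuid.UUID raises ValueError otherwise) and the pool
    # must be a network with host bits clear: strict=True turns 10.8.0.1/24 into ValueError.
    uuid.UUID(vpnservice_id)
    uuid.UUID(credential_id)
    net = ipaddress.ip_network(client_address_pool_cidr, strict=True)
    if net.num_addresses < 2:
        raise ValueError("client_address_pool_cidr: a single host is not an address pool")
    return {"vpnservice_id": vpnservice_id, "credential_id": credential_id,
            "client_address_pool_cidr": str(net)}

# Constructed sample PEM blocks: well-formed armour and base64, not real key material.
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nMIIBszCCARwCAQA=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_DH = "-----BEGIN DH PARAMETERS-----\nMIGHAoGBAP//////////\n-----END DH PARAMETERS-----\n"
```

The checks run before anything is sent, so a mix-up such as passing east-server.key as --ca fails at the client instead of producing a VPNCredential that the server side later reports as ERROR.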

REST API (TBD)

High-Level Task Flow

The high-level task flow for using the SSLVPN API to configure an SSL VPN is as follows:

  • The tenant creates a VPNService, without any connections.
  • The tenant creates one or more VPNCredentials.
  • The tenant creates one or more SSLVPNConnections, associating each with the VPNService id and a VPNCredential id.


VPNService APIs


GET     /v1.0/vpnservices/
GET     /v1.0/vpnservices/vpnservice-id
POST    /v1.0/vpnservices
UPDATE  /v1.0/vpnservices/vpnservice-id
DELETE  /v1.0/vpnservices/vpnservice-id


VPNService Create

JSON Request

POST /v1.0/vpnservices
Content-Type: application/json
Accept: application/json
X-Auth-Token: xyz
Content-Length: abc

{
  "vpnservice": {
    "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
    "name": "cloud_vpn",
    "subnet": "96a4386a-f8c3-42ed-afce-d7954eee77b3",
    "router": "8acda86a-f8c3-42ed-afce-d7954eee77b3"
  }
}

JSON Response

HTTP/1.1 202 Accepted
Content-Type: application/json
Content-Length: abc

{
  "vpnservice": {
    "id": "02b1fef7-16f5-4917-bf19-c40a9af805ed",
    "tenant-id": "310df60f-2a10-4ee5-9554-98393092194c",
    "name": "cloud_vpn",
    "subnet-id": "96a4386a-f8c3-42ed-afce-d7954eee77b3",
    "router-id": "8acda86a-f8c3-42ed-afce-d7954eee77b3",
    "admin_state_up": true,
    "status": "PENDING_CREATE"
  }
}

Blueprints

https://blueprints.launchpad.net/neutron/+spec/neutron-ssl-vpn