Comment 0 for bug 1459423

Paul Michali (pcm) wrote :

Currently, VPNaaS IPsec site to site connections may be created with one or more peer (right side) subnets specified (as CIDRs). However, for the local (left) side, only a single subnet can be specified.

The reference OpenSwan/StrongSwan implementations will support multiple subnets on the local side, and this RFE is proposing to provide that support. This requires the following changes:

REST API
========
Modify the API to not specify the local subnet on the VPN service create API, and instead, require the local subnet(s) to be specified on the IPSec connection API, in a similar fashion to what is done for remote CIDRs.

Validation can make sure that there is at least one local CIDR, and all subnets in the connection are using the same IP version.

This involves a backward incompatible API change, so will go to v2.0, and provide support for 1.0 in the code base.

NEUTRON CLIENT
==============

The CLI client could change from:
neutron vpn-service-create ROUTER SUBNET
neutron ipsec-site-connection-create ...
                                            --vpnservice-id VPNSERVICE
                                            --ikepolicy-id IKEPOLICY
                                            --ipsecpolicy-id IPSECPOLICY
                                            --peer-address PEER_ADDRESS
                                            --peer-id PEER_ID
                                            --peer-cidr PEER_CIDRS
                                            --psk PSK

to:
neutron vpn-service-create ROUTER
neutron ipsec-site-connection-create ...
                                            --vpnservice-id VPNSERVICE
                                            --ikepolicy-id IKEPOLICY
                                            --ipsecpolicy-id IPSECPOLICY
                                            --peer-address PEER_ADDRESS
                                            --peer-id PEER_ID
                                            --peer-cidr PEER_CIDRS
                                            --local-cidr LOCAL_CIDRS
                                            --psk PSK

DATABASE
========
The local CIDRs could be added to the IPSec connection table. Migration needed for this change.

DRIVER
======
Besides passing the local CIDR information from service to device driver (along with existing info), the device driver needs to apply this information to the *Swan template in the same manner as is done for peer CIDR information.

DOCS
====
Update the API reference pages for VPN service create and IPSec connection create. Update existing Wiki how-to pages.
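An added example, not part of the RFE above and not neutron-vpnaas code, showing the two pieces the proposal asks for: the REST API validation (at least one local CIDR, every subnet in the connection on the same IP version) and the driver step that applies the local CIDRs to the *Swan template the way peer CIDRs already are. The function names are assumptions of this example. Beyond the rules the RFE states, it also rejects non-canonical CIDRs (host bits set) and a local subnet that overlaps a peer subnet, since either silently changes which traffic the tunnel covers; those two checks and the strongSwan comma-separated leftsubnet/rightsubnet form are assumptions, not something the RFE specifies.

```python
import ipaddress

# Added example: validation and template rendering for the multi-local-subnet
# IPsec connection proposed in this RFE. Not neutron-vpnaas code; the helper
# names and the rules beyond "at least one local CIDR, single IP version"
# (canonical CIDRs, no local/peer overlap) are assumptions of this example.


def parse_connection_cidrs(local_cidrs, peer_cidrs):
    """Validate the local and peer CIDR lists of one IPsec site connection.

    Rules from the RFE: at least one local CIDR, and every subnet in the
    connection uses the same IP version. Added here as defensive extras:
    each CIDR must be canonical (no host bits set, so '10.1.0.1/24' is
    rejected instead of being widened to 10.1.0.0/24), and no local subnet
    may overlap a peer subnet, which would make the policy ambiguous.

    Returns (local_nets, peer_nets) as lists of ipaddress network objects;
    raises ValueError with a reason otherwise.
    """
    if not local_cidrs:
        raise ValueError("at least one local CIDR is required")
    if not peer_cidrs:
        raise ValueError("at least one peer CIDR is required")

    sides = {}
    for side, cidrs in (("local", local_cidrs), ("peer", peer_cidrs)):
        nets = []
        for cidr in cidrs:
            try:
                nets.append(ipaddress.ip_network(cidr, strict=True))
            except ValueError as exc:
                raise ValueError("%s CIDR %r rejected: %s" % (side, cidr, exc))
        sides[side] = nets

    versions = {net.version for net in sides["local"] + sides["peer"]}
    if len(versions) != 1:
        raise ValueError("connection mixes IP versions %s" % sorted(versions))

    for lnet in sides["local"]:
        for pnet in sides["peer"]:
            if lnet.overlaps(pnet):
                raise ValueError("local %s overlaps peer %s" % (lnet, pnet))

    return sides["local"], sides["peer"]


def connection_ip_version(local_cidrs, peer_cidrs):
    """Return the single IP version (4 or 6) of a valid connection."""
    local_nets, _ = parse_connection_cidrs(local_cidrs, peer_cidrs)
    return local_nets[0].version


def cidrs_are_valid(local_cidrs, peer_cidrs):
    """Boolean form of the check, as an API layer would call it."""
    try:
        parse_connection_cidrs(local_cidrs, peer_cidrs)
    except ValueError:
        return False
    return True


def render_swan_subnets(local_cidrs, peer_cidrs):
    """Render the leftsubnet/rightsubnet lines of a *Swan conn section.

    Uses the comma-separated list form that strongSwan's ipsec.conf accepts
    for leftsubnet/rightsubnet (an assumption of this example; whether the
    OpenSwan template needs a different expansion is left to the driver).
    CIDRs are emitted in canonical form after validation.
    """
    local_nets, peer_nets = parse_connection_cidrs(local_cidrs, peer_cidrs)
    return (
        "leftsubnet=%s" % ",".join(str(n) for n in local_nets),
        "rightsubnet=%s" % ",".join(str(n) for n in peer_nets),
    )


if __name__ == "__main__":
    # Constructed sample input, not taken from the bug report.
    local = ["10.1.0.0/24", "10.2.0.0/24"]
    peer = ["192.168.1.0/24", "192.168.2.0/24"]
    for line in render_swan_subnets(local, peer):
        print(line)
```

The version check runs before the overlap check so that a mixed v4/v6 connection is reported as such rather than as a spurious overlap result, and the same validator feeds both the API layer and the template renderer so the device driver never sees a CIDR list the API would have refused.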