[RFE] VPNaaS: handle local side's tunnel IP in ipsec-site-connection operations
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron |
Confirmed
|
Wishlist
|
Unassigned |
Bug Description
During fixing bug #1464387, we stores local side's tunnel IP in the database for later retrieval, in order to support the use case that VPN service is provided outside of the Neutron router.
However, for the default IPsec service provider, the local tunnel IPs(external_v*_ip) are only set when A VPN service is created, and never have a chance to get updated. This leads to the following problems:
- User cannot create IPsec site connection with IPv6 peer address if the
router is not connected to an external IPv6 subnet upon the creation
of the VPN service, even though it is connected before the creation
of the IPsec site connection
- If router gateway's IP changes after the VPN service is created,
later-created IPsec site connections would still use the one that was
stored in the db instead of the new correct one
- Router gateway's IP cannot be changed even when it is not used by any
active/enabled IPsec site connections (related to bug #1743791)
- Currently there is no checking to ensure the VPN service has an
external IP with the same IP version as the peer address upon the
creation of IPsec site connection
As today the VPN endpoint groups separate the "what gets connected" from the "how to connect" for a VPN service. The local side's tunnel IP should be considered a part of "how to connect" and thus it should be handled during ipsec-site-
description: | updated |
Changed in neutron: | |
assignee: | nobody → Hunt Xu (huntxu) |
description: | updated |
tags: | added: rfe-confirmed |
tags: | added: rfe |
Changed in neutron: | |
importance: | Undecided → Wishlist |
summary: |
- VPNaaS: handle local side's tunnel IP in ipsec-site-connection + [RFE] VPNaaS: handle local side's tunnel IP in ipsec-site-connection operations |
Changed in neutron: | |
status: | New → Confirmed |
Changed in neutron: | |
assignee: | Hunt Xu (huntxu) → nobody |
do you have a suggestion how to improve it? connection?
add local_address field to ipsec-site-