The Virtual Private Network as a Service (VPNaaS) Extension

The VPNaaS extension provides OpenStack tenants with the ability to extend private networks across the public telecommunication infrastructure. The capabilities provided by this initial implementation of the VPNaaS extension are:

  • Site-to-site Virtual Private Network connecting two private networks.

  • Multiple VPN connections per tenant.

  • Support for IKEv1 policy with 3des, aes-128, aes-256, or aes-192 encryption.

  • Support for IPSec policy with 3des, aes-128, aes-256, or aes-192 encryption, sha1 authentication, ESP, AH, or AH-ESP transform protocol, and tunnel or transport mode encapsulation.

  • Dead Peer Detection (DPD) with hold, clear, restart, disabled, or restart-by-peer actions.

This extension introduces new resources:

  • service, a high-level object that associates a VPN with a specific subnet and router.

  • ikepolicy, the Internet Key Exchange policy identifying the authentication and encryption algorithms used during phase one and phase two negotiation of a VPN connection.

  • ipsecpolicy, the IP security policy specifying the authentication and encryption algorithms and the encapsulation mode used for the established VPN connection.

  • ipsec-site-connection, which holds the details of the site-to-site IPsec connection, including the peer CIDRs, MTU, authentication mode, peer address, DPD settings, and status.
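
The following pre-flight check is an added example, not code from the OpenStack project. It validates request bodies for the resources above against the values this page lists as supported; the field names (encryption_algorithm, auth_algorithm, transform_protocol, encapsulation_mode, ike_version, dpd.action, peer_cidrs) are assumed from the Networking API request bodies, and the sample bodies are constructed.

```python
import ipaddress

# Permitted values are the ones listed on this page. Field names are assumed
# from the Networking API request bodies; the page itself does not show them.
ENCRYPTION = {"3des", "aes-128", "aes-192", "aes-256"}
SUPPORTED = {
    "ikepolicy": {"encryption_algorithm": ENCRYPTION, "ike_version": {"v1"}},
    "ipsecpolicy": {
        "encryption_algorithm": ENCRYPTION,
        "auth_algorithm": {"sha1"},
        "transform_protocol": {"esp", "ah", "ah-esp"},
        "encapsulation_mode": {"tunnel", "transport"},
    },
}
DPD_ACTIONS = {"hold", "clear", "restart", "disabled", "restart-by-peer"}


def check_policy(kind, body):
    """Return findings for an ikepolicy or ipsecpolicy request body."""
    if kind not in SUPPORTED:
        return [f"error: unknown resource type {kind!r}"]
    findings = []
    for field, allowed in SUPPORTED[kind].items():
        # Omitted fields are left to the server's defaults.
        if field in body and body[field] not in allowed:
            findings.append(f"error: {kind}.{field}={body[field]!r} is unsupported")
    if kind == "ipsecpolicy" and body.get("transform_protocol") == "ah":
        # AH authenticates packets but does not encrypt them.
        findings.append("warn: transform_protocol 'ah' gives no confidentiality")
    return findings


def check_connection(body):
    """Return findings for an ipsec-site-connection request body."""
    findings = []
    action = body.get("dpd", {}).get("action")
    if action is not None and action not in DPD_ACTIONS:
        findings.append(f"error: dpd.action={action!r} not in {sorted(DPD_ACTIONS)}")
    for cidr in body.get("peer_cidrs", []):
        try:
            # strict=True also rejects host bits (10.2.0.1/24), a common typo;
            # that is this example's choice, not a documented server rule.
            ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            findings.append(f"error: peer_cidrs entry {cidr!r}: {exc}")
    return findings

if __name__ == "__main__":  # constructed sample body
    print(check_policy("ipsecpolicy", {"transform_protocol": "ah", "auth_algorithm": "md5"}))
```
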

Note

This extension is experimental for the Havana release. The API may change without backward compatibility.
