cloudstack-dev mailing list archives

From swill <...@git.apache.org>
Subject [GitHub] cloudstack issue #1741: Updated StrongSwan VPN Implementation
Date Thu, 03 Nov 2016 20:38:40 GMT
Github user swill commented on the issue:

    https://github.com/apache/cloudstack/pull/1741
  
    @murali-reddy I have tested with Isolated Guest Networks.  The problem that we experienced
with the SourceNAT IP not being primary on the public nic if more than one public IP exists
does not exist for Isolated Guest Networks.  I have tested my change to the `cs_ip.py` file
with Isolated Guest Networks and it does not change the functionality and still works in that
case.  That `cs_ip.py` change is looking good so far in our testing.
    
    We are currently going through the `l2tp.conf` and `ipsec.conf` files and removing everything
that is now deprecated for StrongSwan 5.x so the configuration is cleaner and does not include
old legacy options that are not required anymore.
    
    I am also going to see if I can upgrade the IKE policy to IKEv2 instead of IKEv1 for Remote
Access VPN since it provides better security.  I am also looking to see if I can change the
hashing algorithm from `sha1` to something like `sha256` for Remote Access VPN, also to improve
security.
    
    I will not be able to make these changes for S2S VPN initially because the configuration
fields are different enough between IKEv1 and IKEv2 in that case that I would have to go through
and modify a lot more code.  That will have to wait for phase two of this implementation.
    
    We are continuing to test and improve the implementation, but it is looking pretty good
so far.

