incubator-cloudstack-dev mailing list archives

From Sheng Yang <sh...@yasker.org>
Subject Re: F5 SRX in inline mode and Remote access vpn on SRX
Date Tue, 16 Oct 2012 18:20:29 GMT
On Fri, Oct 12, 2012 at 11:39 AM, Chiradeep Vittal
<Chiradeep.Vittal@citrix.com> wrote:
> One request:
> Some answers seem guarded: "seems", "maybe", "probably". Of course we may
> not have all answers, but how do we track these uncertainties as they get
> resolved?

We've identified that SRX has some serious limitations on remote access
VPN support. I'd like to call for a hold on this feature's testing
plan now.

We need more work on this part.

--Sheng

>
> On 10/12/12 10:56 AM, "Sheng Yang" <sheng@yasker.org> wrote:
>
>>Hi Sanjeev,
>>
>>On Fri, Oct 12, 2012 at 4:52 AM, Sanjeev Neelarapu
>><sanjeev.neelarapu@citrix.com> wrote:
>>> Sheng,
>>>
>>> Following are the review comments on network-inline mode functional
>>>spec:
>>> 1.Feature Specifications:
>>> Only support "per zone" (shared) Source NAT for SRX: Does this mean
>>>traffic initiated from all the accounts' guest VMs will use only one IP
>>>as source IP?
>>
>>Yes.
>>
>>> 2.Is it supported in an upgraded environment?
>>
>>No.
>>
>>> 3.After upgrade from 2.2.x to 3.0.x can we change parallel mode
>>>deployment to inline mode (since we don't support upgrade from 2.2.x
>>>inline mode)?
>>
>>No. Since the information is bound to the F5, not the network offering,
>>we cannot do that without adding a new F5 device.
>>
>>We can improve the feature later in a future release to make it an
>>option for the network offering, so that we can change it for a network.
>>
>>> 4.Can we create Static NAT and Load Balancing rules on the same public
>>>IP (since conserve mode is on)?
>>
>>No. We cannot support conserve mode. It's because a static NAT rule
>>created on the SRX prevents other rules from being applied to the same IP.
>>
>>> 5.Is it supported in VPC (instead of the vpcVR, can we use SRX for all
>>>the services in the VPC offering)?
>>
>>No.
>>
>>> 6.Are there any DB schema changes related to this feature?
>>
>>No.
>>>
>>> Following are review comments for "Remote access vpn on SRX":
>>>
>>> 1. Is it supported on Source NAT IP?
>>
>>We may have one change here - we may possibly only support the source NAT
>>IP (in fact the external public IP of the SRX), because it seems the SRX
>>doesn't support using another IP to communicate with the VPN gateway. I am
>>still working on this to try to find a solution.
>>>
>>> 2. Is enabling Remote access vpn on SRX and adding VPN user
>>>supported only by Admin?
>>
>>Well, we have good reason to do so, since VPN is a kind of precious
>>resource on the SRX (which the user needs to pay for), but since the
>>network is owned by the account, it seems we still need to let the user
>>have the permission to do that.
>>>
>>> 3. Is any manual configuration required on SRX to enable this
>>>functionality?
>>
>>There is probably some manual configuration needed, e.g. setting the
>>default policy for IKE and IPsec. I am trying to keep it at a minimal level.
>>
>>--Sheng
>>>
>>> Thanks,
>>> Sanjeev
>>>
>>> From: Sheng Yang
>>> Sent: Thursday, October 11, 2012 11:14 PM
>>> To: Sanjeev Neelarapu
>>> Cc: Haroon Abdelrahman; Sudha Ponnaganti; Srinivas Vejalla
>>> Subject: RE: F5 SRX in inline mode and Remote access vpn on SRX
>>>
>>> They are already on cwiki.
>>>
>>>
>>>https://cwiki.apache.org/CLOUDSTACK/network-inline-mode-functional-spec.html
>>>
>>>https://cwiki.apache.org/CLOUDSTACK/remote-access-vpn-support-on-srx.html
>>>
>>> --Sheng
>>>
>>>
>>> From: Sanjeev Neelarapu
>>> Sent: Thursday, October 11, 2012 12:14 AM
>>> To: Sheng Yang
>>> Cc: Haroon Abdelrahman; Sudha Ponnaganti; Srinivas Vejalla
>>> Subject: F5 SRX in inline mode and Remote access vpn on SRX
>>>
>>> Sheng,
>>>
>>> Can you place the "F5 SRX in inline mode" and "Remote access vpn on SRX"
>>>FSs on cwiki, so that I can use them to share my review comments on the ML.
>>> At present the "Remote access vpn on SRX" FS is missing from the CloudStack
>>>wiki as well.
>>>
>>> Thanks,
>>> Sanjeev
>
