Date: Wed, 10 Oct 2012 15:02:52 -0700
Subject: Re: PRD Review on Byron Requirement: Remote-access VPN on External devices
From: Sheng Yang
To: cloudstack-dev@incubator.apache.org

On Wed, Oct 10, 2012 at 11:11 AM, Sheng Yang wrote:
> On Wed, Oct 10, 2012 at 12:09 AM, Sanjeev Neelarapu
> wrote:
>> +cloudstack-dev@incubator.apache.org
>
> Hi Sanjeev,
>
>>
>> From: Chiradeep Vittal
>> Sent: Wednesday, October 10, 2012 12:35 PM
>> To: Sanjeev Neelarapu; Sheng Yang
>> Cc: #Cloud - Engineering
>> Subject: Re: PRD Review on Byron Requirement: Remote-access VPN on External devices
>>
>> This discussion should happen on the ML
>>
>> From: Sanjeev Neelarapu
>> Date: Wed, 10 Oct 2012 00:02:33 -0700
>> To: Sheng Yang
>> Cc: #Cloud - Engineering
>> Subject: PRD Review on Byron Requirement: Remote-access VPN on External devices
>>
>> Sheng,
>>
>> Following are the review comments on Byron Requirement: Remote-access VPN on External devices:
>>
>> 1. What JUNOS version should SRX have for this feature to work?
>
> 10.4 r1 or above. Added to wiki.
>>
>> 2. What protocol does SRX use for remote access vpn?
>
> IPsec. But in fact it's more like a Juniper proprietary combination, since
> we need to download the client from SRX, and it would configure the client
> as well.
>>
>> 3. In network-inline-mode FS (http://wiki.cloudstack.org/display/RelOps/Network+inline+mode+functional+spec) use case 4 talks about network offering and it says vpn is not supported with the combination given there.
>> Does it mean if F5 and SRX are operating in inline mode, remote access vpn can't be configured on srx?
>
> No, that is obsolete. Updated.
>>
>> 4. Is this feature hypervisor dependent? If yes please let me know the list of hypervisors supported.
>
> It's hypervisor independent.
>>
>> 5. How many users can connect to SRX at a given time?
>
> As stated in wiki, it depends on SRX. Without purchasing new
> licenses from Juniper, the number is limited to 2.
>>
>> 6. From a single user how many concurrent connections are allowed?
>
> It's still 2 without new licenses.
>>
>> 7. Do we have the limitation of only one instance of each external device existing in one zone? If yes how do we limit the remote access to account specific. (In case of VR, each account will have a VR and remote access to VR's public IP will give access to guest vms present in the account).
>
> The public ip is still owned by the account. And accessing the
> public ip still gains access to the guest network.
>
> Well, we don't have resource control of VPN users at this time.
> It's time to think about it.

Seems the license controlled the maximum number of concurrent connections to the firewall (rather than user numbers), and we have no way to control that. Would have to leave it to the end user.

--Sheng
>
> --Sheng
>>
>>
>> Thanks,
>> Sanjeev