incubator-cloudstack-dev mailing list archives

From Sheng Yang <sh...@yasker.org>
Subject Re: F5 SRX in inline mode and Remote access vpn on SRX
Date Fri, 11 Jan 2013 19:13:21 GMT
Bump the inline mode discussion thread.

This also involved remote access VPN on SRX. But because SRX doesn't support
multiple tenants for VPN, I am afraid we would drop the feature.

According to our research, Cisco ASA1000v looks like a good alternative for
remote access VPN.

--Sheng

On Tue, Oct 16, 2012 at 11:20 AM, Sheng Yang <sheng@yasker.org> wrote:

> On Fri, Oct 12, 2012 at 11:39 AM, Chiradeep Vittal
> <Chiradeep.Vittal@citrix.com> wrote:
> > One request:
> > Some answers seem guarded: "seems", "maybe", "probably". Of course we may
> > not have all answers, but how do we track these uncertainties as they get
> > resolved?
>
> We've identified that SRX has some serious limitations on remote access
> VPN support. I'd like to call for a hold on this feature's testing
> plan now.
>
> We need more work on this part.
>
> --Sheng
>
> >
> > On 10/12/12 10:56 AM, "Sheng Yang" <sheng@yasker.org> wrote:
> >
> >>Hi Sanjeev,
> >>
> >>On Fri, Oct 12, 2012 at 4:52 AM, Sanjeev Neelarapu
> >><sanjeev.neelarapu@citrix.com> wrote:
> >>> Sheng,
> >>>
> >>> Following are the review comments on network-inline mode functional
> >>>spec:
> >>> 1.Feature Specifications:
> >>> Only support "per zone"(shared) Source NAT for SRX: Does this mean
> >>>traffic initiated from all the accounts guest vms will use only one ip
> >>>as source IP ?
> >>
> >>Yes.
> >>
> >>> 2.Is it supported in upgraded environment?
> >>
> >>No.
> >>
> >>> 3.After upgrade from 2.2.x to 3.0.x can we change parallel mode
> >>>deployment to inline mode (since we don't support upgrade from 2.2.x
> >>>inline mode)?
> >>
> >>No. Since the information is bound to F5, not the network offering,
> >>we cannot do that without adding a new F5 device.
> >>
> >>We can improve the feature later in a future release to make it an
> >>option for network offering, thus we can change it for network.
> >>
> >>> 4.Can we create Static NAT and Load Balancing rule on the same public
> >>>IP(since conserve mode is on)?
> >>
> >>No. We cannot support conserve mode. It's because a static NAT rule
> >>created on SRX prevents other rules from being applied on the same IP.
> >>
> >>> 5.Is it supported in VPC(Instead of vpcVR can we use SRX for all the
> >>>services in VPC Offering)?
> >>
> >>No.
> >>
> >>> 6.Are there any DB schema changes related to this feature?
> >>
> >>No.
> >>>
> >>> Following are review comments for "Remote access vpn on SRX":
> >>>
> >>> 1.      Is it supported on Source NAT IP?
> >>
> >>We may have one change here - we may possibly only support source NAT
> >>IP (in fact the external public IP of SRX), because it seems SRX didn't
> >>support using other IPs to communicate with the VPN gateway. I am still
> >>working on this to try to find a solution.
> >>>
> >>> 2.      Is enabling Remote access vpn on SRX and adding VPN user
> >>>supported only by Admin ?
> >>
> >>Well, we have good reason to do so, since VPN is kind of a precious
> >>resource on SRX (which the user needs to pay for), but since the network
> >>is owned by the account, it seems we still need to let the user have the
> >>permission to do that.
> >>>
> >>> 3.      Any manual configuration is required on SRX to enable this
> >>>functionality?
> >>
> >>There is probably some manual configuration needed, e.g. set default
> >>policy for ike and ipsec. I am trying to keep it at a minimal level.
> >>
> >>--Sheng
> >>>
> >>> Thanks,
> >>> Sanjeev
> >>>
> >>> From: Sheng Yang
> >>> Sent: Thursday, October 11, 2012 11:14 PM
> >>> To: Sanjeev Neelarapu
> >>> Cc: Haroon Abdelrahman; Sudha Ponnaganti; Srinivas Vejalla
> >>> Subject: RE: F5 SRX in inline mode and Remote access vpn on SRX
> >>>
> >>> They are already on cwiki.
> >>>
> >>>
> >>>
> >>> https://cwiki.apache.org/CLOUDSTACK/network-inline-mode-functional-spec.html
> >>>
> >>> https://cwiki.apache.org/CLOUDSTACK/remote-access-vpn-support-on-srx.html
> >>>
> >>> --Sheng
> >>>
> >>>
> >>> From: Sanjeev Neelarapu
> >>> Sent: Thursday, October 11, 2012 12:14 AM
> >>> To: Sheng Yang
> >>> Cc: Haroon Abdelrahman; Sudha Ponnaganti; Srinivas Vejalla
> >>> Subject: F5 SRX in inline mode and Remote access vpn on SRX
> >>>
> >>> Sheng,
> >>>
> >>> Can you place "F5 SRX in inline mode" and "Remote access vpn on SRX"
> >>>FSs on cwiki, so that I can use them to share my review comments on ML.
> >>> At present "Remote access vpn on SRX" FS is missing from cloud stack
> >>>wiki as well.
> >>>
> >>> Thanks,
> >>> Sanjeev
> >
>
