incubator-cloudstack-dev mailing list archives

From Chip Childers <chip.child...@sungard.com>
Subject Re: F5 SRX in inline mode and Remote access vpn on SRX
Date Fri, 11 Jan 2013 19:20:41 GMT
On Fri, Jan 11, 2013 at 2:13 PM, Sheng Yang <sheng@yasker.org> wrote:
> Bump the inline mode discussion thread.
>
> This also involved remote access VPN on SRX. But because SRX doesn't support
> multiple tenants for VPN, I am afraid we would drop the feature.

How about just pushing it out?  I think that's what we did with the
associated Jira ticket.  The reason I say that, is that the virtual
SRX is probably the solution to the problem.

> According to our research, Cisco ASA1000v looks like a good alternative for
> remote access VPN.

Agreed that it should be implemented for the ASA1kv.

I *think* I saw discussion about how these types of virtual appliances
would operate.  Ideally, they would be spun up and down by cloudstack
itself, along with CS being able to manage their policy / config.

If that's the case, then the virtual SRX becomes a future option for
SRX-based remote access VPNs.

>
> --Sheng
>
> On Tue, Oct 16, 2012 at 11:20 AM, Sheng Yang <sheng@yasker.org> wrote:
>
>> On Fri, Oct 12, 2012 at 11:39 AM, Chiradeep Vittal
>> <Chiradeep.Vittal@citrix.com> wrote:
>> > One request:
>> > Some answers seem guarded: "seems", "maybe", "probably". Of course we may
>> > not have all answers, but how do we track these uncertainties as they get
>> > resolved?
>>
>> We've identified that SRX has some serious limitations on remote access
>> VPN support. I'd like to call for a hold on this feature's testing
>> plan now.
>>
>> We need more work on this part.
>>
>> --Sheng
>>
>> >
>> > On 10/12/12 10:56 AM, "Sheng Yang" <sheng@yasker.org> wrote:
>> >
>> >>Hi Sanjeev,
>> >>
>> >>On Fri, Oct 12, 2012 at 4:52 AM, Sanjeev Neelarapu
>> >><sanjeev.neelarapu@citrix.com> wrote:
>> >>> Sheng,
>> >>>
>> >>> Following are the review comments on network-inline mode functional
>> >>>spec:
>> >>> 1.Feature Specifications:
>> >>> Only support "per zone" (shared) Source NAT for SRX: Does this mean
>> >>>traffic initiated from all the accounts' guest VMs will use only one IP
>> >>>as source IP?
>> >>
>> >>Yes.
>> >>
>> >>> 2.Is it supported in upgraded environment?
>> >>
>> >>No.
>> >>
>> >>> 3.After upgrade from 2.2.x to 3.0.x can we change parallel mode
>> >>>deployment to inline mode (since we don't support upgrade from 2.2.x
>> >>>inline mode)?
>> >>
>> >>No. Since the information is bound to the F5, not the network offering,
>> >>we cannot do that without adding a new F5 device.
>> >>
>> >>We can improve the feature in a future release to make it an
>> >>option of the network offering, so that we can change it per network.
>> >>
>> >>> 4.Can we create Static NAT and Load Balancing rule on the same public
>> >>>IP(since conserve mode is on)?
>> >>
>> >>No. We cannot support conserve mode. This is because a static NAT rule
>> >>created on SRX prevents other rules from being applied on the same IP.
>> >>
>> >>> 5.Is it supported in VPC(Instead of vpcVR can we use SRX for all the
>> >>>services in VPC Offering)?
>> >>
>> >>No.
>> >>
>> >>> 6.Are there any DB schema changes related to this feature?
>> >>
>> >>No.
>> >>>
>> >>> Following are review comments for "Remote access vpn on SRX":
>> >>>
>> >>> 1.      Is it supported on Source NAT IP?
>> >>
>> >>We may have one change here - we may possibly only support the source NAT
>> >>IP (in fact the external public IP of SRX), because it seems SRX doesn't
>> >>support using another IP to communicate with the VPN gateway. I am still
>> >>working on this to try to find a solution.
>> >>>
>> >>> 2.      Is enabling Remote access vpn on SRX and adding VPN user
>> >>>supported only by Admin ?
>> >>
>> >>Well, we have good reason to do so, since VPN is a kind of precious
>> >>resource on SRX (which the user needs to pay for), but since the network is
>> >>owned by the account, it seems we still need to let the user have the
>> >>permission to do that.
>> >>>
>> >>> 3.      Any manual configuration is required on SRX to enable this
>> >>>functionality?
>> >>
>> >>There is probably some manual configuration needed, e.g. setting the default
>> >>policy for IKE and IPsec. I am trying to keep it at a minimal level.
>> >>
>> >>--Sheng
>> >>>
>> >>> Thanks,
>> >>> Sanjeev
>> >>>
>> >>> From: Sheng Yang
>> >>> Sent: Thursday, October 11, 2012 11:14 PM
>> >>> To: Sanjeev Neelarapu
>> >>> Cc: Haroon Abdelrahman; Sudha Ponnaganti; Srinivas Vejalla
>> >>> Subject: RE: F5 SRX in inline mode and Remote access vpn on SRX
>> >>>
>> >>> They are already on cwiki.
>> >>>
>> >>>
>> >>>
>> >>> https://cwiki.apache.org/CLOUDSTACK/network-inline-mode-functional-spec.html
>> >>>
>> >>>
>> >>> https://cwiki.apache.org/CLOUDSTACK/remote-access-vpn-support-on-srx.html
>> >>>
>> >>> --Sheng
>> >>>
>> >>>
>> >>> From: Sanjeev Neelarapu
>> >>> Sent: Thursday, October 11, 2012 12:14 AM
>> >>> To: Sheng Yang
>> >>> Cc: Haroon Abdelrahman; Sudha Ponnaganti; Srinivas Vejalla
>> >>> Subject: F5 SRX in inline mode and Remote access vpn on SRX
>> >>>
>> >>> Sheng,
>> >>>
>> >>> Can you place "F5 SRX in inline mode" and "Remote access vpn on SRX"
>> >>>FSs on cwiki, so that I can use them to share my review comments on
>> >>>ML.
>> >>> At present "Remote access vpn on SRX" FS is missing from the CloudStack
>> >>>wiki as well.
>> >>>
>> >>> Thanks,
>> >>> Sanjeev
>> >
>>
