[openstack-dev] [Networking] OpenStack Networking VPN first step

Qin Li qili at vmware.com
Thu Apr 25 02:44:38 UTC 2013

Hi Nachi,

I would like to provide some of my comments below.
For [1]
As we know, there are two typical user scenarios for VPN, site to site and
client to site. For site to site, IPSec is suggested (for IPSec and SSLVPN
here). It is mature and may be widely deployed in existing datacenters. In
general, the IPSec tunnel would be more efficient than SSLVPN since it has no
switching between the L3 and L4 layers. For client to site, SSLVPN is
suggested. It is flexible. It has rich features for client to site mode
like rich client authentication solutions, no client installation,
supporting all kinds of terminals, supporting L7, L4, L3 access. I would
suggest to support site-to-site scenarios and IPSec VPN in the first


-----Original Message-----
From: Nachi Ueno [mailto:nachi at ntti3.com]
Sent: April 25, 2013 7:53
To: OpenStack Development Mailing List
Subject: [openstack-dev] [Networking] OpenStack Networking VPN first step

Hi folks

I would like to ask your opinions.
[1] Nova parity VPN (Cloudpipe) is OpenStack Networking VPN first step.
Amazon VPC compatible API(*) is also a great candidate to start.
And it is using IPSec.
IPSec is more widely used than SSL-VPN in industry.
So, how about starting with IPSec?

Currently, Cloudpipe is using SSL-VPN. However, Cloudpipe was intended to
let users access the VLAN, so I tend to think any VPN method is OK
if we can accomplish it.

So if you want to start with SSL-VPN, please let us know.
In that case, we will start with SSL-VPN.

(*) may not be fully the same API, but a similar model

[2] Generic VPN Service model
It looks like there is no strong opinion to have a "mode" attribute on
Generic VPN Service.
So we would like to remove this attribute.

I registered the BP for Generic VPN service here.

Is this OK for you guys?

