[openstack-dev] [neutron] Question about VPNaas

Sridhar Ramaswamy srics.r at gmail.com
Thu Jan 29 00:23:37 UTC 2015


I agree, it is kind of odd to restrict vpn-service to one "private" tenant
network. Particularly when the current VPN model does allow multiple remote
peer CIDRs to connect to,

neutron ipsec-site-connection-create --name ipsec0 --vpnservice-id vpnsvc0 \
  --ikepolicy-id ike0 --ipsecpolicy-id esp0 --peer-address 192.168.110.21 \
  --peer-id 192.168.110.21 --peer-cidr 13.1.0.0/24,14.1.0.0/24 --psk secret

Perhaps there is some history; maybe Nachi might know?

- Sridhar

On Wed, Jan 28, 2015 at 6:26 AM, Paul Michali <pc at michali.net> wrote:

> I can try to comment on your questions... inline @PCM
>
>
> PCM (Paul Michali)
>
> IRC............ pc_m (irc.freenode.com)
> Twitter....... @pmichali
>
>
> On Tue, Jan 27, 2015 at 9:45 PM, shihanzhang <ayshihanzhang at 126.com>
> wrote:
>
>> Hi Stacker:
>>
>>     I am a novice and I want to use Neutron VPNaaS. From my preliminary
>> understanding of it, I have two questions:
>>         (1) Why can a 'vpnservices' have just one subnet?
>>         (2) Why can't the subnet of a 'vpnservices' be changed?
>>
>
> @PCM Currently, the VPN service is designed to set up a site-to-site
> connection between two private subnets. The service is associated 1:1 with
> (and applies the connection to) a Neutron router that has an interface on
> the private network and an interface on the public network. Changing the
> subnet for the service would effectively change the router. One would have
> to delete and recreate the service to use a different router.
>
> I don't know if the user can attach multiple "private" subnets to a
> router, and the VPN implementation assumes that there is only one private
> subnet.
>
>
>>     As far as I know, OpenSwan does not have these limitations.
>>     I've learned that there is a BP to do this:
>>
>> https://blueprints.launchpad.net/neutron/+spec/vpn-multiple-subnet
>>     but there has been no progress on this BP.
>>
>
>>     I want to know whether this will be done in the next cycle or later;
>> who can help me to explain?
>>
>
> @PCM I don't know what happened with that BP, but it is effectively
> abandoned (even though status says 'new'). There has not been any activity
> on it for over a year, and since we are at a new release, a BP spec would
> have been required for Kilo. Also, the bug that drove the issue has been
> placed into Invalid state by Mark McClain in March of last year.
>
> https://bugs.launchpad.net/neutron/+bug/1258375
>
>
> You could ask Mark for clarification, but I think it may be because the
> Neutron router doesn't support multiple subnets.
>
> Regards.
>
>
>> Thanks.
>>
>> -shihanzhang
>>
>>
>>
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
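The thread turns on two facts: a vpnservice is tied 1:1 to one router and one local subnet (Paul's explanation), while a single ipsec-site-connection may carry several remote peer CIDRs (Sridhar's command line). The following is an added illustration written for this page, not Neutron's own code: it models those objects with hypothetical `Router` and `VpnService` classes, parses the comma-separated `--peer-cidr` value from the command above, and applies the sanity checks an operator would want before creating the connection (local subnet really on the router, no peer CIDR overlapping the local subnet, no peer CIDRs overlapping each other, no host bits set in a CIDR). Sample subnets are constructed for the example.

```python
"""Added illustration (not Neutron's own code): model the VPNaaS objects the
thread discusses and validate a site connection before handing it to
`neutron ipsec-site-connection-create`.

Assumptions (hypothetical, for this example only): a vpnservice is bound 1:1
to a router and to a single local subnet, as Paul describes; the peer CIDR
list uses the comma-separated form from Sridhar's command line.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    name: str
    subnets: tuple  # subnets the router has interfaces on (hypothetical)


@dataclass(frozen=True)
class VpnService:
    name: str
    router: Router
    subnet: str  # the single local ("private") subnet the service covers


def parse_peer_cidrs(value: str) -> list:
    """Parse the comma-separated --peer-cidr value from the command line.

    strict=True rejects host addresses masquerading as networks
    (e.g. "13.1.0.5/24"), which would otherwise silently widen the tunnel
    selector to the whole /24.
    """
    cidrs = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        cidrs.append(ipaddress.ip_network(item, strict=True))
    return cidrs


def validate_site_connection(service: VpnService, peer_cidr_value: str) -> list:
    """Return a list of problems (empty means the connection looks sane).

    Checks:
      * the service's local subnet is really one of the router's subnets
        (the 1:1 service<->router binding from the thread);
      * no peer CIDR overlaps the local subnet, otherwise traffic meant for
        the local network could be steered into the tunnel;
      * peer CIDRs do not overlap each other (ambiguous policy selectors);
      * peer CIDRs are the same IP version as the local subnet.
    """
    problems = []
    local = ipaddress.ip_network(service.subnet, strict=True)
    if service.subnet not in service.router.subnets:
        problems.append(
            f"router {service.router.name} has no interface on {local}")
    try:
        peers = parse_peer_cidrs(peer_cidr_value)
    except ValueError as exc:
        return problems + [f"bad peer CIDR: {exc}"]
    if not peers:
        problems.append("no peer CIDR given")
    for peer in peers:
        if peer.version != local.version:
            problems.append(f"{peer} is not IPv{local.version}")
            continue
        if peer.overlaps(local):
            problems.append(f"peer CIDR {peer} overlaps local subnet {local}")
    for i, a in enumerate(peers):
        for b in peers[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                problems.append(f"peer CIDRs {a} and {b} overlap")
    return problems


if __name__ == "__main__":
    # Constructed sample data mirroring the command in the thread.
    r1 = Router("router1", subnets=("10.1.0.0/24",))
    svc = VpnService("vpnsvc0", r1, "10.1.0.0/24")
    print(validate_site_connection(svc, "13.1.0.0/24,14.1.0.0/24"))
    print(validate_site_connection(svc, "10.1.0.0/16,13.1.0.0/24"))
    print(validate_site_connection(svc, "13.1.0.5/24"))
```

The overlap checks are the part worth keeping even if the single-subnet limitation is eventually lifted: with several peer CIDRs on one connection, an overlapping or sloppily widened selector is exactly the kind of misconfiguration that pulls the wrong traffic into (or away from) the tunnel without any error from the API.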