[openstack-dev] [neutron][vpnaas][barbican] What types of authentication to support?

Paul Michali pc at michali.net
Tue Jun 9 18:19:38 UTC 2015


There is a Request for Feature Enhancement [1] to support authentication
certifications for VPNaaS IPSec site to site connections, by using
Barbican, in a manner similar to what was done for LBaaS listeners.

Currently, VPNaaS only supports pre-shared keys for authentication, but the
reference StrongSwan implementation of VPN supports several types of
authentication. [2]

Looking at IPsec site-to-site connections, there are examples [3] for PSK
and X.509 certificates.

Should we just do X.509 certificates for now?
Are there other methods that we should support?
Can Barbican support such methods?

The plan is to support other VPN types in the future (e.g. DM VPN), so we
want to make sure this will be extendable.



Paul Michali (pc_m)

[1] https://bugs.launchpad.net/neutron/+bug/1459427
[2] https://wiki.strongswan.org/projects/strongswan/wiki/IpsecSecrets
[3] https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2Examples (see
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150609/c1ace4a8/attachment.html>

More information about the OpenStack-dev mailing list