The software used to support site-to-site VPN is OpenSwan.
Authentication uses a pre-shared key (PSK).
The VPN protocol is IPsec.
SSL VPNs pass through firewalls more easily, but SSL is not an interoperable standard.
Supported Phase 1 (ISAKMP) and Phase 2 (ESP) encryption/hash algorithms:
AES128, AES192, AES256, 3DES
Diffie-Hellman: Group 2, Group 5.
Remote subnets must be specified; traffic destined for those subnets is sent through the VPN tunnel (policy-based VPN). Route-based VPN is not supported.
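As an added example (not code from the original page or from the CloudStack project), the helper below renders one OpenSwan policy-based tunnel from exactly the parameters fixed above: PSK authentication, the AES/3DES cipher set, SHA1/MD5 hashes, DH group 2 or 5, and an explicit list of remote subnets. The function name, the generated connection name and all IP values are constructed; the `ike=`/`phase2alg=`/`leftsubnets=` keywords and the group-to-MODP mapping are standard OpenSwan syntax. Anything outside the allowed set is rejected before it could reach a router.

```python
"""Render an OpenSwan site-to-site connection from the spec's fixed parameter set.
Hypothetical helper, not CloudStack's own provisioning code."""
import ipaddress

# Algorithm sets allowed by the spec; anything else is rejected up front.
ALLOWED_CIPHERS = {"aes128", "aes192", "aes256", "3des"}
ALLOWED_HASHES = {"sha1", "md5"}
# IKE DH group number -> OpenSwan MODP keyword (standard IANA mapping).
DH_GROUPS = {2: "modp1024", 5: "modp1536"}


def _subnet_list(subnets):
    """Normalise and validate CIDRs; strict=True rejects host bits (e.g. 10.0.1.5/24)."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    if not nets:
        raise ValueError("at least one subnet is required (policy-based VPN)")
    return " ".join(str(n) for n in nets)


def build_conn(name, local_ip, local_subnets, peer_ip, peer_subnets, psk,
               cipher="aes128", hash_alg="sha1", dh_group=5):
    """Return (ipsec.conf stanza, ipsec.secrets line) for one tunnel."""
    if cipher not in ALLOWED_CIPHERS:
        raise ValueError(f"cipher {cipher!r} not in {sorted(ALLOWED_CIPHERS)}")
    if hash_alg not in ALLOWED_HASHES:
        raise ValueError(f"hash {hash_alg!r} not in {sorted(ALLOWED_HASHES)}")
    if dh_group not in DH_GROUPS:
        raise ValueError(f"DH group {dh_group} not in {sorted(DH_GROUPS)}")
    if not psk:
        raise ValueError("empty PSK")
    ipaddress.ip_address(local_ip)   # raises on malformed input
    ipaddress.ip_address(peer_ip)
    conf = "\n".join([
        f"conn {name}",
        "    type=tunnel",
        "    keyexchange=ike",
        "    authby=secret",                                     # PSK authentication
        f"    left={local_ip}",
        f"    leftsubnets={{{_subnet_list(local_subnets)}}}",
        f"    right={peer_ip}",
        f"    rightsubnets={{{_subnet_list(peer_subnets)}}}",    # traffic to these is tunnelled
        f"    ike={cipher}-{hash_alg};{DH_GROUPS[dh_group]}",    # Phase 1 (ISAKMP)
        f"    phase2alg={cipher}-{hash_alg}",                    # Phase 2 (ESP)
        "    pfs=yes",
        "    auto=start",
    ])
    # The PSK belongs only in ipsec.secrets (mode 0600), never in ipsec.conf.
    secret = f'{local_ip} {peer_ip} : PSK "{psk}"'
    return conf, secret


if __name__ == "__main__":
    conf, secret = build_conn("vpn-peer-1", "203.0.113.10", ["10.1.0.0/16"],
                              "198.51.100.7", ["192.168.1.0/24", "192.168.2.0/24"],
                              "constructed-psk", cipher="aes256", dh_group=5)
    print(conf)
```

Keeping the secret out of the stanza is deliberate: ipsec.conf is commonly world-readable, and the validation step is what turns the spec's "only these algorithms" into something a request cannot bypass.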
VPN connection monitor:
Every router.check.interval (30 s by default), the management server checks the status of each VPN connection and sends an alert if it is down.
The management server only checks connections whose state is "Connected" or "Disconnected", and it only moves a connection between these two states. Connections in the "Pending" or "Error" state are not checked.
A VPC router is only checked if there are implemented networks inside the VPC.
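The monitor pass described above, as an added example that is not part of the original page or CloudStack's code. The data model (`VpnConnection`, `Vpc`, the `probe` callback standing in for the real query to the VPC router) is constructed for illustration; what it demonstrates is the state rules: only Connected/Disconnected connections are probed, they only ever move between those two states, Pending/Error are left alone, and a VPC with no implemented networks is skipped entirely.

```python
"""One pass of the VPN connection monitor (runs every router.check.interval).
Constructed data model, not CloudStack's own classes."""
from dataclasses import dataclass
from enum import Enum


class ConnState(Enum):
    PENDING = "Pending"
    CONNECTED = "Connected"
    DISCONNECTED = "Disconnected"
    ERROR = "Error"


# Only these states are probed, and a probed connection can only move between them.
CHECKED_STATES = {ConnState.CONNECTED, ConnState.DISCONNECTED}


@dataclass
class VpnConnection:
    id: str
    vpc_id: str
    state: ConnState


@dataclass
class Vpc:
    id: str
    implemented_networks: int   # guest networks actually implemented inside the VPC


def run_check(connections, vpcs, probe):
    """One monitor pass.

    probe(conn) -> True if the tunnel is up (in production this asks the VPC router).
    Returns the ids of connections found down; each of those gets an alert.
    """
    alerts = []
    for conn in connections:
        vpc = vpcs.get(conn.vpc_id)
        # The router is only checked when the VPC has implemented networks.
        if vpc is None or vpc.implemented_networks == 0:
            continue
        # Pending/Error belong to the provisioning path; the monitor never touches them.
        if conn.state not in CHECKED_STATES:
            continue
        conn.state = ConnState.CONNECTED if probe(conn) else ConnState.DISCONNECTED
        if conn.state is ConnState.DISCONNECTED:
            alerts.append(conn.id)
    return alerts


def demo():
    """Constructed sample: four connections, one VPC without implemented networks."""
    vpcs = {"vpc-a": Vpc("vpc-a", 2), "vpc-b": Vpc("vpc-b", 0)}
    conns = [
        VpnConnection("c1", "vpc-a", ConnState.CONNECTED),     # tunnel has gone down
        VpnConnection("c2", "vpc-a", ConnState.DISCONNECTED),  # tunnel came back
        VpnConnection("c3", "vpc-a", ConnState.PENDING),       # never probed
        VpnConnection("c4", "vpc-b", ConnState.CONNECTED),     # VPC has no networks: skipped
    ]
    tunnel_up = {"c1": False, "c2": True, "c3": True, "c4": False}
    alerts = run_check(conns, vpcs, lambda c: tunnel_up[c.id])
    return alerts, {c.id: c.state for c in conns}


if __name__ == "__main__":
    print(demo())
```

Note that c4 stays "Connected" even though its tunnel is down: with no implemented networks in the VPC there is nothing to check, so an alert would be noise.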
Is there any provision in UI/API for enabling/disabling vpn for the accounts?
[Sheng] No, because it should only be enabled for Admin.
UPDATE: There is still no provision in UI/API for enabling/disabling the VPN feature for accounts, but we would support it for normal users.
What are the VPN protocols supported by VR and supported algorithms as well?
[Sheng] Would update that in the FS. Protocol is IPsec. Use pre-shared key for authentication. Support encryption including aes, des, 3des; hash including md5 and sha1.
Do we support both site-to-site vpn and remote access vpn on the VR at the same time?
[Sheng] No.
How do we specify the datacenter device (the other end of the site-to-site VPN) details in CS?
[Sheng] Would update that in the FS.
Is site-to-site VPN supported only on the SourceNat IP, or on any acquired IP as well?
[Sheng] It's supported on all acquired (public) IPs.
Could you explain the requirement:
Add Route: As part of the configuration, users should be able to specify a list of routes. Traffic to these routes should be directed to the VPN tunnel interface.
[Sheng] Don't need to do it anymore IIUC. VPN software would deal with that route. I would update the FS.
Could you give the details on usage tables to look for usage records for the VPN?
[Sheng] Haven't got it done. Would update the spec later.
Could you specify the log file details to look for VPN logs?
[Sheng] Currently they're at /var/log/auth.log and /var/log/daemon.log in the VR.
We have a Juniper SRX with JUNOS 10.4. Can we use it as one endpoint of the VPN?
[Sheng] Should be fine. I have only tested with a Cisco router now. Would test Juniper SRX soon.
What are the hypervisors we are supporting?
[Sheng] All major ones.
Will S2S VPN be supported in an upgrade environment?
[Sheng] I don't think we support upgrade to VPC?
Can a customerVpnGateway participate in more than one S2S VPN? Or can one customerVpnGateway have connections with multiple CS VPN Gateways?
[Sheng] Currently they are all 1:1.
If a multi-tier architecture has 3 guest networks and all are attached to the vpcVR, which networks are included in the VPN?
[Sheng] All. They should be in the same CIDR covered by the VPC.
I assume that the customerVpnGateway configuration details are supplied by the customer and we just give CS this information using the createVpnCustomerGateway API. We don't configure the customerVpnGateway. Please let me know if my understanding is wrong.
[Sheng] You're right.
The vpcVR has sourceNat enabled by default. In general, S2S VPN will disable the source NAT on the VPN gateway. The VPN gateway will encapsulate the IP packet with VPN IPs. Could you explain the behavior in our S2S VPN implementation?
[Sheng] NAT is not needed if you communicate between subnets, and it won't affect the normal traffic to the outside. What's the issue here?