

  • The software used to support site-to-site VPN is OpenSwan.
  • Authentication uses a pre-shared key (PSK).
  • The VPN protocol is IPsec.
    • SSL gets through firewalls more easily, but it is not an interoperable standard.
  • Supported Phase 1 (ISAKMP) and Phase 2 (ESP) encryption and hash algorithms:
    • Encryption: AES128, AES192, AES256, 3DES
    • Hash: MD5, SHA1
    • Diffie-Hellman: Group 2, Group 5
  • Tables:
    • s2s_vpn_connection table
    • s2s_vpn_gateways
    • s2s_customer_gateways
  • Remote subnets must be specified; traffic destined for the remote subnets is sent through the VPN. Routing-based VPN is not supported.
  • VPN connection monitor:
    • Every router.check.interval (30s by default), the management server checks the status of each VPN connection. If a connection is down, it sends out an alert.
    • The management server only checks connections whose state is "Connected" or "Disconnected", and it only ever changes a connection's state to one of these two states. It does not check connections in the "Pending" or "Error" state.
    • A VPC router is only checked if there is at least one implemented network inside the VPC.
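
The monitor rules above, as an added Python example (not CloudStack code): one pass that applies the state filter and the VPC filter, and reports which connections were left unchecked. The names `Conn` and `run_check` and the sample data are hypothetical; treating a missing status report as down and alerting on every pass that finds a tunnel down are assumptions.

```python
# Added example: models the monitor rules from the spec; names are hypothetical.
from dataclasses import dataclass

CHECKED_STATES = {"Connected", "Disconnected"}  # "Pending"/"Error" are never probed


@dataclass
class Conn:
    conn_id: int
    vpc_id: int
    state: str  # Pending | Connected | Disconnected | Error


def run_check(conns, vpcs_with_networks, tunnel_up):
    """One monitor pass (run every router.check.interval, 30s by default).

    conns: list of Conn, updated in place.
    vpcs_with_networks: ids of VPCs that have at least one implemented network.
    tunnel_up: conn_id -> bool, the status reported by the VPC router.
    Returns (alerts, skipped): conn ids alerted on, and (conn_id, reason) pairs
    for connections this pass did not look at.
    """
    alerts, skipped = [], []
    for c in conns:
        if c.vpc_id not in vpcs_with_networks:
            skipped.append((c.conn_id, "no implemented network in VPC"))
            continue
        if c.state not in CHECKED_STATES:
            skipped.append((c.conn_id, "state " + c.state))
            continue
        up = tunnel_up.get(c.conn_id, False)  # assumption: no report counts as down
        c.state = "Connected" if up else "Disconnected"
        if not up:
            alerts.append(c.conn_id)  # assumption: alert on every pass that finds it down
    return alerts, skipped


if __name__ == "__main__":
    # Constructed sample data, not taken from a real deployment.
    conns = [Conn(1, 10, "Connected"), Conn(2, 10, "Disconnected"),
             Conn(3, 10, "Error"), Conn(4, 10, "Pending"), Conn(5, 20, "Connected")]
    status = {1: False, 2: True, 3: False, 4: False, 5: False}
    alerts, skipped = run_check(conns, {10}, status)
    print("alerts:", alerts)
    for conn_id, reason in skipped:
        print("not monitored:", conn_id, reason)
    print("states:", [(c.conn_id, c.state) for c in conns])
```

In the sample, connection 3 is down but in "Error" and connection 5 is down in a VPC with no implemented network, so neither raises an alert and connection 5 keeps its stale "Connected" state.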


Configuration Reference for Juniper SRX Router



  • Is there any provision in the UI/API for enabling/disabling VPN for the accounts?
    [Sheng] No, because it should only be enabled for Admin.
    • UPDATE: There is still no provision in the UI/API to enable/disable the VPN feature for accounts. But we would support it for normal users.
  • What are the VPN protocols supported by the VR, and the supported algorithms as well?
    [Sheng] Would update that in the FS. Protocol is IPsec. Use pre-shared key for authentication. Support encryption including aes, des, 3des; hash including md5 and sha1.
  • Do we support both site-to-site VPN and remote access VPN on the VR at the same time?
    [Sheng] No.
  • How do we specify the datacenter device (the other end of the site-to-site VPN) details in CS?
    [Sheng] Would update that in the FS.
  • Is site-to-site VPN supported only on the SourceNat IP, or on any acquired IP as well?
    [Sheng] It’s supported on all acquired (public) IPs.
  • Could you explain the requirement:
  • Add Route: As part of the configuration, users should be able to specify a list of routes. Traffic to these routes should be directed to the VPN tunnel interface.
    [Sheng] Don’t need to do it anymore IIUC. VPN software would deal with that route. I would update the FS.
  • Could you give the details on the usage tables to look at for usage records for the VPN?
    [Sheng] Haven’t got it done. Would update the spec later.
  • Could you specify the log file details to look at for VPN logs?
    [Sheng] Currently they’re at /var/log/auth.log and /var/log/daemon.log in the VR.
  • We have a Juniper SRX with JUNOS 10.4. Can we use it as one endpoint of the VPN?
    [Sheng] Should be fine. I have only tested with a Cisco router so far. Would test Juniper SRX soon.
  • What are the hypervisors we are supporting?
    [Sheng] All major ones.
  • Will S2S VPN be supported in an upgrade environment?
    [Sheng] I don’t think we support upgrade to VPC?
  • Can a customerVpnGateway participate in more than one S2S VPN? Or can one customerVpnGateway have connections with multiple CS VPN gateways?
    [Sheng] Currently they are all 1:1.
  • If a multitier architecture has 3 guest networks and all are attached to the vpcVR, which networks are included in the VPN?
    [Sheng] All. They should be in the same CIDR covered by the VPC.
  • I assume that the customerVpnGateway configuration details are supplied by the customer, and we just give CS this information; using the createVpnCustomerGateway API will do this.
    We don’t configure the customerVpnGateway. Please let me know if my understanding is wrong.
    [Sheng] You’re right.
  • The vpcVR has sourceNat enabled by default. In general, S2S VPN will disable the source NAT on the VPN gateway. The VPN gateway will encapsulate the IP packet with VPN IPs.
    Could you explain the behavior in our S2S VPN implementation?
    [Sheng] NAT is not needed if you communicate between subnets, and it won’t affect the normal traffic to the outside. What’s the issue here?


Appendix A:

Appendix B: