Posted to dev@cloudstack.apache.org by Sanjeev Neelarapu <sa...@citrix.com> on 2012/10/10 09:09:19 UTC

RE: PRD Review on Byron Requirement: Remote-access VPN on External devices

+cloudstack-dev@incubator.apache.org

From: Chiradeep Vittal
Sent: Wednesday, October 10, 2012 12:35 PM
To: Sanjeev Neelarapu; Sheng Yang
Cc: #Cloud - Engineering
Subject: Re: PRD Review on Byron Requirement: Remote-access VPN on External devices

This discussion should happen on the ML

From: Sanjeev Neelarapu <sa...@citrix.com>
Date: Wed, 10 Oct 2012 00:02:33 -0700
To: Sheng Yang <Sh...@citrix.com>
Cc: #Cloud - Engineering <en...@cloud.com>
Subject: PRD Review on Byron Requirement: Remote-access VPN on External devices

Sheng,

Following are the review comments on Byron Requirement: Remote-access VPN on External devices:


1.      What JUNOS version should the SRX have for this feature to work?

2.      What protocol does the SRX use for remote-access VPN?

3.      In the network-inline-mode FS ( http://wiki.cloudstack.org/display/RelOps/Network+inline+mode+functional+spec ), use case 4 talks about network offerings and says VPN is not supported with the combination given there.
Does it mean that if F5 and SRX are operating in inline mode, remote-access VPN can't be configured on the SRX?

4.      Is this feature hypervisor dependent? If yes, please let me know the list of hypervisors supported.

5.      How many users can connect to SRX at a given time?

6.      From a single user how many concurrent connections are allowed?

7.      Do we have the limitation that only one instance of each external device can exist in one zone? If yes, how do we limit remote access to be account-specific? (In the case of the VR, each account will have a VR, and remote access to the VR's public IP will give access to the guest VMs present in the account.)

Thanks,
Sanjeev

Re: PRD Review on Byron Requirement: Remote-access VPN on External devices

Posted by Sheng Yang <sh...@yasker.org>.
On Wed, Oct 10, 2012 at 11:11 AM, Sheng Yang <sh...@yasker.org> wrote:
> On Wed, Oct 10, 2012 at 12:09 AM, Sanjeev Neelarapu
> <sa...@citrix.com> wrote:
>> +cloudstack-dev@incubator.apache.org
>
> Hi Sanjeev,
>
>>
>> From: Chiradeep Vittal
>> Sent: Wednesday, October 10, 2012 12:35 PM
>> To: Sanjeev Neelarapu; Sheng Yang
>> Cc: #Cloud - Engineering
>> Subject: Re: PRD Review on Byron Requirement: Remote-access VPN on External devices
>>
>> This discussion should happen on the ML
>>
>> From: Sanjeev Neelarapu <sa...@citrix.com>
>> Date: Wed, 10 Oct 2012 00:02:33 -0700
>> To: Sheng Yang <Sh...@citrix.com>
>> Cc: #Cloud - Engineering <en...@cloud.com>
>> Subject: PRD Review on Byron Requirement: Remote-access VPN on External devices
>>
>> Sheng,
>>
>> Following are the review comments on Byron Requirement: Remote-access VPN on External devices:
>>
>>
>> 1.      What JUNOS version should the SRX have for this feature to work?
>
> 10.4 r1 or above. Added to wiki.
>>
>> 2.      What protocol does the SRX use for remote-access VPN?
>
> IPsec. But in fact it's more like a Juniper proprietary combination, since
> we need to download the client from the SRX, and it would configure the client
> as well.
>>
>> 3.      In the network-inline-mode FS ( http://wiki.cloudstack.org/display/RelOps/Network+inline+mode+functional+spec ), use case 4 talks about network offerings and says VPN is not supported with the combination given there.
>> Does it mean that if F5 and SRX are operating in inline mode, remote-access VPN can't be configured on the SRX?
>
> No, that is obsolete. Updated.
>>
>> 4.      Is this feature hypervisor dependent? If yes, please let me know the list of hypervisors supported.
>
> It's hypervisor independent.
>>
>> 5.      How many users can connect to SRX at a given time?
>
> As stated in the wiki, it depends on the SRX. Without purchasing new
> licenses from Juniper, the number is limited to 2.
>>
>> 6.      From a single user how many concurrent connections are allowed?
>
> It's still 2 without new licenses.
>>
>> 7.      Do we have the limitation that only one instance of each external device can exist in one zone? If yes, how do we limit remote access to be account-specific? (In the case of the VR, each account will have a VR, and remote access to the VR's public IP will give access to the guest VMs present in the account.)
>
> The public IP is still owned by the account. And accessing the
> public IP still gains access to the guest network.
>
> Well, we don't have resource control of VPN users at this time.
> It's time to think about it.

Seems the license controls the maximum number of concurrent
connections to the firewall (rather than the number of users), and we have no
way to control that. Would have to leave it to the end user.

--Sheng
>
> --Sheng
>>
>>
>>
>>
>> Thanks,
>> Sanjeev

Re: PRD Review on Byron Requirement: Remote-access VPN on External devices

Posted by Sheng Yang <sh...@yasker.org>.
On Wed, Oct 10, 2012 at 12:09 AM, Sanjeev Neelarapu
<sa...@citrix.com> wrote:
> +cloudstack-dev@incubator.apache.org

Hi Sanjeev,

>
> From: Chiradeep Vittal
> Sent: Wednesday, October 10, 2012 12:35 PM
> To: Sanjeev Neelarapu; Sheng Yang
> Cc: #Cloud - Engineering
> Subject: Re: PRD Review on Byron Requirement: Remote-access VPN on External devices
>
> This discussion should happen on the ML
>
> From: Sanjeev Neelarapu <sa...@citrix.com>
> Date: Wed, 10 Oct 2012 00:02:33 -0700
> To: Sheng Yang <Sh...@citrix.com>
> Cc: #Cloud - Engineering <en...@cloud.com>
> Subject: PRD Review on Byron Requirement: Remote-access VPN on External devices
>
> Sheng,
>
> Following are the review comments on Byron Requirement: Remote-access VPN on External devices:
>
>
> 1.      What JUNOS version should the SRX have for this feature to work?

10.4 r1 or above. Added to wiki.
>
> 2.      What protocol does the SRX use for remote-access VPN?

IPsec. But in fact it's more like a Juniper proprietary combination, since
we need to download the client from the SRX, and it would configure the client
as well.
>
> 3.      In the network-inline-mode FS ( http://wiki.cloudstack.org/display/RelOps/Network+inline+mode+functional+spec ), use case 4 talks about network offerings and says VPN is not supported with the combination given there.
> Does it mean that if F5 and SRX are operating in inline mode, remote-access VPN can't be configured on the SRX?

No, that is obsolete. Updated.
>
> 4.      Is this feature hypervisor dependent? If yes, please let me know the list of hypervisors supported.

It's hypervisor independent.
>
> 5.      How many users can connect to SRX at a given time?

As stated in the wiki, it depends on the SRX. Without purchasing new
licenses from Juniper, the number is limited to 2.
>
> 6.      From a single user how many concurrent connections are allowed?

It's still 2 without new licenses.
>
> 7.      Do we have the limitation that only one instance of each external device can exist in one zone? If yes, how do we limit remote access to be account-specific? (In the case of the VR, each account will have a VR, and remote access to the VR's public IP will give access to the guest VMs present in the account.)

The public IP is still owned by the account. And accessing the
public IP still gains access to the guest network.

Well, we don't have resource control of VPN users at this time.
It's time to think about it.

--Sheng
>
>
>
>
> Thanks,
> Sanjeev