On Tue, Sep 4, 2012 at 1:47 PM, Alena Prokharchyk <alena.prokharc...@citrix.com> wrote:
> On 9/4/12 1:11 PM, "Marcus Sorensen" <shadow...@gmail.com> wrote:
>
>>Thanks for replying.
>>
>>On Tue, Sep 4, 2012 at 1:41 PM, Alena Prokharchyk
>><alena.prokharc...@citrix.com> wrote:
>>> On 9/4/12 10:21 AM, "Marcus Sorensen" <shadow...@gmail.com> wrote:
>>>
>>>>I've been working on bringing KVM up to speed on the VPC stuff, and
>>>>there are a few things I've come across that seem to be incomplete for
>>>>Xen as well. I'd just like to get some feedback on the current state
>>>>of VPC. I believe these are not specific issues to my implementation,
>>>>but if they should be working please say something so I can find my
>>>>problem.
>>>>
>>>>static routes - currently there doesn't seem to be anything creating
>>>>ip rules to point to the static_route table, nor does there seem to be
>>>>anything creating the static_route table, although vpc_staticroute.sh
>>>>attempts to modify it
>>>
>>> Anthony, do we add static_route table automatically when the private
>>> gateway is created?
>>>
>>
>>I grepped through the code, and the only thing I could find adding ip
>>rules was ipassoc.sh (the Table_eth* tables) and the only thing I
>>could find doing stuff with a static_route routing table was
>>vpc_staticroute.sh (which complains that table static_route doesn't
>>exist).
>>
>>>
>>>>
>>>>vpn - there is a script vpc_vpn_l2tp.sh, but I can't find anything
>>>>actually utilizing it. I assume there is no working vpn support in any
>>>>platform's Vpc implementation.
>>>
>>> There is no RemoteAccessVPN support in VPC. We support S2S VPN only.
>>>
>>
>>So that vpc_vpn_l2tp.sh is to be ignored/removed? I do see that there
>>are existing Site2Site commands in both the Citrix resource and the KVM
>>one, I believe they are the existing ones that call ipsectunnel.sh,
>>this will work with VPC without modification, or is the Xen stuff just
>>not that far along yet? Or perhaps better stated, please tell me what
>>VPN support Xen currently has with VPC and the associated commands so
>>I may emulate them for KVM.
>
> It will be ignored. We are not removing it because remote access vpn is
> supported in regular Isolated networks' Virtual Router. As we use the same
> template for VPC/Regular Virtual router, we are just going to maintain 2
> sets of scripts, and call them based on context (based on the fact if
> router belongs to VPC network or regular network)
>
> At the moment, We block Remote Access VPN commands to be executed against
> vpc guest networks, on API level. Sheng, please confirm.

I think we just blocked them from UI now. Need to block it from API as well.

--Sheng

>
> -Alena.
>
>>
>>>>
>>>>password - I've seen some emails regarding this, that the password
>>>>server doesn't seem to be set up for the various private nics
>>>
>>> I'll put the fix to master branch today.
>>>
>>>>
>>>>network ACLs - The functional spec states that all outgoing traffic
>>>>for guest networks is allowed, however I don't see any acls whatsoever
>>>>when creating new tiers
>>>
>>>
>>> I suspect it wasn't merged to master branch yet. Anthony, please do it.
>>>>
>>>
>>>
>>
>
>