On Fri, Oct 12, 2012 at 11:39 AM, Chiradeep Vittal <chiradeep.vit...@citrix.com> wrote:
> One request:
> Some answers seem guarded: "seems", "maybe", "probably". Of course we may not have all the answers, but how do we track these uncertainties as they get resolved?

We've identified that SRX has some serious limitations on remote access VPN support. I'd like to call for a hold on this feature's testing plan now. We need more work on this part.

--Sheng

>
> On 10/12/12 10:56 AM, "Sheng Yang" <sh...@yasker.org> wrote:
>
>> Hi Sanjeev,
>>
>> On Fri, Oct 12, 2012 at 4:52 AM, Sanjeev Neelarapu <sanjeev.neelar...@citrix.com> wrote:
>>> Sheng,
>>>
>>> Following are the review comments on the network-inline mode functional spec:
>>>
>>> 1. Feature Specifications: Only support "per zone" (shared) Source NAT for SRX: Does this mean traffic initiated from all the accounts' guest VMs will use only one IP as the source IP?
>>
>> Yes.
>>
>>> 2. Is it supported in an upgraded environment?
>>
>> No.
>>
>>> 3. After an upgrade from 2.2.x to 3.0.x, can we change a parallel mode deployment to inline mode (since we don't support upgrade from 2.2.x inline mode)?
>>
>> No. Since the information is bound to the F5, not the network offering, we cannot do that without adding a new F5 device.
>>
>> We can improve the feature later in a future release to make it an option for the network offering, so that we can change it for the network.
>>
>>> 4. Can we create a Static NAT rule and a Load Balancing rule on the same public IP (since conserve mode is on)?
>>
>> No. We cannot support conserve mode. It's because a static NAT rule created on SRX prevents other rules from being applied on the same IP.
>>
>>> 5. Is it supported in VPC (instead of the VPC VR, can we use SRX for all the services in the VPC offering)?
>>
>> No.
>>
>>> 6. Are there any DB schema changes related to this feature?
>>
>> No.
>>>
>>> Following are the review comments for "Remote access vpn on SRX":
>>>
>>> 1. Is it supported on the Source NAT IP?
>>
>> We may have one change here - we may possibly only support the source NAT IP (in fact the external public IP of the SRX), because it seems SRX doesn't support using another IP to communicate with the VPN gateway. I am still working on this to try to find a solution.
>>>
>>> 2. Is enabling Remote access vpn on SRX and adding VPN users supported only by Admin?
>>
>> Well, we have good reason to do so, since VPN is a kind of precious resource on SRX (which the user needs to pay for), but since the network is owned by the account, it seems we still need to let the user have the permission to do that.
>>>
>>> 3. Is any manual configuration required on SRX to enable this functionality?
>>
>> There is probably some manual configuration needed, e.g. setting the default policy for IKE and IPsec. I am trying to keep it at a minimal level.
>>
>> --Sheng
>>>
>>> Thanks,
>>> Sanjeev
>>>
>>> From: Sheng Yang
>>> Sent: Thursday, October 11, 2012 11:14 PM
>>> To: Sanjeev Neelarapu
>>> Cc: Haroon Abdelrahman; Sudha Ponnaganti; Srinivas Vejalla
>>> Subject: RE: F5 SRX in inline mode and Remote access vpn on SRX
>>>
>>> They are already on cwiki.
>>>
>>> https://cwiki.apache.org/CLOUDSTACK/network-inline-mode-functional-spec.html
>>> https://cwiki.apache.org/CLOUDSTACK/remote-access-vpn-support-on-srx.html
>>>
>>> --Sheng
>>>
>>>
>>> From: Sanjeev Neelarapu
>>> Sent: Thursday, October 11, 2012 12:14 AM
>>> To: Sheng Yang
>>> Cc: Haroon Abdelrahman; Sudha Ponnaganti; Srinivas Vejalla
>>> Subject: F5 SRX in inline mode and Remote access vpn on SRX
>>>
>>> Sheng,
>>>
>>> Can you place the "F5 SRX in inline mode" and "Remote access vpn on SRX" FSs on cwiki, so that I can use them to share my review comments on the ML? At present the "Remote access vpn on SRX" FS is missing from the CloudStack wiki as well.
>>>
>>> Thanks,
>>> Sanjeev
>