Bump the inline mode discussion thread. This also involved remote access VPN on SRX. But because SRX doesn't support multiple tenants for VPN, I am afraid we would drop the feature.
According to our research, Cisco ASA1000v looks like a good alternative for remote access VPN.

--Sheng

On Tue, Oct 16, 2012 at 11:20 AM, Sheng Yang <sh...@yasker.org> wrote:
> On Fri, Oct 12, 2012 at 11:39 AM, Chiradeep Vittal
> <chiradeep.vit...@citrix.com> wrote:
> > One request:
> > Some answers seem guarded: "seems", "maybe", "probably". Of course we may
> > not have all answers, but how do we track these uncertainties as they get
> > resolved?
>
> We've identified that SRX has some serious limitations on remote access
> VPN support. I'd like to call for a hold on this feature's testing
> plan now.
>
> We need more work on this part.
>
> --Sheng
>
> >
> > On 10/12/12 10:56 AM, "Sheng Yang" <sh...@yasker.org> wrote:
> >
> >>Hi Sanjeev,
> >>
> >>On Fri, Oct 12, 2012 at 4:52 AM, Sanjeev Neelarapu
> >><sanjeev.neelar...@citrix.com> wrote:
> >>> Sheng,
> >>>
> >>> Following are the review comments on network-inline mode functional
> >>>spec:
> >>> 1.Feature Specifications:
> >>> Only support "per zone"(shared) Source NAT for SRX: Does this mean
> >>>traffic initiated from all the accounts guest vms will use only one ip
> >>>as source IP ?
> >>
> >>Yes.
> >>
> >>> 2.Is it supported in upgraded environment?
> >>
> >>No.
> >>
> >>> 3.After upgrade from 2.2.x to 3.0.x can we change parallel mode
> >>>deployment to inline mode (since we don't support upgrade from 2.2.x
> >>>inline mode)?
> >>
> >>No. Since the information is binding with F5 not the network offering,
> >>we cannot do that without adding a new F5 device.
> >>
> >>We can improve the feature later in future release to make it an
> >>option for network offering, thus we can change it for network.
> >>
> >>> 4.Can we create Static NAT and Load Balancing rule on the same public
> >>>IP(since conserve mode is on)?
> >>
> >>No. We cannot support conserve mode. It's due to static nat rule
> >>created on SRX preventing other rules from being applied on the same ip.
> >>
> >>> 5.Is it supported in VPC(Instead of vpcVR can we use SRX for all the
> >>>services in VPC Offering)?
> >>
> >>No.
> >>
> >>> 6.Are there any DB schema changes related to this feature?
> >>
> >>No.
> >>>
> >>> Following are review comments for "Remote access vpn on SRX":
> >>>
> >>> 1. Is it supported on Source NAT IP?
> >>
> >>We may have one change here - we may possibly only support source NAT
> >>ip(in fact the external public ip of SRX), because it seems SRX didn't
> >>support using other IP to communicate with VPN gateway. I am still
> >>working on this to try to find a solution.
> >>>
> >>> 2. Is enabling Remote access vpn on SRX and adding VPN user
> >>>supported only by Admin ?
> >>
> >>Well, we have good reason to do so, since VPN is kind of precious
> >>resource on SRX(which user need to pay), but since network owned by
> >>the account, seems we still need to let user have the permission to do
> >>that.
> >>>
> >>> 3. Any manual configuration is required on SRX to enable this
> >>>functionality?
> >>
> >>There are probably some manual configuration needed, e.g. set default
> >>policy for ike and ipsec. I am trying to keep it at minimal level.
> >>
> >>--Sheng
> >>>
> >>> Thanks,
> >>> Sanjeev
> >>>
> >>> From: Sheng Yang
> >>> Sent: Thursday, October 11, 2012 11:14 PM
> >>> To: Sanjeev Neelarapu
> >>> Cc: Haroon Abdelrahman; Sudha Ponnaganti; Srinivas Vejalla
> >>> Subject: RE: F5 SRX in inline mode and Remote access vpn on SRX
> >>>
> >>> They are already on cwiki.
> >>>
> >>> https://cwiki.apache.org/CLOUDSTACK/network-inline-mode-functional-spec.html
> >>>
> >>> https://cwiki.apache.org/CLOUDSTACK/remote-access-vpn-support-on-srx.html
> >>>
> >>> --Sheng
> >>>
> >>>
> >>> From: Sanjeev Neelarapu
> >>> Sent: Thursday, October 11, 2012 12:14 AM
> >>> To: Sheng Yang
> >>> Cc: Haroon Abdelrahman; Sudha Ponnaganti; Srinivas Vejalla
> >>> Subject: F5 SRX in inline mode and Remote access vpn on SRX
> >>>
> >>> Sheng,
> >>>
> >>> Can you place "F5 SRX in inline mode" and "Remote access vpn on SRX"
> >>>FSs on cwiki , so that I can use them to share my review comments on ML.
> >>> At present "Remote access vpn on SRX" FS is missing from cloud stack
> >>>wiki as well.
> >>>
> >>> Thanks,
> >>> Sanjeev