kiranchavala opened a new issue, #9707: URL: https://github.com/apache/cloudstack/issues/9707
ISSUE TYPE
Enhancement/Improvement request

COMPONENT NAME
Component: VPC

CLOUDSTACK VERSION
Cloudstack version 4.19.1.1

SUMMARY
Support the global setting "remote.access.vpn.client.iprange" at the per-VPC level.

Currently we support the setting "remote.access.vpn.client.iprange" at:

1. Global settings
2. Account level

There are limitations in this case.

Limitation 1
-----

1. Have multiple VPCs in an account (VPC 1 and VPC 2)
   VPC 1 CIDR >>> 10.0.0.0/8
   VPC 2 CIDR >>> 172.16.0.0/16
2. Default account level setting of parameter "remote.access.vpn.client.iprange" >> "10.1.2.1-10.1.2.8"
3. Enable site-to-site VPN between the 2 VPCs or have a customer gateway.
4. Enable VPN service in VPC 1
5. Connect an end user to the VPN service of VPC 1.

The end user will get successfully connected to the VPN network but the routing will not work. The user cannot reach the VMs associated with VPC 1, since the

As per this rule, if the VR sees a packet matching src 10.0.0.0/8 dst 172.16.0.0/16 it will apply the IPsec policy routing for the S2S VPN.

As a workaround the admin user has to change the value of parameter "remote.access.vpn.client.iprange" and disable and enable the VPN. Since this is at account level it could affect other VPCs present in the account.

Limitation 2
-------

1. Have multiple VPCs in an account (VPC 1 and VPC 2)
2. Enable VPN service in both VPCs
3. The end user connecting to the VPC 1 VPN service will be assigned an IP from remote.access.vpn.client.iprange
4. The end user connecting to the VPC 2 VPN service will also be assigned an IP from remote.access.vpn.client.iprange

If the setting is at VPC level, it will be easy for the admin/account user to identify the problematic VPC and troubleshoot the issue.

----

Expected behaviour

It would be beneficial for the end user if Cloudstack can provide an option of specifying the VPN client address range at VPC creation time.

Also Cloudstack should not allow changing the value for the lifetime of the VPC.

Hyperscalers such as AWS and Azure support it at VPC level:

https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal#addresspool
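A pre-flight check for the two situations the issue describes, added here as an example and not CloudStack's own code: it flags a client range that falls inside a VPC CIDR or inside an S2S IPsec selector (Limitation 1), and reports a range handed out by more than one VPC (Limitation 2). The CIDRs and the client range are the issue's values; the `(src, dst)` selector representation and the per-VPC range mapping are assumptions for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed scenario from the issue (not CloudStack code): two VPCs in one
# account, an S2S tunnel between them, and the account-level client range.
VPC_CIDRS = {"vpc1": "10.0.0.0/8", "vpc2": "172.16.0.0/16"}
S2S_POLICIES = [("10.0.0.0/8", "172.16.0.0/16")]  # assumed (src, dst) IPsec selectors
CLIENT_RANGE = "10.1.2.1-10.1.2.8"                 # remote.access.vpn.client.iprange


def range_to_networks(iprange: str) -> List[ipaddress.IPv4Network]:
    """Expand the 'first-last' form of the setting into minimal CIDR blocks."""
    first, last = (ipaddress.ip_address(p.strip()) for p in iprange.split("-"))
    if last < first:
        raise ValueError(f"descending range: {iprange}")
    return list(ipaddress.summarize_address_range(first, last))


def _overlaps(nets: List[ipaddress.IPv4Network], cidr: str) -> bool:
    target = ipaddress.ip_network(cidr)
    return any(n.overlaps(target) for n in nets)


def check_client_range(iprange: str, vpc_cidrs: Dict[str, str],
                       policies: List[Tuple[str, str]]) -> List[str]:
    """Return findings; an empty list means the range is safe to hand out."""
    nets = range_to_networks(iprange)
    findings = []
    for name, cidr in vpc_cidrs.items():
        if _overlaps(nets, cidr):
            findings.append(f"client range {iprange} lies inside {name} CIDR {cidr}")
    for src, dst in policies:
        for side, cidr in (("src", src), ("dst", dst)):
            if _overlaps(nets, cidr):
                findings.append(f"client range {iprange} matches {side} {cidr} of S2S "
                                f"policy {src} -> {dst}; VR may apply IPsec policy routing")
    return findings


def shared_ranges(per_vpc_range: Dict[str, str]) -> Dict[str, List[str]]:
    """Limitation 2: ranges that more than one VPN-enabled VPC hands out."""
    by_range: Dict[str, List[str]] = {}
    for vpc, rng in per_vpc_range.items():
        by_range.setdefault(rng, []).append(vpc)
    return {r: sorted(v) for r, v in by_range.items() if len(v) > 1}


if __name__ == "__main__":
    for line in check_client_range(CLIENT_RANGE, VPC_CIDRS, S2S_POLICIES):
        print("WARN", line)
    print(shared_ranges({"vpc1": CLIENT_RANGE, "vpc2": CLIENT_RANGE}))
```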
