Hi Community,

I want to open up a discussion around the new Remote Access VPN implementation on VRs. Currently we have only the L2TP implementation, which lacks different features (such as verbose logging), so we decided to start developing a new implementation based on IKEv2 (on top of the existing strongSwan).

We have had this feature working locally for over a week now, and it seems to be ready for opening up a PR on the official repo. But before doing so we agreed to open up a discussion here first.

The current implementation uses EAP + Public Key for authentication, so we need to have a PKI engine somewhere. Rather than start re-inventing the wheel (and start extending the current CA Framework which was done by Rohit), we decided to delegate this functionality to HashiCorp Vault, which will act as a PKI backend engine for CloudStack. The way I implemented this specific part of the code, it can easily be extended/implemented with other concrete classes or designs (such as going forward with an in-house PKI engine, or even using external services such as Let's Encrypt), but at the end of the day we strongly suggest using Vault, as it is really easy to use.

Please find the design document here [1], and share your feedback. I will open up a PR (as is) soon to be able to have source code to discuss around it as well.

[1]: https://cwiki.apache.org/confluence/display/CLOUDSTACK/VPN+Implementation+based+on+IKEv2+backed+by+Vault+as+PKI+Engine

Thanks
Khosrow Moossavi
Cloud Infrastructure Developer
t 514.447.3456 <https://goo.gl/NYZ8KK>
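For readers unfamiliar with what "IKEv2 with EAP + Public Key on top of strongSwan" means in concrete terms, here is an added illustration (not the proposed implementation's configuration, and not from the design document) of a strongSwan `swanctl.conf` for that authentication model: the VR authenticates itself to clients with a certificate (the one the PKI backend would issue), and clients authenticate with EAP. All hostnames, file names, address ranges and the EAP identity are constructed placeholders.

```conf
# Added example: strongSwan swanctl.conf for an IKEv2 remote-access gateway.
# Server side authenticates with a certificate (pubkey); clients with EAP.
connections {
    remote-access {
        version = 2                      # IKEv2 only, no IKEv1 fallback
        local_addrs = 0.0.0.0            # listen on all VR addresses (placeholder)
        proposals = aes256-sha256-modp2048
        pools = ra-pool                  # virtual IPs handed to VPN clients
        send_certreq = no                # clients carry no certificate, so do not ask for one

        local {
            auth = pubkey
            # Placeholder: server certificate issued by the PKI backend (e.g. Vault);
            # the CA certificate must be installed so clients can validate it.
            certs = vr-server.crt
            id = vr.example.invalid
        }
        remote {
            auth = eap-mschapv2          # client side: EAP, identity taken from the EAP exchange
            eap_id = %any
        }
        children {
            remote-access {
                local_ts = 10.1.1.0/24   # placeholder: guest network reachable through the VPN
                esp_proposals = aes256-sha256
            }
        }
    }
}

pools {
    ra-pool {
        addrs = 10.1.2.0/24              # placeholder client address pool
    }
}

secrets {
    # One EAP credential per remote-access user (placeholder values).
    eap-alice {
        id = alice
        secret = "<per-user-secret>"
    }
}
```

With this shape, rotating the VR certificate is a matter of re-issuing `vr-server.crt` from the PKI backend; the EAP user secrets are independent of it.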