I agree, it is kind of odd to restrict vpn-service to one "private" tenant network. Particularly when the current VPN model does allow multiple remote peer CIDRs to connect to,

    neutron ipsec-site-connection-create --name ipsec0 --vpnservice-id vpnsvc0 --ikepolicy-id ike0 --ipsecpolicy-id esp0 --peer-address 192.168.110.21 --peer-id 192.168.110.21 --peer-cidr 13.1.0.0/24,14.1.0.0/24 --psk secret

Perhaps there is some history, maybe Nachi might know?

- Sridhar

On Wed, Jan 28, 2015 at 6:26 AM, Paul Michali <[email protected]> wrote:

> I can try to comment on your questions... inline @PCM
>
> PCM (Paul Michali)
>
> IRC............ pc_m (irc.freenode.com)
> Twitter....... @pmichali
>
> On Tue, Jan 27, 2015 at 9:45 PM, shihanzhang <[email protected]> wrote:
>
>> Hi Stacker:
>>
>> I am a novice, I want to use Neutron VPNaaS, through my preliminary
>> understanding of it, I have two questions about it:
>> (1) why can a 'vpnservices' have just one subnet?
>> (2) why can't the subnet of 'vpnservices' be changed?
>
> @PCM Currently, the VPN service is designed to set up a site-to-site
> connection between two private subnets. The service is associated 1:1 with
> (and applies the connection to) a Neutron router that has an interface on
> the private network, and an interface on the public network. Changing the
> subnet for the service would effectively change the router. One would have
> to delete and recreate the service to use a different router.
>
> I don't know if the user can attach multiple "private" subnets to a
> router, and the VPN implementation assumes that there is only one private
> subnet.
>
>> As I know, the OpenSwan does not have these limitations.
>> I've learned that there is a BP to do this:
>>
>> https://blueprints.launchpad.net/neutron/+spec/vpn-multiple-subnet
>> but this BP has had no progress.
>>
>> I want to know whether this will be done in the next cycle or later, who can
>> help me to explain?
>
> @PCM I don't know what happened with that BP, but it is effectively
> abandoned (even though status says 'new'). There has not been any activity
> on it for over a year, and since we are at a new release, a BP spec would
> have been required for Kilo. Also, the bug that drove the issue has been
> placed into Invalid state by Mark McClain in March of last year.
>
> https://bugs.launchpad.net/neutron/+bug/1258375
>
> You could ask Mark for clarification, but I think it may be because the
> Neutron router doesn't support multiple subnets.
>
> Regards.
>
>> Thanks.
>>
>> -shihanzhang
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: [email protected]?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
