Re: [Openstack-operators] [neutron] Any users of Neutron's VPN advanced service?
On Fri, Aug 7, 2015 at 4:48 AM, Nick Jones nick.jo...@datacentred.co.uk wrote: We've had several users on our public OpenStack installation make use the VPNaaS facility to fulfil their VPN requirements with varying degrees of success. Use cases have ranged, one particular company made extensive use in order to connect different projects together for example. We've recommended to a few people that they're often better served by using an instance and configuring that as an endpoint, but obviously there's a cost associated with that (we don't charge for VPNaaS). We've crafted a few documents as well in order to help our users to get started that cover a few scenarios we've encountered: https://docs.datacentred.io/display/compute/VPNs+with+OpenStack+VPNaaS+and+Juniper+SRX https://docs.datacentred.io/display/compute/VPNs+with+OpenStack+VPNaaS+and+StrongSwan https://docs.datacentred.io/display/compute/OpenStack+to+OpenStack+VPNaaS From an operational standpoint, one thing I will say is that it can be awkward to troubleshoot when something goes wrong. We're currently on Juno with several network nodes and VPN creation on at least one of them fails consistently for reasons that we've not yet been able to discern. Package versions, configuration, etc. are all exactly the same. Log levels are set to debug but as yet we've not been able to track down the exact root cause. We would love to incorporate more admin and configuration docs on docs.openstack.org. This bug tracks the need for docs in the Cloud Admin Guide: https://launchpad.net/bugs/1257018 I realize it's a big ask, but let us know how we can help, and if any of those docs make sense to be donated to upstream? Thanks, Anne -- -Nick On 6 August 2015 at 15:19, Kevin Bringard (kevinbri) kevin...@cisco.com wrote: I've got to agree. We don't really use the included VPNaaS for many of the reasons listed below. Most of our users put appliance VM to establish tunnels and behave as their subnet's router, same as Sam. On 8/6/15, 7:52 AM, Sam Stoelinga sammiest...@gmail.com wrote: I'm running VPN servers in VMs. Neutron VPNaaS only supports site-to-site IPSec based VPNs and it seemed quite troublesome to setup (opinion-based). Sam Stoelinga On Thu, Aug 6, 2015 at 2:51 PM, Edgar Magana edgar.mag...@workday.com wrote: I know I can¹t wear both hats but in this case as Operator as one of the constant moderators for the neutron-related sessions, I can say that I have never received a report about the VPNaaS code from the Operators. This could be means two things, the code is terrific and nobody has issues with it or basically nobody uses it. Thanks, Edgar From: Kyle Mestery Date: Wednesday, August 5, 2015 at 12:56 PM To: openstack-operators@lists.openstack.org Cc: Paul Michali, Doug Wiegley Subject: [Openstack-operators] [neutron] Any users of Neutron's VPN advanced service? Operators: We (myself, Paul and Doug) are looking to better understand who might be using Neutron's VPNaaS code. We're looking for what version you're using, how long you're using it, and if you plan to continue deploying it with future upgrades. Any information operators can provide here would be fantastic! Thank you! Kyle DataCentred Limited registered in England and Wales no. 05611763 ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators -- Anne Gentle Rackspace Principal Engineer www.justwriteclick.com ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
Re: [Openstack-operators] [neutron] Any users of Neutron's VPN advanced service?
Hi Kyle, We deployed VPNaaS(OpenSwan driver) in the Catalyst Cloud just over a year ago when it was running Havana. We are in the middle of Icehouse - Juno upgrades and consider this a must-have feature (we also look forward to the RFE to enable VPN+HA routers.) Aside from typical site-to-site tunnel mode IPsec use cases, we also use it to deliver multi-region anycast services directly into our corporate WAN. Cheers, James On 06/08/15 10:21, Tamanna Z Sait wrote: Hi Kyle We have been actively using Neutron VPNaaS code from icehouse, juno, kilo releases and have plans to upstream bug fixes as well as enhancements in this neurton's VPNaaS area moving forward. We have been using the feature for over 1 year now and plan to continue to use it and deploy it. Kyle Mestery mestery at mestery.com Wed Aug 5 19:56:01 UTC 2015 Previous message: [Openstack-operators] [hpc] Tuning KVM Next message: [Openstack-operators] [neutron] Any users of Neutron's VPN advanced service? Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] Operators: We (myself, Paul and Doug) are looking to better understand who might be using Neutron's VPNaaS code. We're looking for what version you're using, how long you're using it, and if you plan to continue deploying it with future upgrades. Any information operators can provide here would be fantastic! Thank you! Kyle -- James Dempsey Senior Cloud Engineer Catalyst IT Limited +64 4 803 2264 -- ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
Re: [Openstack-operators] [neutron] Any users of Neutron's VPN advanced service?
We've had several users on our public OpenStack installation make use the VPNaaS facility to fulfil their VPN requirements with varying degrees of success. Use cases have ranged, one particular company made extensive use in order to connect different projects together for example. We've recommended to a few people that they're often better served by using an instance and configuring that as an endpoint, but obviously there's a cost associated with that (we don't charge for VPNaaS). We've crafted a few documents as well in order to help our users to get started that cover a few scenarios we've encountered: https://docs.datacentred.io/display/compute/VPNs+with+OpenStack+VPNaaS+and+Juniper+SRX https://docs.datacentred.io/display/compute/VPNs+with+OpenStack+VPNaaS+and+StrongSwan https://docs.datacentred.io/display/compute/OpenStack+to+OpenStack+VPNaaS From an operational standpoint, one thing I will say is that it can be awkward to troubleshoot when something goes wrong. We're currently on Juno with several network nodes and VPN creation on at least one of them fails consistently for reasons that we've not yet been able to discern. Package versions, configuration, etc. are all exactly the same. Log levels are set to debug but as yet we've not been able to track down the exact root cause. -- -Nick On 6 August 2015 at 15:19, Kevin Bringard (kevinbri) kevin...@cisco.com wrote: I've got to agree. We don't really use the included VPNaaS for many of the reasons listed below. Most of our users put appliance VM to establish tunnels and behave as their subnet's router, same as Sam. On 8/6/15, 7:52 AM, Sam Stoelinga sammiest...@gmail.com wrote: I'm running VPN servers in VMs. Neutron VPNaaS only supports site-to-site IPSec based VPNs and it seemed quite troublesome to setup (opinion-based). Sam Stoelinga On Thu, Aug 6, 2015 at 2:51 PM, Edgar Magana edgar.mag...@workday.com wrote: I know I can¹t wear both hats but in this case as Operator as one of the constant moderators for the neutron-related sessions, I can say that I have never received a report about the VPNaaS code from the Operators. This could be means two things, the code is terrific and nobody has issues with it or basically nobody uses it. Thanks, Edgar From: Kyle Mestery Date: Wednesday, August 5, 2015 at 12:56 PM To: openstack-operators@lists.openstack.org Cc: Paul Michali, Doug Wiegley Subject: [Openstack-operators] [neutron] Any users of Neutron's VPN advanced service? Operators: We (myself, Paul and Doug) are looking to better understand who might be using Neutron's VPNaaS code. We're looking for what version you're using, how long you're using it, and if you plan to continue deploying it with future upgrades. Any information operators can provide here would be fantastic! Thank you! Kyle -- DataCentred Limited registered in England and Wales no. 05611763 ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
Re: [Openstack-operators] [neutron] Any users of Neutron's VPN advanced service?
On 06/08/15 07:56, Kyle Mestery wrote: Operators: We (myself, Paul and Doug) are looking to better understand who might be using Neutron's VPNaaS code. We're looking for what version you're using, how long you're using it, and if you plan to continue deploying it with future upgrades. Any information operators can provide here would be fantastic! We're running it since Icehouse, and there's one or two issues which are known bugs with upstream fixes in progress, but overall we're happy with it. It's miles easier for our customers to drive than VPN inside VMs, and the ease helps us retain our only-too-scarce IPv4 space. Our customers would be very upset if we discontinued use. ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
Re: [Openstack-operators] [neutron] Any users of Neutron's VPN advanced service?
I know I can’t wear both hats but in this case as Operator as one of the constant moderators for the neutron-related sessions, I can say that I have never received a report about the VPNaaS code from the Operators. This could be means two things, the code is terrific and nobody has issues with it or basically nobody uses it. Thanks, Edgar From: Kyle Mestery Date: Wednesday, August 5, 2015 at 12:56 PM To: openstack-operators@lists.openstack.orgmailto:openstack-operators@lists.openstack.org Cc: Paul Michali, Doug Wiegley Subject: [Openstack-operators] [neutron] Any users of Neutron's VPN advanced service? Operators: We (myself, Paul and Doug) are looking to better understand who might be using Neutron's VPNaaS code. We're looking for what version you're using, how long you're using it, and if you plan to continue deploying it with future upgrades. Any information operators can provide here would be fantastic! Thank you! Kyle ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
Re: [Openstack-operators] [neutron] Any users of Neutron's VPN advanced service?
I've got to agree. We don't really use the included VPNaaS for many of the reasons listed below. Most of our users put appliance VM to establish tunnels and behave as their subnet's router, same as Sam. On 8/6/15, 7:52 AM, Sam Stoelinga sammiest...@gmail.com wrote: I'm running VPN servers in VMs. Neutron VPNaaS only supports site-to-site IPSec based VPNs and it seemed quite troublesome to setup (opinion-based). Sam Stoelinga On Thu, Aug 6, 2015 at 2:51 PM, Edgar Magana edgar.mag...@workday.com wrote: I know I can¹t wear both hats but in this case as Operator as one of the constant moderators for the neutron-related sessions, I can say that I have never received a report about the VPNaaS code from the Operators. This could be means two things, the code is terrific and nobody has issues with it or basically nobody uses it. Thanks, Edgar From: Kyle Mestery Date: Wednesday, August 5, 2015 at 12:56 PM To: openstack-operators@lists.openstack.org Cc: Paul Michali, Doug Wiegley Subject: [Openstack-operators] [neutron] Any users of Neutron's VPN advanced service? Operators: We (myself, Paul and Doug) are looking to better understand who might be using Neutron's VPNaaS code. We're looking for what version you're using, how long you're using it, and if you plan to continue deploying it with future upgrades. Any information operators can provide here would be fantastic! Thank you! Kyle ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
Re: [Openstack-operators] [neutron] Any users of Neutron's VPN advanced service?
I'm running VPN servers in VMs. Neutron VPNaaS only supports site-to-site IPSec based VPNs and it seemed quite troublesome to setup (opinion-based). Sam Stoelinga On Thu, Aug 6, 2015 at 2:51 PM, Edgar Magana edgar.mag...@workday.com wrote: I know I can’t wear both hats but in this case as Operator as one of the constant moderators for the neutron-related sessions, I can say that I have never received a report about the VPNaaS code from the Operators. This could be means two things, the code is terrific and nobody has issues with it or basically nobody uses it. Thanks, Edgar From: Kyle Mestery Date: Wednesday, August 5, 2015 at 12:56 PM To: openstack-operators@lists.openstack.org Cc: Paul Michali, Doug Wiegley Subject: [Openstack-operators] [neutron] Any users of Neutron's VPN advanced service? Operators: We (myself, Paul and Doug) are looking to better understand who might be using Neutron's VPNaaS code. We're looking for what version you're using, how long you're using it, and if you plan to continue deploying it with future upgrades. Any information operators can provide here would be fantastic! Thank you! Kyle ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
Re: [Openstack-operators] [neutron] Any users of Neutron's VPN advanced service?
I attempted to run it in Juno a while back and had very little success. I would love to be able to use it though, and will give it another shot once upgraded to Kilo. My issue was that several of the options coded into it for firing up a connection were specific to Freeswan which was deprecated, at least in CentOS 7, in favor of Libreswan. Even after hacking in the changes, it still failed to start due to some locking or permissions issue that I could never resolve. Given that we run isolated tenant networks with overlapping IP space for a number of enterprise customers, having a working self-service VPN would be great to have, and I'm looking forward to some future success with it. -Erik On Wed, Aug 5, 2015 at 3:56 PM, Kyle Mestery mest...@mestery.com wrote: Operators: We (myself, Paul and Doug) are looking to better understand who might be using Neutron's VPNaaS code. We're looking for what version you're using, how long you're using it, and if you plan to continue deploying it with future upgrades. Any information operators can provide here would be fantastic! Thank you! Kyle ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators