Re: [Openstack] Reg. NAT

2017-03-20 Thread Vikram Chhibber 
Thanks for the pointer. Will try it out.

Vikram

On Mon, Mar 20, 2017 at 3:37 PM, John Petrini  wrote:

> Hi Vikram,
>
> You may want to look into provider networks. Here's some documentation for
> doing so in an Open vSwitch deployment.
>
> https://docs.openstack.org/liberty/networking-guide/
> scenario-provider-ovs.html
>
> Provider networks allow you to add existing networks outside of OpenStack
> to your cloud. Instances can be attached to these networks directly
> therefore bypassing the NAT that's required for floating IP's.
>
> These networks do not require a virtual router (warning: you can still
> create them!) as they rely on existing routing outside of OpenStack. For
> this reason they can only be created by an admin and you should also
> consider keeping them private and granting access to tenants using RBAC.
>
> We use them extensively and they work well. We're able to add new networks
> as needed by trunking the VLAN of the desired network to the compute and
> controller nodes and then creating the new provider type network in
> neutron. Providing a segmentation id when creating the network allows Open
> vSwitch to tag the traffic with the proper vlan before it leaves the
> compute node.
>
> Regards,
>
> John Petrini
>
___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

Re: [Openstack] Reg. NAT

2017-03-20 Thread John Petrini 
Hi Vikram,

You may want to look into provider networks. Here's some documentation for
doing so in an Open vSwitch deployment.

https://docs.openstack.org/liberty/networking-guide/scenario-provider-ovs.html

Provider networks allow you to add existing networks outside of OpenStack
to your cloud. Instances can be attached to these networks directly
therefore bypassing the NAT that's required for floating IP's.

These networks do not require a virtual router (warning: you can still
create them!) as they rely on existing routing outside of OpenStack. For
this reason they can only be created by an admin and you should also
consider keeping them private and granting access to tenants using RBAC.

We use them extensively and they work well. We're able to add new networks
as needed by trunking the VLAN of the desired network to the compute and
controller nodes and then creating the new provider type network in
neutron. Providing a segmentation id when creating the network allows Open
vSwitch to tag the traffic with the proper vlan before it leaves the
compute node.

Regards,

John Petrini
___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

[Openstack] Reg. NAT

2017-03-20 Thread Vikram Chhibber 
Hi All,

We are using Openstack Kilo release 1:2015.1.4-0ubuntu2. We are trying to
establish transport mode IPSec with one of the VM from outside.

We have a floating IP from 172.17/16 network assigned to this VM that has
private IP from 10.0/16 network.

The IPSec is failing and we are suspecting that the NAT is the culprit. The
sender is computing transport header checksum using 172.17.x.y destination
but the openstack is changing it to 10.0.x.y network and the checksum is
failing.

In this release of Openstack, is there a way to disable this nating or any
workarounds? Sender side, we cannot disable the checksum.

Thanks
___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack