Re: [Openstack-operators] [neutron] Any users of Neutron's VPN advanced service?
On Fri, Aug 7, 2015 at 4:48 AM, Nick Jones wrote: > We've had several users on our public OpenStack installation make use the > VPNaaS facility to fulfil their VPN requirements with varying degrees of > success. Use cases have ranged, one particular company made extensive use > in order to connect different projects together for example. We've > recommended to a few people that they're often better served by using an > instance and configuring that as an endpoint, but obviously there's a cost > associated with that (we don't charge for VPNaaS). We've crafted a few > documents as well in order to help our users to get started that cover a > few scenarios we've encountered: > > > https://docs.datacentred.io/display/compute/VPNs+with+OpenStack+VPNaaS+and+Juniper+SRX > > https://docs.datacentred.io/display/compute/VPNs+with+OpenStack+VPNaaS+and+StrongSwan > https://docs.datacentred.io/display/compute/OpenStack+to+OpenStack+VPNaaS > > From an operational standpoint, one thing I will say is that it can be > awkward to troubleshoot when something goes wrong. We're currently on Juno > with several network nodes and VPN creation on at least one of them fails > consistently for reasons that we've not yet been able to discern. Package > versions, configuration, etc. are all exactly the same. Log levels are set > to debug but as yet we've not been able to track down the exact root cause. > We would love to incorporate more admin and configuration docs on docs.openstack.org. This bug tracks the need for docs in the Cloud Admin Guide: https://launchpad.net/bugs/1257018 I realize it's a big ask, but let us know how we can help, and if any of those docs make sense to be donated to upstream? Thanks, Anne > -- > > -Nick > > On 6 August 2015 at 15:19, Kevin Bringard (kevinbri) > wrote: > >> I've got to agree. We don't really use the included VPNaaS for many of the >> reasons listed below. Most of our users put appliance VM to establish >> tunnels and behave as their subnet's router, same as Sam. >> >> On 8/6/15, 7:52 AM, "Sam Stoelinga" wrote: >> >> >I'm running VPN servers in VMs. Neutron VPNaaS only supports site-to-site >> >IPSec based VPNs and it seemed quite troublesome to setup >> (opinion-based). >> > >> > >> >Sam Stoelinga >> > >> > >> >On Thu, Aug 6, 2015 at 2:51 PM, Edgar Magana >> > wrote: >> > >> >I know I can¹t wear both hats but in this case as Operator as one of the >> >constant moderators for the neutron-related sessions, I can say that I >> >have never received a report about the VPNaaS code from the Operators. >> >This could be means two things, the code >> > is terrific and nobody has issues with it or basically nobody uses it. >> > >> > >> >Thanks, >> > >> > >> >Edgar >> > >> > >> > >> > >> > >> > >> > >> >From: Kyle Mestery >> >Date: Wednesday, August 5, 2015 at 12:56 PM >> >To: "openstack-operators@lists.openstack.org" >> >Cc: Paul Michali, Doug Wiegley >> >Subject: [Openstack-operators] [neutron] Any users of Neutron's VPN >> >advanced service? >> > >> > >> > >> >Operators: >> > >> > >> >We (myself, Paul and Doug) are looking to better understand who might be >> >using Neutron's VPNaaS code. We're looking for what version you're using, >> >how long you're using it, and if you plan to continue deploying it with >> >future upgrades. Any information operators >> > can provide here would be fantastic! >> > >> > >> >Thank you! >> > >> >Kyle >> > > DataCentred Limited registered in England and Wales no. 05611763 > ___ > OpenStack-operators mailing list > OpenStack-operators@lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > > -- Anne Gentle Rackspace Principal Engineer www.justwriteclick.com ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
Re: [Openstack-operators] [neutron] Any users of Neutron's VPN advanced service?
Hi Kyle, We deployed VPNaaS(OpenSwan driver) in the Catalyst Cloud just over a year ago when it was running Havana. We are in the middle of Icehouse -> Juno upgrades and consider this a must-have feature (we also look forward to the RFE to enable VPN+HA routers.) Aside from typical site-to-site tunnel mode IPsec use cases, we also use it to deliver multi-region anycast services directly into our corporate WAN. Cheers, James On 06/08/15 10:21, Tamanna Z Sait wrote: > Hi Kyle > > We have been actively using Neutron VPNaaS code from icehouse, juno, kilo > releases and have plans to upstream bug fixes as well as enhancements in > this neurton's VPNaaS area moving forward. > We have been using the feature for over 1 year now and plan to continue to > use it and deploy it. > > > > Kyle Mestery mestery at mestery.com > Wed Aug 5 19:56:01 UTC 2015 > Previous message: [Openstack-operators] [hpc] Tuning KVM > Next message: [Openstack-operators] [neutron] Any users of Neutron's VPN > advanced service? > Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] > > Operators: > > We (myself, Paul and Doug) are looking to better understand who might be > using Neutron's VPNaaS code. We're looking for what version you're using, > how long you're using it, and if you plan to continue deploying it with > future upgrades. Any information operators can provide here would be > fantastic! > > Thank you! > Kyle -- James Dempsey Senior Cloud Engineer Catalyst IT Limited +64 4 803 2264 -- ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
Re: [Openstack-operators] [neutron] Any users of Neutron's VPN advanced service?
Most likely the latter, with due respects to the code. Most likely that VPNaaS is not required for current usage scenarios. On Wed, 5 Aug 2015 11:56 pm Edgar Magana wrote: > I know I can’t wear both hats but in this case as Operator as one of the > constant moderators for the neutron-related sessions, I can say that I have > never received a report about the VPNaaS code from the Operators. This > could be means two things, the code is terrific and nobody has issues with > it or basically nobody uses it. > > Thanks, > > Edgar > > > From: Kyle Mestery > Date: Wednesday, August 5, 2015 at 12:56 PM > To: "openstack-operators@lists.openstack.org" > Cc: Paul Michali, Doug Wiegley > Subject: [Openstack-operators] [neutron] Any users of Neutron's VPN > advanced service? > > Operators: > > We (myself, Paul and Doug) are looking to better understand who might be > using Neutron's VPNaaS code. We're looking for what version you're using, > how long you're using it, and if you plan to continue deploying it with > future upgrades. Any information operators can provide here would be > fantastic! > > Thank you! > Kyle > ___ > OpenStack-operators mailing list > OpenStack-operators@lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
Re: [Openstack-operators] [neutron] Any users of Neutron's VPN advanced service?
We've had several users on our public OpenStack installation make use the VPNaaS facility to fulfil their VPN requirements with varying degrees of success. Use cases have ranged, one particular company made extensive use in order to connect different projects together for example. We've recommended to a few people that they're often better served by using an instance and configuring that as an endpoint, but obviously there's a cost associated with that (we don't charge for VPNaaS). We've crafted a few documents as well in order to help our users to get started that cover a few scenarios we've encountered: https://docs.datacentred.io/display/compute/VPNs+with+OpenStack+VPNaaS+and+Juniper+SRX https://docs.datacentred.io/display/compute/VPNs+with+OpenStack+VPNaaS+and+StrongSwan https://docs.datacentred.io/display/compute/OpenStack+to+OpenStack+VPNaaS >From an operational standpoint, one thing I will say is that it can be awkward to troubleshoot when something goes wrong. We're currently on Juno with several network nodes and VPN creation on at least one of them fails consistently for reasons that we've not yet been able to discern. Package versions, configuration, etc. are all exactly the same. Log levels are set to debug but as yet we've not been able to track down the exact root cause. -- -Nick On 6 August 2015 at 15:19, Kevin Bringard (kevinbri) wrote: > I've got to agree. We don't really use the included VPNaaS for many of the > reasons listed below. Most of our users put appliance VM to establish > tunnels and behave as their subnet's router, same as Sam. > > On 8/6/15, 7:52 AM, "Sam Stoelinga" wrote: > > >I'm running VPN servers in VMs. Neutron VPNaaS only supports site-to-site > >IPSec based VPNs and it seemed quite troublesome to setup (opinion-based). > > > > > >Sam Stoelinga > > > > > >On Thu, Aug 6, 2015 at 2:51 PM, Edgar Magana > > wrote: > > > >I know I can¹t wear both hats but in this case as Operator as one of the > >constant moderators for the neutron-related sessions, I can say that I > >have never received a report about the VPNaaS code from the Operators. > >This could be means two things, the code > > is terrific and nobody has issues with it or basically nobody uses it. > > > > > >Thanks, > > > > > >Edgar > > > > > > > > > > > > > > > >From: Kyle Mestery > >Date: Wednesday, August 5, 2015 at 12:56 PM > >To: "openstack-operators@lists.openstack.org" > >Cc: Paul Michali, Doug Wiegley > >Subject: [Openstack-operators] [neutron] Any users of Neutron's VPN > >advanced service? > > > > > > > >Operators: > > > > > >We (myself, Paul and Doug) are looking to better understand who might be > >using Neutron's VPNaaS code. We're looking for what version you're using, > >how long you're using it, and if you plan to continue deploying it with > >future upgrades. Any information operators > > can provide here would be fantastic! > > > > > >Thank you! > > > >Kyle > -- DataCentred Limited registered in England and Wales no. 05611763 ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
Re: [Openstack-operators] [neutron] Any users of Neutron's VPN advanced service?
On 06/08/15 07:56, Kyle Mestery wrote: > Operators: > > We (myself, Paul and Doug) are looking to better understand who might > be using Neutron's VPNaaS code. We're looking for what version you're > using, how long you're using it, and if you plan to continue deploying > it with future upgrades. Any information operators can provide here > would be fantastic! We're running it since Icehouse, and there's one or two issues which are known bugs with upstream fixes in progress, but overall we're happy with it. It's miles easier for our customers to drive than VPN inside VMs, and the ease helps us retain our only-too-scarce IPv4 space. Our customers would be very upset if we discontinued use. ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
Re: [Openstack-operators] [neutron] Any users of Neutron's VPN advanced service?
I've got to agree. We don't really use the included VPNaaS for many of the reasons listed below. Most of our users put appliance VM to establish tunnels and behave as their subnet's router, same as Sam. On 8/6/15, 7:52 AM, "Sam Stoelinga" wrote: >I'm running VPN servers in VMs. Neutron VPNaaS only supports site-to-site >IPSec based VPNs and it seemed quite troublesome to setup (opinion-based). > > >Sam Stoelinga > > >On Thu, Aug 6, 2015 at 2:51 PM, Edgar Magana > wrote: > >I know I can¹t wear both hats but in this case as Operator as one of the >constant moderators for the neutron-related sessions, I can say that I >have never received a report about the VPNaaS code from the Operators. >This could be means two things, the code > is terrific and nobody has issues with it or basically nobody uses it. > > >Thanks, > > >Edgar > > > > > > > >From: Kyle Mestery >Date: Wednesday, August 5, 2015 at 12:56 PM >To: "openstack-operators@lists.openstack.org" >Cc: Paul Michali, Doug Wiegley >Subject: [Openstack-operators] [neutron] Any users of Neutron's VPN >advanced service? > > > >Operators: > > >We (myself, Paul and Doug) are looking to better understand who might be >using Neutron's VPNaaS code. We're looking for what version you're using, >how long you're using it, and if you plan to continue deploying it with >future upgrades. Any information operators > can provide here would be fantastic! > > >Thank you! > >Kyle > > > > > > > >___ >OpenStack-operators mailing list >OpenStack-operators@lists.openstack.org >http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > > > > > > ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
Re: [Openstack-operators] [neutron] Any users of Neutron's VPN advanced service?
I'm running VPN servers in VMs. Neutron VPNaaS only supports site-to-site IPSec based VPNs and it seemed quite troublesome to setup (opinion-based). Sam Stoelinga On Thu, Aug 6, 2015 at 2:51 PM, Edgar Magana wrote: > I know I can’t wear both hats but in this case as Operator as one of the > constant moderators for the neutron-related sessions, I can say that I have > never received a report about the VPNaaS code from the Operators. This > could be means two things, the code is terrific and nobody has issues with > it or basically nobody uses it. > > Thanks, > > Edgar > > > From: Kyle Mestery > Date: Wednesday, August 5, 2015 at 12:56 PM > To: "openstack-operators@lists.openstack.org" > Cc: Paul Michali, Doug Wiegley > Subject: [Openstack-operators] [neutron] Any users of Neutron's VPN > advanced service? > > Operators: > > We (myself, Paul and Doug) are looking to better understand who might be > using Neutron's VPNaaS code. We're looking for what version you're using, > how long you're using it, and if you plan to continue deploying it with > future upgrades. Any information operators can provide here would be > fantastic! > > Thank you! > Kyle > > ___ > OpenStack-operators mailing list > OpenStack-operators@lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > > ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
Re: [Openstack-operators] [neutron] Any users of Neutron's VPN advanced service?
I know I can’t wear both hats but in this case as Operator as one of the constant moderators for the neutron-related sessions, I can say that I have never received a report about the VPNaaS code from the Operators. This could be means two things, the code is terrific and nobody has issues with it or basically nobody uses it. Thanks, Edgar From: Kyle Mestery Date: Wednesday, August 5, 2015 at 12:56 PM To: "openstack-operators@lists.openstack.org<mailto:openstack-operators@lists.openstack.org>" Cc: Paul Michali, Doug Wiegley Subject: [Openstack-operators] [neutron] Any users of Neutron's VPN advanced service? Operators: We (myself, Paul and Doug) are looking to better understand who might be using Neutron's VPNaaS code. We're looking for what version you're using, how long you're using it, and if you plan to continue deploying it with future upgrades. Any information operators can provide here would be fantastic! Thank you! Kyle ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
[Openstack-operators] [neutron] Any users of Neutron's VPN advanced service?
Hi Kyle We have been actively using Neutron VPNaaS code from icehouse, juno, kilo releases and have plans to upstream bug fixes as well as enhancements in this neurton's VPNaaS area moving forward. We have been using the feature for over 1 year now and plan to continue to use it and deploy it. Kyle Mestery mestery at mestery.com Wed Aug 5 19:56:01 UTC 2015 Previous message: [Openstack-operators] [hpc] Tuning KVM Next message: [Openstack-operators] [neutron] Any users of Neutron's VPN advanced service? Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] Operators: We (myself, Paul and Doug) are looking to better understand who might be using Neutron's VPNaaS code. We're looking for what version you're using, how long you're using it, and if you plan to continue deploying it with future upgrades. Any information operators can provide here would be fantastic! Thank you! Kyle -- next part -- An HTML attachment was scrubbed... URL: < http://lists.openstack.org/pipermail/openstack-operators/attachments/20150805/e38465b2/attachment.html > ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
Re: [Openstack-operators] [neutron] Any users of Neutron's VPN advanced service?
I attempted to run it in Juno a while back and had very little success. I would love to be able to use it though, and will give it another shot once upgraded to Kilo. My issue was that several of the options coded into it for firing up a connection were specific to Freeswan which was deprecated, at least in CentOS 7, in favor of Libreswan. Even after hacking in the changes, it still failed to start due to some locking or permissions issue that I could never resolve. Given that we run isolated tenant networks with overlapping IP space for a number of enterprise customers, having a working self-service VPN would be great to have, and I'm looking forward to some future success with it. -Erik On Wed, Aug 5, 2015 at 3:56 PM, Kyle Mestery wrote: > Operators: > > We (myself, Paul and Doug) are looking to better understand who might be > using Neutron's VPNaaS code. We're looking for what version you're using, > how long you're using it, and if you plan to continue deploying it with > future upgrades. Any information operators can provide here would be > fantastic! > > Thank you! > Kyle > > ___ > OpenStack-operators mailing list > OpenStack-operators@lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
[Openstack-operators] [neutron] Any users of Neutron's VPN advanced service?
Operators: We (myself, Paul and Doug) are looking to better understand who might be using Neutron's VPNaaS code. We're looking for what version you're using, how long you're using it, and if you plan to continue deploying it with future upgrades. Any information operators can provide here would be fantastic! Thank you! Kyle ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
