Virtual Private Network as a Service (VPNaaS)
The VPNaaS extension provides OpenStack tenants with the ability to extend private networks across the public telecommunication infrastructure. The capabilities provided by this initial implementation of the VPNaaS extension are:
- Site-to-site Virtual Private Network connecting two private networks.
- Multiple VPN connections per tenant.
- Supporting IKEv1 policy with 3des, aes-128, aes-256, or aes-192 encryption.
- Supporting IPSec policy with 3des, aes-128, aes-256, or aes-192 encryption, sha1 authentication, ESP, AH, or AH-ESP transform protocol, and tunnel or transport mode encapsulation.
- Dead Peer Detection (DPD) allowing hold, clear, restart, disabled, or restart-by-peer actions.
This extension introduces new resources:
- service, a high level object that associates VPN with a specific subnet and router.
- ikepolicy, the Internet Key Exchange policy identifying the authentication and encryption algorithm used during phase one and phase two negotiation of a VPN connection.
- ipsecpolicy, the IP security policy specifying the authentication and encryption algorithm, and encapsulation mode used for the established VPN connection.
- ipsec-site-connection, which holds the details of the site-to-site IPsec connection, including the peer CIDRs, MTU, authentication mode, peer address, DPD settings, and status.
Note
This extension is experimental for the Havana release. The API may change without backward compatibility.
Concepts
A VPN service relates the Virtual Private Network with a specific subnet and router for a tenant.
An IKE Policy is used for phase one and phase two negotiation of the VPN connection. Configuration selects the authentication and encryption algorithm used to establish a connection.
An IPsec Policy is used to specify the encryption algorithm, transform protocol, and mode (tunnel/transport) for the VPN connection.
A VPN connection represents the IPsec tunnel established between two sites for the tenant. This contains configuration settings specifying the policies used, peer information, MTU, and the DPD actions to take.
High-level flow
The high-level task flow for using VPNaaS API to configure a site-to-site Virtual Private Network is as follows:
- The tenant creates a VPN service specifying the router and subnet.
- The tenant creates an IKE Policy.
- The tenant creates an IPsec Policy.
- The tenant creates a VPN connection, specifying the VPN service, peer information, and IKE and IPsec policies.
VPN services
Manage a tenant's VPN service through this extension.
Table VPN Service Attributes

| Attribute | Type | Required | CRUD [a] | Default value | Validation constraints | Notes |
|---|---|---|---|---|---|---|
| id | uuid-str | N/A | R | generated | N/A | Unique identifier for the VPN Service object. |
| tenant_id | uuid-str | Yes | CR | Derived from Authentication token | valid tenant_id | Owner of the VPN service. Only admin users can specify a tenant identifier other than their own. |
| name | String | No | CRU | None | N/A | Human readable name for the VPN service. Does not have to be unique. |
| description | String | No | CRU | None | N/A | Human readable description for the VPN service. |
| status | String | N/A | R | N/A | N/A | Indicates whether IPsec VPN service is currently operational. Possible values include: ACTIVE, DOWN, BUILD, ERROR, PENDING_CREATE, PENDING_UPDATE, or PENDING_DELETE. |
| admin_state_up | Bool | N/A | CRU | true | true / false | Administrative state of the vpnservice. If false (down), port does not forward packets. |
| subnet_id | uuid-str | Yes | CR | N/A | valid subnet ID | The subnet on which the tenant wants the VPN service. This may be extended in the future to support multiple subnets. |
| router_id | uuid-str | Yes | CR | N/A | valid router ID | Router ID to which the VPN service is inserted. This may change in the future, when router level insertion is available. |

[a] CRUD column values:
- C. Use the attribute in create operations.
- R. This attribute is returned in response to show and list operations.
- U. You can update the value of this attribute.
- D. You can delete the value of this attribute.
List VPN services
GET /vpn/vpnservices
Lists VPN services.
Normal Response Code: 200
Error Response Codes: Unauthorized (401), Forbidden (403)
This operation does not require a request body.
This operation returns a response body.
Example List VPN Services: Request
GET /v2.0/vpn/vpnservices.json
User-Agent: python-neutronclient
Accept: application/json
Example List VPN Services: Response
{
"vpnservices": [
{
"router_id": "ec8619be-0ba8-4955-8835-3b49ddb76f89",
"status": "PENDING_CREATE",
"name": "myservice",
"admin_state_up": true,
"subnet_id": "f4fb4528-ed93-467c-a57b-11c7ea9f963e",
"tenant_id": "ccb81365fe36411a9011e90491fe1330",
"id": "9faaf49f-dd89-4e39-a8c6-101839aa49bc",
"description": ""
}
]
}
Show VPN service details
GET /vpn/vpnservices/``service-id``
Shows details about a specified VPN service.
Normal Response Code: 200
Error Response Codes: Unauthorized (401), Forbidden (403), Not Found (404)
This operation does not require a request body.
This operation returns a response body.
Example Show VPN Service: Request
GET /v2.0/vpn/vpnservices/9faaf49f-dd89-4e39-a8c6-101839aa49bc.json
User-Agent: python-neutronclient
Accept: application/json
Example Show VPN Service: Response
{
"vpnservice": {
"router_id": "ec8619be-0ba8-4955-8835-3b49ddb76f89",
"status": "PENDING_CREATE",
"name": "myservice",
"admin_state_up": true,
"subnet_id": "f4fb4528-ed93-467c-a57b-11c7ea9f963e",
"tenant_id": "ccb81365fe36411a9011e90491fe1330",
"id": "9faaf49f-dd89-4e39-a8c6-101839aa49bc",
"description": ""
}
}
Create VPN service
POST /vpn/vpnservices
Creates a VPN service.
Normal Response Code: 201
Error Response Codes: Unauthorized (401), Bad Request (400)
This operation requires a request body.
This operation returns a response body.
Example Create VPN Service: Request
POST /v2.0/vpn/vpnservices.json
User-Agent: python-neutronclient
Accept: application/json
{
"vpnservice": {
"subnet_id": "f4fb4528-ed93-467c-a57b-11c7ea9f963e",
"router_id": "ec8619be-0ba8-4955-8835-3b49ddb76f89",
"name": "myservice",
"admin_state_up": true
}
}
Example Create VPN Service: Response
HTTP/1.1 201 Created
Content-Type: application/json; charset=UTF-8
{
"vpnservice": {
"router_id": "ec8619be-0ba8-4955-8835-3b49ddb76f89",
"status": "PENDING_CREATE",
"name": "myservice",
"admin_state_up": true,
"subnet_id": "f4fb4528-ed93-467c-a57b-11c7ea9f963e",
"tenant_id": "ccb81365fe36411a9011e90491fe1330",
"id": "9faaf49f-dd89-4e39-a8c6-101839aa49bc",
"description": ""
}
}
Update VPN service
PUT /vpn/vpnservices/``service-id``
Updates a VPN service, provided its status is not a PENDING_* state.
Normal Response Code: 200
Error Response Codes: Unauthorized (401), Bad Request (400), Not Found (404)
Example Update VPN Service: Request
PUT /v2.0/vpn/vpnservices/41bfef97-af4e-4f6b-a5d3-4678859d2485.json
User-Agent: python-neutronclient
Accept: application/json
{
"vpnservice": {
"description": "Updated description"
}
}
Example Update VPN Service: Response
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
{
"vpnservice": {
"router_id": "881b7b30-4efb-407e-a162-5630a7af3595",
"status": "ACTIVE",
"name": "myvpn",
"admin_state_up": true,
"subnet_id": "25f8a35c-82d5-4f55-a45b-6965936b33f6",
"tenant_id": "26de9cd6cae94c8cb9f79d660d628e1f",
"id": "41bfef97-af4e-4f6b-a5d3-4678859d2485",
"description": "Updated description"
}
}
Delete VPN service
DELETE /vpn/vpnservices/``service-id``
Deletes a VPN service.
Normal Response Code: 204
Error Response Codes: Unauthorized (401), Not Found (404), Conflict (409)
This operation does not require a request body.
This operation does not return a response body.
Example Delete VPN Service: Request
DELETE /v2.0/vpn/vpnservices/1be5e5f7-c45e-49ba-85da-156575b60d50.json
User-Agent: python-neutronclient
Accept: application/json
Example Delete VPN Service: Response
HTTP/1.1 204 No Content
Content-Length: 0
IKE policies
Manage IKE policies through the VPN as a Service extension.
Table IKE Policy Attributes

| Attribute | Type | Required | CRUD [a] | Default value | Validation constraints | Notes |
|---|---|---|---|---|---|---|
| id | uuid-str | N/A | R | generated | N/A | Unique identifier for the IKE policy. |
| tenant_id | uuid-str | Yes | CR | None | valid tenant_id | Unique identifier for owner of the VPN service. |
| name | string | yes | CRU | None | N/A | Friendly name for the IKE policy. |
| description | string | no | CRU | None | N/A | Description of the IKE policy. |
| auth_algorithm | string | no | CRU | sha1 | N/A | Authentication Hash algorithms: sha1. |
| encryption_algorithm | string | no | CRU | aes-128 | N/A | Encryption Algorithms: 3des, aes-128, aes-256, aes-192, etc. |
| phase1_negotiation_mode | string | no | CRU | Main Mode | N/A | IKE mode: Main Mode. |
| pfs | string | no | CRU | Group5 | N/A | Perfect Forward Secrecy: Group2, Group5, or Group14. |
| ike_version | string | no | CRU | v1 | N/A | Version: v1 or v2. |
| lifetime | dict | no | CRU | units: seconds, value: 3600. | Dictionary should be in this form: {'units': 'seconds', 'value': 2000}. Value is a positive integer. | Lifetime of the SA. Units in 'seconds'. Either units or value may be omitted. |

[a] CRUD column values:
- C. Use the attribute in create operations.
- R. This attribute is returned in response to show and list operations.
- U. You can update the value of this attribute.
- D. You can delete the value of this attribute.
List IKE policies
GET /vpn/ikepolicies
Lists IKE policies.
Normal Response Code: 200
Error Response Codes: Unauthorized (401), Forbidden (403)
This operation does not require a request body.
This operation returns a response body.
Example List IKE Policies: Request
GET /v2.0/vpn/ikepolicies.json
User-Agent: python-neutronclient
Accept: application/json
Example List IKE Policies: Response
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
{
"ikepolicies": [
{
"name": "ikepolicy1",
"tenant_id": "ccb81365fe36411a9011e90491fe1330",
"auth_algorithm": "sha1",
"encryption_algorithm": "aes-256",
"pfs": "group5",
"phase1_negotiation_mode": "main",
"lifetime": {
"units": "seconds",
"value": 3600
},
"ike_version": "v1",
"id": "5522aff7-1b3c-48dd-9c3c-b50f016b73db",
"description": ""
}
]
}
Show IKE policy details
GET /vpn/ikepolicies/``ikepolicy-id``
Shows details for a specified IKE policy.
Normal Response Code: 200
Error Response Codes: Unauthorized (401), Forbidden (403), Not Found (404)
This operation does not require a request body.
This operation returns a response body.
Example Show IKE Policy: Request
GET /v2.0/vpn/ikepolicies/5522aff7-1b3c-48dd-9c3c-b50f016b73db.json
User-Agent: python-neutronclient
Accept: application/json
Example Show IKE Policy: Response
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
{
"ikepolicy": {
"name": "ikepolicy1",
"tenant_id": "ccb81365fe36411a9011e90491fe1330",
"auth_algorithm": "sha1",
"encryption_algorithm": "aes-256",
"pfs": "group5",
"phase1_negotiation_mode": "main",
"lifetime": {
"units": "seconds",
"value": 3600
},
"ike_version": "v1",
"id": "5522aff7-1b3c-48dd-9c3c-b50f016b73db",
"description": ""
}
}
Create IKE policy
POST /vpn/ikepolicies
Creates an IKE policy.
Normal Response Code: 201
Error Response Codes: Unauthorized (401), Bad Request (400)
This operation requires a request body.
This operation returns a response body.
Example Create IKE Policy: Request
POST /v2.0/vpn/ikepolicies.json
User-Agent: python-neutronclient
Accept: application/json
{
"ikepolicy": {
"phase1_negotiation_mode": "main",
"auth_algorithm": "sha1",
"encryption_algorithm": "aes-128",
"pfs": "group5",
"lifetime": {
"units": "seconds",
"value": 7200
},
"ike_version": "v1",
"name": "ikepolicy1"
}
}
Example Create IKE Policy: Response
HTTP/1.1 201 Created
Content-Type: application/json; charset=UTF-8
{
"ikepolicy": {
"name": "ikepolicy1",
"tenant_id": "ccb81365fe36411a9011e90491fe1330",
"auth_algorithm": "sha1",
"encryption_algorithm": "aes-128",
"pfs": "group5",
"phase1_negotiation_mode": "main",
"lifetime": {
"units": "seconds",
"value": 7200
},
"ike_version": "v1",
"id": "5522aff7-1b3c-48dd-9c3c-b50f016b73db",
"description": ""
}
}
Update IKE policy
PUT /vpn/ikepolicies/``ikepolicy-id``
Updates an IKE policy.
Normal Response Code: 200
Error Response Codes: Unauthorized (401), Bad Request (400), Not Found (404)
Example Update IKE Policy: Request
PUT /v2.0/vpn/ikepolicies/5522aff7-1b3c-48dd-9c3c-b50f016b73db.json
User-Agent: python-neutronclient
Accept: application/json
{
"ikepolicy": {
"encryption_algorithm": "aes-256"
}
}
Example Update IKE Policy: Response
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
{
"ikepolicy": {
"name": "ikepolicy1",
"tenant_id": "ccb81365fe36411a9011e90491fe1330",
"auth_algorithm": "sha1",
"encryption_algorithm": "aes-256",
"pfs": "group5",
"phase1_negotiation_mode": "main",
"lifetime": {
"units": "seconds",
"value": 3600
},
"ike_version": "v1",
"id": "5522aff7-1b3c-48dd-9c3c-b50f016b73db",
"description": ""
}
}
Delete IKE policy
DELETE /vpn/ikepolicies/``ikepolicy-id``
Deletes an IKE policy.
Normal Response Code: 204
Error Response Codes: Unauthorized (401), Not Found (404), Conflict (409)
This operation does not require a request body.
This operation does not return a response body.
Example Delete IKE Policy: Request
DELETE /v2.0/vpn/ikepolicies/5522aff7-1b3c-48dd-9c3c-b50f016b73db.json
User-Agent: python-neutronclient
Accept: application/json
Example Delete IKE Policy: Response
HTTP/1.1 204 No Content
Content-Length: 0
IPSec policies
Manage IPSec policies through the VPN as a Service extension.
Table IPSec Policy Attributes

| Attribute | Type | Required | CRUD [a] | Default value | Validation constraints | Notes |
|---|---|---|---|---|---|---|
| id | uuid-str | N/A | R | generated | N/A | Unique identifier for the IPsec policy. |
| tenant_id | uuid-str | Yes | CR | None | valid tenant_id | Unique identifier for owner of the VPN service. |
| name | string | yes | CRU | None | N/A | Friendly name for the IPsec policy. |
| description | string | no | CRU | None | N/A | Description of the IPSec policy. |
| transform_protocol | string | no | CRU | ESP | N/A | Transform protocol used: ESP, AH, or AH-ESP. |
| encapsulation_mode | string | no | CRU | tunnel | N/A | Encapsulation mode: tunnel or transport. |
| auth_algorithm | string | no | CRU | sha1 | N/A | Authentication algorithm: sha1. |
| encryption_algorithm | string | no | CRU | aes-128 | N/A | Encryption Algorithms: 3des, aes-128, aes-256, or aes-192. |
| pfs | string | no | CRU | group5 | N/A | Perfect Forward Secrecy: group2, group5, or group14. |
| lifetime | dict | no | CRU | units: seconds, value: 3600. | Dictionary should be in this form: {'units': 'seconds', 'value': 2000}. Value is a positive integer. | Lifetime of the SA. Units in 'seconds'. Either units or value may be omitted. |

[a] CRUD column values:
- C. Use the attribute in create operations.
- R. This attribute is returned in response to show and list operations.
- U. You can update the value of this attribute.
- D. You can delete the value of this attribute.
List IPSec policies
GET /vpn/ipsecpolicies
Lists IPSec policies.
Normal Response Code: 200
Error Response Codes: Unauthorized (401), Forbidden (403)
This operation does not require a request body.
This operation returns a response body.
Example List IPSec Policies: Request
GET /v2.0/vpn/ipsecpolicies.json
User-Agent: python-neutronclient
Accept: application/json
Example List IPSec Policies: Response
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
{
"ipsecpolicies": [
{
"name": "ipsecpolicy1",
"transform_protocol": "esp",
"auth_algorithm": "sha1",
"encapsulation_mode": "tunnel",
"encryption_algorithm": "aes-128",
"pfs": "group14",
"tenant_id": "ccb81365fe36411a9011e90491fe1330",
"lifetime": {
"units": "seconds",
"value": 3600
},
"id": "5291b189-fd84-46e5-84bd-78f40c05d69c",
"description": ""
}
]
}
Show IPSec policy details
GET /vpn/ipsecpolicies/``ipsecpolicy-id``
Shows details for a specified IPSec policy.
Normal Response Code: 200
Error Response Codes: Unauthorized (401), Forbidden (403), Not Found (404)
This operation does not require a request body.
This operation returns a response body.
Example Show IPSec policy: Request
GET /v2.0/vpn/ipsecpolicies/5291b189-fd84-46e5-84bd-78f40c05d69c.json
User-Agent: python-neutronclient
Accept: application/json
Example Show IPSec policy: Response
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
{
"ipsecpolicy": {
"name": "ipsecpolicy1",
"transform_protocol": "esp",
"auth_algorithm": "sha1",
"encapsulation_mode": "tunnel",
"encryption_algorithm": "aes-128",
"pfs": "group14",
"tenant_id": "ccb81365fe36411a9011e90491fe1330",
"lifetime": {
"units": "seconds",
"value": 3600
},
"id": "5291b189-fd84-46e5-84bd-78f40c05d69c",
"description": ""
}
}
Create IPSec Policy
POST /vpn/ipsecpolicies
Creates an IPSec policy.
Normal Response Code: 201
Error Response Codes: Unauthorized (401), Bad Request (400)
This operation requires a request body.
This operation returns a response body.
Example Create IPSec policy: Request
POST /v2.0/vpn/ipsecpolicies.json
User-Agent: python-neutronclient
Accept: application/json
{
"ipsecpolicy": {
"name": "ipsecpolicy1",
"transform_protocol": "esp",
"auth_algorithm": "sha1",
"encapsulation_mode": "tunnel",
"encryption_algorithm": "aes-128",
"pfs": "group5",
"lifetime": {
"units": "seconds",
"value": 7200
}
}
}
Example Create IPSec policy: Response
HTTP/1.1 201 Created
Content-Type: application/json; charset=UTF-8
{
"ipsecpolicy": {
"name": "ipsecpolicy1",
"transform_protocol": "esp",
"auth_algorithm": "sha1",
"encapsulation_mode": "tunnel",
"encryption_algorithm": "aes-128",
"pfs": "group5",
"tenant_id": "ccb81365fe36411a9011e90491fe1330",
"lifetime": {
"units": "seconds",
"value": 7200
},
"id": "5291b189-fd84-46e5-84bd-78f40c05d69c",
"description": ""
}
}
Update IPSec Policy
PUT /vpn/ipsecpolicies/``ipsecpolicy-id``
Updates an IPSec policy.
Normal Response Code: 200
Error Response Codes: Unauthorized (401), Bad Request (400), Not Found (404)
Example Update IPSec policy: Request
PUT /v2.0/vpn/ipsecpolicies/5291b189-fd84-46e5-84bd-78f40c05d69c.json
User-Agent: python-neutronclient
Accept: application/json
{
"ipsecpolicy": {
"pfs": "group14"
}
}
Example Update IPSec policy: Response
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
{
"ipsecpolicy": {
"name": "ipsecpolicy1",
"transform_protocol": "esp",
"auth_algorithm": "sha1",
"encapsulation_mode": "tunnel",
"encryption_algorithm": "aes-128",
"pfs": "group14",
"tenant_id": "ccb81365fe36411a9011e90491fe1330",
"lifetime": {
"units": "seconds",
"value": 3600
},
"id": "5291b189-fd84-46e5-84bd-78f40c05d69c",
"description": ""
}
}
Delete IPSec policy
DELETE /vpn/ipsecpolicies/``ipsecpolicy-id``
Deletes an IPSec policy.
Normal Response Code: 204
Error Response Codes: Unauthorized (401), Not Found (404), Conflict (409)
This operation does not require a request body.
This operation does not return a response body.
Example Delete IPSec policy: Request
DELETE /v2.0/vpn/ipsecpolicies/5291b189-fd84-46e5-84bd-78f40c05d69c.json
User-Agent: python-neutronclient
Accept: application/json
Example Delete IPSec policy: Response
HTTP/1.1 204 No Content
Content-Length: 0
IPSec site connections
Manage IPSec site-to-site connections through the VPN as a Service extension.
Table IPSec site connection attributes

| Attribute | Type | Required | CRUD [a] | Default Value | Validation Constraints | Notes |
|---|---|---|---|---|---|---|
| id | uuid-str | N/A | R | generated | N/A | Unique identifier for the IPSec site-to-site connection. |
| tenant_id | uuid-str | Yes | CR | None | valid tenant_id | Unique identifier for owner of the VPN service. |
| name | string | no | CRU | None | N/A | Name for IPSec site-to-site connection. |
| description | string | no | CRU | None | N/A | Description of the IPSec site-to-site connection. |
| peer_address | string | yes | CRU | N/A | N/A | Peer gateway public IPv4/IPv6 address or FQDN. |
| peer_id | string | yes | CRU | N/A | N/A | Peer router identity for authentication. Can be IPv4/IPv6 address, e-mail address, key id, or FQDN. |
| peer_cidrs | list[string] | yes | CRU | N/A | unique list of valid cidr in the form <net_address>/<prefix> | Peer private CIDRs. |
| route_mode | string | no | R | static | static | Route mode: static. This will be extended in the future. |
| mtu | integer | no | CRU | 1500 | Integer. Minimum is 68 for IPv4 and 1280 for IPv6. | Maximum Transmission Unit to address fragmentation. |
| auth_mode | string | no | R | psk | psk/certs | Authentication mode: PSK or certificate. |
| psk | string | yes | CRU | N/A | NO | Pre Shared Key: any string. |
| initiator | string | no | CRU | bi-directional | bi-directional / response-only | Whether this VPN can only respond to connections or can initiate as well. |
| admin_state_up | bool | N/A | CRU | TRUE | true / false | Administrative state of VPN connection. If false (down), VPN connection does not forward packets. |
| status | string | N/A | R | N/A | N/A | Indicates whether VPN connection is currently operational. Possible values include: ACTIVE, DOWN, BUILD, ERROR, PENDING_CREATE, PENDING_UPDATE, or PENDING_DELETE. |
| ikepolicy_id | uuid | yes | CR | N/A | Unique identifier of IKE policy | Unique identifier of IKE policy. |
| ipsecpolicy_id | uuid | yes | CR | N/A | Unique identifier of IPSec policy | Unique identifier of IPSec policy. |
| vpnservice_id | uuid | yes | CR | N/A | Unique identifier of VPN service | Unique identifier of VPN service. |
| dpd | dict | no | CRU | action: hold, interval: 30, timeout: 120 | Dictionary should be in this form: {'action': 'clear', 'interval': 20, 'timeout': 60}. Interval is positive integer. Timeout is greater than interval. | Dead Peer Detection protocol controls. Action: clear, hold, restart, disabled, or restart-by-peer. Interval and timeout in seconds. |

[a] CRUD column values:
- C. Use the attribute in create operations.
- R. This attribute is returned in response to show and list operations.
- U. You can update the value of this attribute.
- D. You can delete the value of this attribute.
List IPSec site connections
GET /vpn/ipsec-site-connections
Lists the IPSec site-to-site connections.
Normal Response Code: 200
Error Response Codes: Unauthorized (401), Forbidden (403)
This operation does not require a request body.
This operation returns a response body.
Example List IPSec site connections: Request
GET /v2.0/vpn/ipsec-site-connections.json
User-Agent: python-neutronclient
Accept: application/json
Example List IPSec site connections: Response
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
{
"ipsec_site_connections": [
{
"status": "PENDING_CREATE",
"psk": "secret",
"initiator": "bi-directional",
"name": "vpnconnection1",
"admin_state_up": true,
"tenant_id": "ccb81365fe36411a9011e90491fe1330",
"description": "",
"auth_mode": "psk",
"peer_cidrs": [
"10.1.0.0/24"
],
"mtu": 1500,
"ikepolicy_id": "bf5612ac-15fb-460c-9b3d-6453da2fafa2",
"dpd": {
"action": "hold",
"interval": 30,
"timeout": 120
},
"route_mode": "static",
"vpnservice_id": "c2f3178d-5530-4c4a-89fc-050ecd552636",
"peer_address": "172.24.4.226",
"peer_id": "172.24.4.226",
"id": "cbc152a0-7e93-4f98-9f04-b085a4bf2511",
"ipsecpolicy_id": "8ba867b2-67eb-4835-bb61-c226804a1584"
}
]
}
Show IPSec site connection details
GET /vpn/ipsec-site-connections/``connection-id``
Shows details about a specified IPSec site-to-site connection.
Normal Response Code: 200
Error Response Codes: Unauthorized (401), Forbidden (403), Not Found (404)
This operation does not require a request body.
This operation returns a response body.
Example Show IPSec site connection: Request
GET /v2.0/vpn/ipsec-site-connections/cbc152a0-7e93-4f98-9f04-b085a4bf2511.json
User-Agent: python-neutronclient
Accept: application/json
Example Show IPSec site connection: Response
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
{
"ipsec_site_connection": {
"status": "PENDING_CREATE",
"psk": "secret",
"initiator": "bi-directional",
"name": "vpnconnection1",
"admin_state_up": true,
"tenant_id": "ccb81365fe36411a9011e90491fe1330",
"description": "",
"auth_mode": "psk",
"peer_cidrs": [
"10.1.0.0/24"
],
"mtu": 1500,
"ikepolicy_id": "bf5612ac-15fb-460c-9b3d-6453da2fafa2",
"dpd": {
"action": "hold",
"interval": 30,
"timeout": 120
},
"route_mode": "static",
"vpnservice_id": "c2f3178d-5530-4c4a-89fc-050ecd552636",
"peer_address": "172.24.4.226",
"peer_id": "172.24.4.226",
"id": "cbc152a0-7e93-4f98-9f04-b085a4bf2511",
"ipsecpolicy_id": "8ba867b2-67eb-4835-bb61-c226804a1584"
}
}
Create IPSec site connection
POST /vpn/ipsec-site-connections
Creates an IPSec site connection.
Normal Response Code: 201
Error Response Codes: Unauthorized (401), Bad Request (400)
This operation requires a request body.
This operation returns a response body.
Example Create IPSec site connection: Request
POST /v2.0/vpn/ipsec-site-connections.json
User-Agent: python-neutronclient
Accept: application/json
{
"ipsec_site_connection": {
"psk": "secret",
"initiator": "bi-directional",
"ipsecpolicy_id": "22b8abdc-e822-45b3-90dd-f2c8512acfa5",
"admin_state_up": true,
"peer_cidrs": [
"10.2.0.0/24"
],
"mtu": "1500",
"ikepolicy_id": "d3f373dc-0708-4224-b6f8-676adf27dab8",
"dpd": {
"action": "disabled",
"interval": 60,
"timeout": 240
},
"vpnservice_id": "7b347d20-6fa3-4e22-b744-c49ee235ae4f",
"peer_address": "172.24.4.233",
"peer_id": "172.24.4.233",
"name": "vpnconnection1"
}
}
Example Create IPSec site connection: Response
HTTP/1.1 201 Created
Content-Type: application/json; charset=UTF-8
{
"ipsec_site_connection": {
"status": "PENDING_CREATE",
"psk": "secret",
"initiator": "bi-directional",
"name": "vpnconnection1",
"admin_state_up": true,
"tenant_id": "b6887d0b45b54a249b2ce3dee01caa47",
"description": "",
"auth_mode": "psk",
"peer_cidrs": [
"10.2.0.0/24"
],
"mtu": 1500,
"ikepolicy_id": "d3f373dc-0708-4224-b6f8-676adf27dab8",
"dpd": {
"action": "disabled",
"interval": 60,
"timeout": 240
},
"route_mode": "static",
"vpnservice_id": "7b347d20-6fa3-4e22-b744-c49ee235ae4f",
"peer_address": "172.24.4.233",
"peer_id": "172.24.4.233",
"id": "af44dfd7-cf91-4451-be57-cd4fdd96b5dc",
"ipsecpolicy_id": "22b8abdc-e822-45b3-90dd-f2c8512acfa5"
}
}
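The validation constraints from the IPSec site connection attribute table, applied to a create request body before it is sent. This is an added example, not code from OpenStack or python-neutronclient; `validate_site_connection` and the constant names are hypothetical, and the two points marked "Assumption" in the comments (which address family sets the MTU minimum, and defaults for omitted `dpd` keys) are choices made here, not statements from the page.

```python
import ipaddress

# Constraints transcribed from the IPSec site connection attribute table.
# tenant_id is not enforced here: the page's own create request omits it.
REQUIRED = ("peer_address", "peer_id", "peer_cidrs", "psk",
            "ikepolicy_id", "ipsecpolicy_id", "vpnservice_id")
READ_ONLY = ("id", "status", "route_mode", "auth_mode")  # CRUD column is R
DPD_ACTIONS = ("clear", "hold", "restart", "disabled", "restart-by-peer")
DPD_DEFAULT = {"action": "hold", "interval": 30, "timeout": 120}
INITIATORS = ("bi-directional", "response-only")
MIN_MTU = {4: 68, 6: 1280}  # IP version -> minimum MTU


def _as_int(value):
    """Accept 1500 or "1500" (the page's request sends a string), else None."""
    try:
        return None if isinstance(value, bool) else int(value)
    except (TypeError, ValueError):
        return None


def validate_site_connection(body):
    """Return the constraint violations found in a create request body."""
    conn = body.get("ipsec_site_connection")
    if not isinstance(conn, dict):
        return ["ipsec_site_connection: missing object"]
    errors = [f"{key}: required" for key in REQUIRED if key not in conn]
    errors += [f"{key}: read-only" for key in READ_ONLY if key in conn]

    # peer_cidrs: unique list of valid <net_address>/<prefix> strings.
    networks = []
    for cidr in conn.get("peer_cidrs", []):
        try:
            if "/" not in str(cidr):
                raise ValueError("prefix missing")
            net = ipaddress.ip_network(cidr)  # strict: host bits must be 0
        except ValueError:
            errors.append(f"peer_cidrs: invalid CIDR {cidr!r}")
            continue
        if net in networks:
            errors.append(f"peer_cidrs: duplicate {cidr!r}")
        networks.append(net)

    # mtu: minimum 68 for IPv4 and 1280 for IPv6. Assumption: the address
    # family that applies is the one used by the peer CIDRs.
    floor = max((MIN_MTU[net.version] for net in networks), default=68)
    mtu = _as_int(conn.get("mtu", 1500))
    if mtu is None or mtu < floor:
        errors.append(f"mtu: must be an integer >= {floor}")

    # dpd: interval is a positive integer, timeout is greater than interval.
    # Assumption: keys left out of dpd take the documented defaults.
    given = conn.get("dpd", {})
    dpd = {**DPD_DEFAULT, **(given if isinstance(given, dict) else {})}
    if not isinstance(given, dict) or dpd["action"] not in DPD_ACTIONS:
        errors.append("dpd: must be a dictionary with a documented action")
    interval, timeout = _as_int(dpd["interval"]), _as_int(dpd["timeout"])
    if interval is None or interval <= 0:
        errors.append("dpd.interval: must be a positive integer")
    elif timeout is None or timeout <= interval:
        errors.append("dpd.timeout: must be greater than interval")

    if conn.get("initiator", "bi-directional") not in INITIATORS:
        errors.append("initiator: must be bi-directional or response-only")
    return errors


# Create request copied from the page's example.
PAGE_REQUEST = {"ipsec_site_connection": {
    "psk": "secret", "initiator": "bi-directional", "admin_state_up": True,
    "ipsecpolicy_id": "22b8abdc-e822-45b3-90dd-f2c8512acfa5",
    "ikepolicy_id": "d3f373dc-0708-4224-b6f8-676adf27dab8",
    "vpnservice_id": "7b347d20-6fa3-4e22-b744-c49ee235ae4f",
    "peer_cidrs": ["10.2.0.0/24"], "mtu": "1500",
    "dpd": {"action": "disabled", "interval": 60, "timeout": 240},
    "peer_address": "172.24.4.233", "peer_id": "172.24.4.233",
    "name": "vpnconnection1"}}

# Constructed request that breaks four constraints at once.
BAD_REQUEST = {"ipsec_site_connection": {
    **PAGE_REQUEST["ipsec_site_connection"], "auth_mode": "psk", "mtu": 1000,
    "peer_cidrs": ["10.2.0.0/24", "10.2.0.0/24", "fd00::/64"],
    "dpd": {"action": "hold", "interval": 60, "timeout": 60}}}
```

`validate_site_connection(PAGE_REQUEST)` returns an empty list, while `validate_site_connection(BAD_REQUEST)` reports the read-only attribute, the duplicate CIDR, the MTU below the IPv6 minimum, and the DPD timeout that is not greater than the interval.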
Update IPSec site connection
PUT /vpn/ipsec-site-connections/``connection-id``
Updates an IPSec site-to-site connection, provided its status is not a PENDING_* state.
Normal Response Code: 200
Error Response Codes: Unauthorized (401), Bad Request (400), Not Found (404)
Example Update IPSec site connection: Request
PUT /v2.0/vpn/ipsec-site-connections/f7cf7305-f491-45f4-ad9c-8e7240fe3d72.json
User-Agent: python-neutronclient
Accept: application/json
{
"ipsec_site_connection": {
"mtu": "2000"
}
}
Example Update IPSec site connection: Response
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
{
"ipsec_site_connection": {
"status": "DOWN",
"psk": "secret",
"initiator": "bi-directional",
"name": "vpnconnection1",
"admin_state_up": true,
"tenant_id": "26de9cd6cae94c8cb9f79d660d628e1f",
"description": "",
"auth_mode": "psk",
"peer_cidrs": [
"10.2.0.0/24"
],
"mtu": 2000,
"ikepolicy_id": "771f081c-5ec8-4f9a-b041-015dfb7fbbe2",
"dpd": {
"action": "hold",
"interval": 30,
"timeout": 120
},
"route_mode": "static",
"vpnservice_id": "41bfef97-af4e-4f6b-a5d3-4678859d2485",
"peer_address": "172.24.4.233",
"peer_id": "172.24.4.233",
"id": "f7cf7305-f491-45f4-ad9c-8e7240fe3d72",
"ipsecpolicy_id": "9958d4fe-3719-4e8c-84e7-9893895b76b4"
}
}
Delete IPSec site connection
DELETE /vpn/ipsec-site-connections/``connection-id``
Deletes an IPSec site-to-site connection.
Normal Response Code: 204
Error Response Codes: Unauthorized (401), Not Found (404), Conflict (409)
This operation does not require a request body.
This operation does not return a response body.
Example Delete IPSec site connection: Request
DELETE /v2.0/vpn/ipsec-site-connections/cbc152a0-7e93-4f98-9f04-b085a4bf2511.json
User-Agent: python-neutronclient
Accept: application/json
Example Delete IPSec site connection: Response
HTTP/1.1 204 No Content
Content-Length: 0