The primary commands associated with VPNaaS in the Neutron CLI include:
vpn-ikepolicy-create
vpn-ikepolicy-delete
vpn-ikepolicy-list
vpn-ikepolicy-show
vpn-ikepolicy-update
vpn-ipsecpolicy-create
vpn-ipsecpolicy-delete
vpn-ipsecpolicy-list
vpn-ipsecpolicy-show
vpn-ipsecpolicy-update
vpn-service-create
vpn-service-delete
vpn-service-list
vpn-service-show
vpn-service-update
ipsec-site-connection-create
ipsec-site-connection-delete
ipsec-site-connection-list
ipsec-site-connection-show
ipsec-site-connection-update
IKE policies define the parameters used to establish phase 1 of an IPSec tunnel and are a required component of IPSec site connections.
To create an IKE policy in the CLI, use the Neutron vpn-ikepolicy-create command as shown in the following example:
usage: vpn-ikepolicy-create [--tenant-id TENANT_ID] [--description DESCRIPTION] [--auth-algorithm {sha1}] [--encryption-algorithm ENCRYPTION_ALGORITHM] [--phase1-negotiation-mode {main}] [--ike-version {v1,v2}] [--pfs {group2,group5,group14}] [--lifetime units=UNITS,value=VALUE] NAME
Here, the --tenant-id flag is optional and allows you to associate the IKE policy with the specified tenant.
The --description flag is optional and allows you to provide a description of the IKE policy.
The --auth-algorithm flag is also optional and allows you to specify the authentication algorithm. The default and only available option at this time is sha1.
The --encryption-algorithm flag is optional as well and allows you to specify the encryption algorithm. Available options include 3des, aes-128, aes-192, and aes-256. The default is aes-128.
The --phase1-negotiation-mode flag is optional and allows you to specify the IKE Phase 1 negotiation mode. The default and only available option at this time is main.
The --ike-version flag is optional and allows you to specify the IKE version. Available options include v1 or v2; the default is v1.
The --pfs flag is optional and allows you to specify the Perfect Forward Secrecy group. Available options include group2, group5, and group14. The default is group5.
The --lifetime flag is also optional and is used to specify the interval between Phase 1 rekeys. The only unit of time available at this time is seconds. The default value is 3600 (one hour).
Finally, the NAME keyword is used to name the policy.
To delete an IKE policy in the CLI, use the Neutron vpn-ikepolicy-delete command as shown here:
usage: vpn-ikepolicy-delete IKEPOLICY
The keyword IKEPOLICY is used to represent the ID of the IKE policy to be deleted.
To list all IKE policies in the CLI, use the Neutron vpn-ikepolicy-list command as shown here:
usage: vpn-ikepolicy-list
The returned output includes the ID, name, authentication algorithm, encryption algorithm, IKE version, and PFS group number of the IKE policies within the tenant.
To show the details of an IKE policy within the CLI, use the Neutron vpn-ikepolicy-show command, as follows:
usage: vpn-ikepolicy-show IKEPOLICY
The returned output includes the name, authentication algorithm, encryption algorithm, IKE version, lifetime, PFS group number, and Phase 1 negotiation mode of the specified IKE policy.
Many of the attributes of an IKE policy are editable prior to the IKE policy being applied to an IPSec site connection. To update an attribute of an IKE policy in the CLI, use the Neutron vpn-ikepolicy-update command, as follows:
usage: vpn-ikepolicy-update NAME [--description DESCRIPTION] [--encryption-algorithm ENCRYPTION_ALGORITHM] [--ike-version {v1,v2}] [--pfs {group2,group5,group14}] [--lifetime units=UNITS,value=VALUE] [--name NEWNAME]
Once an IKE policy is applied to an IPSec site connection, none of the attributes can be modified.
IPSec policies define the parameters used to establish Phase 2 of an IPSec tunnel and are a required component of IPSec site connections.
To create an IPSec policy in the CLI, use the Neutron vpn-ipsecpolicy-create command, as follows:
usage: vpn-ipsecpolicy-create [--tenant-id TENANT_ID] [--description DESCRIPTION] [--transform-protocol {esp,ah,ah-esp}] [--auth-algorithm {sha1}] [--encryption-algorithm ENCRYPTION_ALGORITHM] [--encapsulation-mode {tunnel,transport}] [--pfs {group2,group5,group14}] [--lifetime units=UNITS,value=VALUE] NAME
Here, the --tenant-id flag is optional and allows you to associate the IPSec policy with the specified tenant.
The --description flag is also optional and allows you to provide a description of the IPSec policy.
The --transform-protocol flag is optional as well and allows you to specify the transform protocol. Available options include esp, ah, and ah-esp. The default is esp.
The --auth-algorithm flag is optional and allows you to specify the authentication algorithm. The default and only available option at this time is sha1.
The --encryption-algorithm flag is optional and allows you to specify the encryption algorithm. Available options include 3des, aes-128, aes-192, and aes-256. The default is aes-128.
The --encapsulation-mode flag is optional as well and allows you to specify the encapsulation mode. Available options include tunnel or transport. The default is tunnel.
The --pfs flag is also optional and allows you to specify the Perfect Forward Secrecy group. Available options include group2, group5, and group14. The default is group5.
The --lifetime flag is optional and is used to specify the interval between Phase 2 rekeys. The only unit of time available at this time is seconds. The default value is 3600 (one hour).
Finally, the keyword NAME is used to name the policy.
To delete an IPSec policy in the CLI, use the Neutron vpn-ipsecpolicy-delete command, as follows:
usage: vpn-ipsecpolicy-delete IPSECPOLICY
Here, the keyword IPSECPOLICY is used to represent the ID of the IPSec policy to be deleted.
To list all the IPSec policies in the CLI, use the Neutron vpn-ipsecpolicy-list command, as follows:
usage: vpn-ipsecpolicy-list
The returned output includes the ID, name, authentication algorithm, encryption algorithm, and PFS group number of the IPSec policies within the tenant.
To show the details of an IPSec policy within the CLI, use the Neutron vpn-ipsecpolicy-show command, as follows:
usage: vpn-ipsecpolicy-show IPSECPOLICY
The returned output includes the name, authentication algorithm, encapsulation mode, encryption algorithm, lifetime, PFS group number, and transform protocol of the specified IPSec policy.
Many of the attributes of an IPSec policy are editable prior to the IPSec policy being applied to an IPSec site connection. To update an attribute of the IPSec policy in the CLI, use the Neutron vpn-ipsecpolicy-update command, as follows:
usage: vpn-ipsecpolicy-update NAME [--description DESCRIPTION] [--encapsulation-mode {tunnel,transport}] [--encryption-algorithm ENCRYPTION_ALGORITHM] [--pfs {group2,group5,group14}] [--lifetime units=UNITS,value=VALUE] [--transform-protocol {esp,ah,ah-esp}] [--name NEWNAME]
Once an IPSec policy is applied to an IPSec site connection, none of the attributes can be modified.
VPN services are profiles that define the local encryption domain in a site-to-site tunnel and are a required component of IPSec site connections.
To create a VPN service in the CLI, use the Neutron vpn-service-create command, as follows:
usage: vpn-service-create [--tenant-id TENANT_ID] [--description DESCRIPTION] [--name NAME] ROUTER SUBNET
Here, the --tenant-id flag is optional and allows you to associate the VPN service with the specified tenant.
The --description flag is optional and allows you to provide a description of the VPN service.
The --name flag is also optional and allows you to specify a name for the service.
The keyword ROUTER is used to specify the router associated with the service and is a required component.
Finally, the keyword SUBNET is used to specify the subnet in the local encryption domain and is a required component. This must be a tenant subnet connected to the specified router.
To delete a VPN service in the CLI, use the Neutron vpn-service-delete command, as follows:
usage: vpn-service-delete VPNSERVICE
Here, the keyword VPNSERVICE is used to represent the ID of the VPN service to be deleted.
To list all the VPN services in the CLI, use the Neutron vpn-service-list command, as follows:
usage: vpn-service-list
The returned output includes the ID, name, associated router ID, and status of VPN services within the tenant.
An IPSec site connection is a profile that defines the parameters used to construct an IPSec site-to-site connection between a Neutron router and another peer.
To create an IPSec site connection in the CLI, use the Neutron ipsec-site-connection-create command, as follows:
usage: ipsec-site-connection-create [--tenant-id TENANT_ID] [--admin-state-down] [--name NAME] [--description DESCRIPTION] [--mtu MTU] [--initiator {bi-directional,response-only}] [--dpd action=ACTION,interval=INTERVAL,timeout=TIMEOUT] --vpnservice-id VPNSERVICE --ikepolicy-id IKEPOLICY --ipsecpolicy-id IPSECPOLICY --peer-address PEER_ADDRESS --peer-id PEER_ID --peer-cidr PEER_CIDRS --psk PSK
Here, the --tenant-id flag is optional and allows you to associate the connection with the specified tenant.
The --description flag is optional and allows you to provide a description of the connection.
The --name flag is also optional and allows you to specify a name for the connection.
The --initiator flag is optional as well and allows you to specify whether the local end of the connection can both initiate and respond to connection attempts or only respond. The default is bi-directional.
The --dpd flag is optional and allows you to specify dead peer detection attributes. Available actions include hold, clear, disabled, restart, and restart-by-peer. The default action is hold. Both interval and timeout values should be nonnegative integers, and the interval should be less than the timeout value. The default interval is 20 seconds and the default timeout is 30 seconds. More information on DPD can be found in RFC 3706, which is available at https://tools.ietf.org/html/rfc3706.
The --vpnservice-id flag is required and is used to associate a VPN service with the connection.
The --ikepolicy-id flag is required and is used to associate an IKE policy with the connection.
The --ipsecpolicy-id flag is also required and is used to associate an IPSec policy with the connection.
The --peer-address flag is required as well and is used to specify the IP address of the peer device.
The --peer-id flag is required and is used to specify the identity of the peer device. Available options include an IPv4/IPv6 address, e-mail address, key ID, or FQDN. It is common to specify the peer address as the peer ID for site-to-site connections.
The --peer-cidr flag is required and is used to specify the remote encryption domain. One or more remote subnets can be specified in a comma-separated format.
Finally, the --psk flag is also required and is used to specify the preshared key. Both ends of the connection must be configured with the same preshared key for the connection to be successful.
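The four create commands above form one dependency chain (IKE policy, IPSec policy, VPN service, then the site connection). The script below is an added example, not code from the book or from Neutron: it wraps that chain in shell functions, picks the strongest options the chapter lists (IKEv2, aes-256, group14), checks the DPD rule (nonnegative integers, interval less than timeout) before calling the CLI, and reads the preshared key from the VPN_PSK environment variable rather than hard-coding it. NEUTRON=echo gives an offline dry run; the router ID, subnet ID, peer address and CIDRs shown in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example: provision VPNaaS objects in dependency order with the
# chapter's strongest options and validate DPD values first.
# NEUTRON=echo prints the commands instead of running them (dry run).
NEUTRON="${NEUTRON:-neutron}"

# True when $1 is a nonnegative integer (digits only, not empty).
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# DPD rule from the chapter: both values nonnegative integers, interval < timeout.
dpd_valid() { is_uint "$1" && is_uint "$2" && [ "$1" -lt "$2" ]; }

# Creates "<prefix>-ike" and "<prefix>-ipsec" policies with IKEv2, aes-256, group14.
create_policies() {
    "$NEUTRON" vpn-ikepolicy-create --ike-version v2 --encryption-algorithm aes-256 \
        --pfs group14 --lifetime units=seconds,value=3600 "$1-ike"
    "$NEUTRON" vpn-ipsecpolicy-create --transform-protocol esp --encapsulation-mode tunnel \
        --encryption-algorithm aes-256 --pfs group14 --lifetime units=seconds,value=3600 "$1-ipsec"
}

# Usage: create_vpn_service NAME ROUTER_ID SUBNET_ID (subnet must be attached to the router).
create_vpn_service() { "$NEUTRON" vpn-service-create --name "$1" "$2" "$3"; }

# Usage: create_site_connection NAME VPNSERVICE IKEPOLICY IPSECPOLICY PEER_ADDR PEER_CIDRS INTERVAL TIMEOUT
# The preshared key comes from $VPN_PSK so it is not stored in the script.
create_site_connection() {
    name="$1"; vpnsvc="$2"; ike="$3"; ipsec="$4"; peer="$5"; cidrs="$6"; interval="$7"; timeout="$8"
    if ! dpd_valid "$interval" "$timeout"; then
        echo "invalid DPD values: interval=$interval timeout=$timeout" >&2; return 2
    fi
    if [ -z "$VPN_PSK" ]; then
        echo "VPN_PSK is not set" >&2; return 3
    fi
    # Peer ID is set to the peer address, the common choice for site-to-site tunnels.
    "$NEUTRON" ipsec-site-connection-create --name "$name" \
        --vpnservice-id "$vpnsvc" --ikepolicy-id "$ike" --ipsecpolicy-id "$ipsec" \
        --peer-address "$peer" --peer-id "$peer" --peer-cidr "$cidrs" \
        --initiator bi-directional \
        --dpd action=restart,interval="$interval",timeout="$timeout" \
        --psk "$VPN_PSK"
}

# Dry-run usage with constructed placeholder IDs (replace with real ones):
#   NEUTRON=echo VPN_PSK='example-psk' sh -c '. ./vpnaas.sh; create_policies site-a; \
#     create_vpn_service site-a-svc ROUTER_ID SUBNET_ID; \
#     create_site_connection site-a VPNSERVICE_ID IKEPOLICY_ID IPSECPOLICY_ID 203.0.113.10 172.16.0.0/24,172.16.1.0/24 20 30'
```

Note that --psk still places the key in the process argument list of the neutron client while it runs; on shared hosts prefer running the client where other users cannot inspect process arguments.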
To delete an IPSec site connection in the CLI, use the Neutron ipsec-site-connection-delete command, as follows:
usage: ipsec-site-connection-delete IPSEC_SITE_CONNECTION
The keyword IPSEC_SITE_CONNECTION is used to represent the ID of the IPSec site connection to be deleted.
To list all the IPSec site connections in the CLI, use the Neutron ipsec-site-connection-list command, as follows:
usage: ipsec-site-connection-list
Here, the returned output includes the ID, name, peer address, peer CIDRs, route mode, authentication mode, and status of the IPSec site connections within the tenant.
To show the details of an IPSec site connection within the CLI, use the Neutron ipsec-site-connection-show command, as follows:
usage: ipsec-site-connection-show IPSEC_SITE_CONNECTION
Here, the returned output includes the authentication mode, description, IKE policy, initiator status, IPSec policy, MTU, name, peer address, peer CIDRs, preshared key, route mode, VPN service, and status of the specified IPSec site connection.