VPN management in the CLI

The primary commands associated with VPNaaS in the Neutron CLI include:

  • vpn-ikepolicy-create
  • vpn-ikepolicy-delete
  • vpn-ikepolicy-list
  • vpn-ikepolicy-show
  • vpn-ikepolicy-update
  • vpn-ipsecpolicy-create
  • vpn-ipsecpolicy-delete
  • vpn-ipsecpolicy-list
  • vpn-ipsecpolicy-show
  • vpn-ipsecpolicy-update
  • vpn-service-create
  • vpn-service-delete
  • vpn-service-list
  • vpn-service-show
  • vpn-service-update
  • ipsec-site-connection-create
  • ipsec-site-connection-delete
  • ipsec-site-connection-list
  • ipsec-site-connection-show
  • ipsec-site-connection-update

Managing IKE policies

IKE policies define the parameters used to establish phase 1 of an IPSec tunnel and are a required component of IPSec site connections.

Creating an IKE policy in the CLI

To create an IKE policy in the CLI, use the Neutron vpn-ikepolicy-create command as shown in the following example:

usage:    vpn-ikepolicy-create [--tenant-id TENANT_ID]
          [--description DESCRIPTION]
          [--auth-algorithm {sha1}]
          [--encryption-algorithm ENCRYPTION_ALGORITHM]
          [--phase1-negotiation-mode {main}]
          [--ike-version {v1,v2}]
          [--pfs {group2,group5,group14}]
          [--lifetime units=UNITS,value=VALUE]
          NAME

Here, the --tenant-id flag is optional and allows you to associate the IKE policy with the specified tenant.

The --description flag is optional and allows you to provide a description of the IKE policy.

The --auth-algorithm flag is also optional and allows you to specify the authentication algorithm. The default and only available option at this time is sha1.

The --encryption-algorithm flag is optional as well and allows you to specify the encryption algorithm. Available options include 3des, aes-128, aes-192, and aes-256. The default is aes-128.

The --phase1-negotiation-mode flag is optional and allows you to specify the IKE Phase 1 negotiation mode. The default and only available option at this time is main.

The --ike-version flag is optional and allows you to specify the IKE version. Available options include v1 or v2; the default is v1.

The --pfs flag is optional and allows you to specify the Perfect Forward Secrecy group. Available options include group2, group5, and group14. The default is group5.

The --lifetime flag is also optional and is used to specify the interval between phase 1 rekeys. The only unit of time available at this time is seconds. The default value is 3600 (one hour).

Finally, the NAME keyword is used to name the policy.

Deleting an IKE policy in the CLI

To delete an IKE policy in the CLI, use the Neutron vpn-ikepolicy-delete command as shown here:

usage:    vpn-ikepolicy-delete IKEPOLICY

The keyword IKEPOLICY is used to represent the ID of the IKE policy to be deleted.

Listing IKE policies in the CLI

To list all IKE policies in the CLI, use the Neutron vpn-ikepolicy-list command as shown here:

usage:    vpn-ikepolicy-list

The returned output includes the ID, name, authentication algorithm, encryption algorithm, IKE version, and PFS group number of the IKE policies within the tenant.
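The listing is the natural place to check whether a tenant is still running tunnels on the weaker options the text lists (3des, IKEv1, group2). The following shell example is added here and is not part of the original text: it pipes the table printed by neutron vpn-ikepolicy-list into awk and reports every policy that uses one of those settings. It assumes the table uses the standard Neutron CLI layout with the column headers id, name, auth_algorithm, encryption_algorithm, ike_version and pfs (the attributes the text says the listing returns); the rows in sample_ike_list are constructed for offline use.

```shell
#!/usr/bin/env sh
# Added example: audit `neutron vpn-ikepolicy-list` output for weak phase-1 settings.
# Column header names are an assumption based on the attributes the text lists.

# Read the list table on stdin and print "NAME REASONS" for each policy that
# uses 3des, IKEv1, or DH group2 (the smallest group the CLI offers).
audit_ike_policies() {
    awk -F'|' '
        # Skip the +----+ border rows and blank lines.
        /^\+/ || NF < 3 { next }
        {
            # Trim whitespace from every cell.
            for (i = 1; i <= NF; i++) { gsub(/^[ \t]+|[ \t]+$/, "", $i) }
        }
        # The first non-border row is the header: map column name -> index.
        !hdr { for (i = 1; i <= NF; i++) col[$i] = i; hdr = 1; next }
        {
            name = $(col["name"]); reasons = ""
            if ($(col["encryption_algorithm"]) == "3des") reasons = reasons "3des;"
            if ($(col["ike_version"]) == "v1")           reasons = reasons "ikev1;"
            if ($(col["pfs"]) == "group2")               reasons = reasons "group2;"
            if (reasons != "") printf "%s %s\n", name, reasons
        }'
}

# Constructed sample of what vpn-ikepolicy-list prints (IDs are placeholders).
sample_ike_list() {
    cat <<'EOF'
+--------------------------------------+----------+----------------+----------------------+-------------+---------+
| id                                   | name     | auth_algorithm | encryption_algorithm | ike_version | pfs     |
+--------------------------------------+----------+----------------+----------------------+-------------+---------+
| 00000000-0000-4000-8000-000000000001 | legacy   | sha1           | 3des                 | v1          | group2  |
| 00000000-0000-4000-8000-000000000002 | default  | sha1           | aes-128              | v1          | group5  |
| 00000000-0000-4000-8000-000000000003 | hardened | sha1           | aes-256              | v2          | group14 |
+--------------------------------------+----------+----------------+----------------------+-------------+---------+
EOF
}

# Usage against a live cloud:  neutron vpn-ikepolicy-list | audit_ike_policies
# Offline demonstration:       sample_ike_list | audit_ike_policies
```

The header row is mapped by name rather than by position, so the check keeps working if the CLI adds or reorders columns. Policies created with nothing but the documented defaults (aes-128, v1, group5) are flagged for IKEv1 only; a policy matching the "legacy" row trips all three checks.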

Showing the details of an IKE policy in the CLI

To show the details of an IKE policy within the CLI, use the Neutron vpn-ikepolicy-show command, as follows:

usage:    vpn-ikepolicy-show IKEPOLICY

The returned output includes the name, authentication algorithm, encryption algorithm, IKE version, lifetime, PFS group number, and Phase 1 negotiation mode of the specified IKE policy.

Updating an IKE policy in the CLI

Many of the attributes of an IKE policy are editable prior to the IKE policy being applied to an IPSec site connection. To update an attribute of an IKE policy in the CLI, use the Neutron vpn-ikepolicy-update command, as follows:

usage:    vpn-ikepolicy-update NAME
          [--description DESCRIPTION]
          [--encryption-algorithm ENCRYPTION_ALGORITHM]
          [--ike-version {v1,v2}]
          [--pfs {group2,group5,group14}]
          [--lifetime units=UNITS,value=VALUE]
          [--name NEWNAME]

Once an IKE policy is applied to an IPSec site connection, none of the attributes can be modified.

Managing IPSec policies

IPSec policies define the parameters used to establish Phase 2 of an IPSec tunnel and are a required component of IPSec site connections.

Creating an IPSec policy in the CLI

To create an IPSec policy in the CLI, use the Neutron vpn-ipsecpolicy-create command, as follows:

usage:    vpn-ipsecpolicy-create [--tenant-id TENANT_ID]
          [--description DESCRIPTION]
          [--transform-protocol {esp,ah,ah-esp}]
          [--auth-algorithm {sha1}]
          [--encryption-algorithm ENCRYPTION_ALGORITHM]
          [--encapsulation-mode {tunnel,transport}]
          [--pfs {group2,group5,group14}]
          [--lifetime units=UNITS,value=VALUE]
          NAME

Here, the --tenant-id flag is optional and allows you to associate the IPSec policy with the specified tenant.

The --description flag is also optional and allows you to provide a description of the IPSec policy.

The --transform-protocol flag is optional as well and allows you to specify the transform protocol. Available options include esp, ah, and ah-esp. The default is esp.

The --auth-algorithm flag is optional and allows you to specify the authentication algorithm. The default and only available option at this time is sha1.

The --encryption-algorithm flag is optional and allows you to specify the encryption algorithm. Available options include 3des, aes-128, aes-192, and aes-256. The default is aes-128.

The --encapsulation-mode flag is optional as well and allows you to specify the encapsulation mode. Available options include tunnel or transport. The default is tunnel.

The --pfs flag is also optional and allows you to specify the Perfect Forward Secrecy group. Available options include group2, group5, and group14. The default is group5.

The --lifetime flag is optional, and is used to specify the interval between Phase 2 rekeys. The only unit of time available at this time is seconds. The default value is 3600 (one hour).

Finally, the keyword NAME is used to name the policy.

Deleting an IPSec policy in the CLI

To delete an IPSec policy in the CLI, use the Neutron vpn-ipsecpolicy-delete command, as follows:

usage:    vpn-ipsecpolicy-delete IPSECPOLICY

Here, the keyword IPSECPOLICY is used to represent the ID of the IPSec policy to be deleted.

Listing IPSec policies in the CLI

To list all the IPSec policies in the CLI, use the Neutron vpn-ipsecpolicy-list command, as follows:

usage:    vpn-ipsecpolicy-list

The returned output includes the ID, name, authentication algorithm, encryption algorithm, and PFS group number of the IPSec policies within the tenant.

Showing the details of an IPSec policy in the CLI

To show the details of an IPSec policy within the CLI, use the Neutron vpn-ipsecpolicy-show command, as follows:

usage:    vpn-ipsecpolicy-show IPSECPOLICY

The returned output includes the name, authentication algorithm, encapsulation mode, encryption algorithm, lifetime, PFS group number, and transform protocol of the specified IPSec policy.

Updating an IPSec policy in the CLI

Many of the attributes of an IPSec policy are editable prior to the IPSec policy being applied to an IPSec site connection. To update an attribute of the IPSec policy in the CLI, use the Neutron vpn-ipsecpolicy-update command, as follows:

usage:    vpn-ipsecpolicy-update NAME
          [--description DESCRIPTION]
          [--encapsulation-mode {tunnel,transport}]
          [--encryption-algorithm ENCRYPTION_ALGORITHM]
          [--pfs {group2,group5,group14}]
          [--lifetime units=UNITS,value=VALUE]
          [--transform-protocol {esp,ah,ah-esp}]
          [--name NEWNAME]

Once an IPSec policy is applied to an IPSec site connection, none of the attributes can be modified.

Managing VPN services

VPN services are profiles that define the local encryption domain in a site-to-site tunnel and are a required component of IPSec site connections.

Creating a VPN service in the CLI

To create a VPN service in the CLI, use the Neutron vpn-service-create command, as follows:

usage:    vpn-service-create [--tenant-id TENANT_ID]
          [--description DESCRIPTION]
          [--name NAME] 
          ROUTER SUBNET

Here, the --tenant-id flag is optional and allows you to associate the VPN service with the specified tenant.

The --description flag is optional and allows you to provide a description of the VPN service.

The --name flag is also optional and allows you to specify a name for the service.

The keyword ROUTER is used to specify the router associated with the service and is a required component.

Finally, the keyword SUBNET is used to specify the subnet in the local encryption domain and is a required component. This must be a tenant subnet connected to the specified router.

Deleting a VPN service in the CLI

To delete a VPN service in the CLI, use the Neutron vpn-service-delete command, as follows:

usage:    vpn-service-delete VPNSERVICE

Here, the keyword VPNSERVICE is used to represent the ID of the VPN service to be deleted.

Listing VPN services in the CLI

To list all the VPN services in the CLI, use the Neutron vpn-service-list command, as follows:

usage:    vpn-service-list

The returned output includes the ID, name, associated router ID, and status of VPN services within the tenant.

Showing the details of a VPN service in the CLI

To show the details of a VPN service within the CLI, use the Neutron vpn-service-show command, as follows:

usage:    vpn-service-show VPNSERVICE

In the preceding command, the returned output includes the name, associated router ID, and status of the specified VPN service.

Updating a VPN service in the CLI

To update an attribute of a VPN service in the CLI, use the Neutron vpn-service-update command, as follows:

usage:    vpn-service-update NAME
          [--description DESCRIPTION]

Managing IPSec connections

An IPSec site connection is a profile that defines the parameters used to construct an IPSec site-to-site connection between a Neutron router and another peer.

Creating a site-to-site connection in the CLI

To create an IPSec site connection in the CLI, use the Neutron ipsec-site-connection-create command, as follows:

usage:    ipsec-site-connection-create [--tenant-id TENANT_ID]
          [--admin-state-down] [--name NAME]
          [--description DESCRIPTION] [--mtu MTU]
          [--initiator {bi-directional,response-only}]
          [--dpd action=ACTION,interval=INTERVAL,timeout=TIMEOUT]
          --vpnservice-id VPNSERVICE 
          --ikepolicy-id IKEPOLICY 
          --ipsecpolicy-id IPSECPOLICY
          --peer-address PEER_ADDRESS 
          --peer-id PEER_ID 
          --peer-cidr PEER_CIDRS 
          --psk PSK

Here, the --tenant-id flag is optional and allows you to associate the connection with the specified tenant.

The --description flag is optional and allows you to provide a description of the connection.

The --name flag is also optional and allows you to specify a name for the connection.

The --initiator flag is optional as well and allows you to specify whether the local end of the connection can both initiate and respond to connection attempts or only respond. The default is bi-directional.

The --dpd flag is optional and allows you to specify dead peer detection attributes. Available actions include hold, clear, disabled, restart, and restart-by-peer. The default action is hold. Both interval and timeout values should be nonnegative integers, and the interval should be less than the timeout value. The default interval is 20 seconds and the default timeout is 30 seconds. More information on DPD can be found in RFC 3706, which is available at https://tools.ietf.org/html/rfc3706.

The --vpnservice-id flag is required and is used to associate a VPN service with the connection.

The --ikepolicy-id flag is required and is used to associate an IKE policy with the connection.

The --ipsecpolicy-id flag is also required and is used to associate an IPSec policy with the connection.

The --peer-address flag is required as well and is used to specify the IP address of the peer device.

The --peer-id flag is required and is used to specify the identity of the peer device. Available options include an IPv4/IPv6 address, e-mail address, key ID, or FQDN. It is common to specify the peer address as the peer ID for site-to-site connections.

The --peer-cidr flag is required and is used to specify the remote encryption domain. One or more remote subnets can be specified in a comma-separated format.

Finally, the --psk flag is also required and is used to specify the preshared key. Both ends of the connection must be configured with the same preshared key for the connection to be successful.
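The four create commands described in this chapter are normally run as one sequence, and the flag descriptions above carry the constraints that are easy to get wrong (the DPD interval must be below the timeout, the preshared key must match on both ends). The following shell script is an added example and is not part of the original text or of the Neutron project: it validates the --dpd triple against the rules stated above and then issues the IKE policy, IPSec policy, VPN service and site-connection creates, choosing the strongest options the text lists (aes-256, group14, IKEv2) rather than the defaults. It assumes that neutron is on PATH with OS_* credentials already exported, that the --vpnservice-id, --ikepolicy-id and --ipsecpolicy-id arguments accept the resource name as well as the ID, and that the router, subnet, peer address and peer CIDR passed in are placeholders you replace with your own. Setting DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/usr/bin/env sh
# Added example: build one IPSec site-to-site tunnel with the VPNaaS CLI.
# Assumptions (not from the text): `neutron` is on PATH with OS_* credentials set,
# and the *-id flags of ipsec-site-connection-create accept names as well as IDs.
set -eu

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Validate the --dpd triple against the documented rules: a known action,
# nonnegative integer interval and timeout, and interval strictly less than timeout.
validate_dpd() {
    action=$1 interval=$2 timeout=$3
    case "$action" in
        hold|clear|disabled|restart|restart-by-peer) ;;
        *) echo "dpd: unknown action '$action'" >&2; return 1 ;;
    esac
    for n in "$interval" "$timeout"; do
        case "$n" in
            ''|*[!0-9]*) echo "dpd: interval and timeout must be nonnegative integers" >&2; return 1 ;;
        esac
    done
    if [ "$interval" -ge "$timeout" ]; then
        echo "dpd: interval ($interval) must be less than timeout ($timeout)" >&2
        return 1
    fi
}

# Create IKE policy, IPSec policy, VPN service and site connection named after PREFIX.
# The preshared key is read from a file so the secret is not typed into shell history.
build_tunnel() {
    prefix=$1 router=$2 subnet=$3 peer_addr=$4 peer_cidr=$5 psk_file=$6
    dpd_action=${7:-hold} dpd_interval=${8:-20} dpd_timeout=${9:-30}

    validate_dpd "$dpd_action" "$dpd_interval" "$dpd_timeout" || return 1
    psk=$(cat "$psk_file")

    # Phase 1: IKEv2, AES-256, DH group14; sha1 is the only auth algorithm offered.
    # Lifetime 3600 s is the documented default, stated explicitly.
    run neutron vpn-ikepolicy-create \
        --auth-algorithm sha1 \
        --encryption-algorithm aes-256 \
        --ike-version v2 \
        --pfs group14 \
        --lifetime units=seconds,value=3600 \
        "${prefix}-ike"

    # Phase 2: ESP in tunnel mode with the same cipher and DH group.
    run neutron vpn-ipsecpolicy-create \
        --transform-protocol esp \
        --encapsulation-mode tunnel \
        --encryption-algorithm aes-256 \
        --pfs group14 \
        --lifetime units=seconds,value=3600 \
        "${prefix}-ipsec"

    # Local encryption domain: the tenant router and a subnet attached to it.
    run neutron vpn-service-create --name "${prefix}-svc" "$router" "$subnet"

    # Tie the three together with the remote peer. The peer ID is set to the
    # peer address, the common choice for site-to-site tunnels.
    run neutron ipsec-site-connection-create \
        --name "${prefix}-conn" \
        --initiator bi-directional \
        --dpd "action=${dpd_action},interval=${dpd_interval},timeout=${dpd_timeout}" \
        --vpnservice-id "${prefix}-svc" \
        --ikepolicy-id "${prefix}-ike" \
        --ipsecpolicy-id "${prefix}-ipsec" \
        --peer-address "$peer_addr" \
        --peer-id "$peer_addr" \
        --peer-cidr "$peer_cidr" \
        --psk "$psk"
}

# Usage (placeholder router, subnet, peer and CIDR; psk.txt holds the shared secret):
#   DRY_RUN=1 build_tunnel hq router-placeholder subnet-placeholder 203.0.113.10 198.51.100.0/24 ./psk.txt
```

Because the key is still passed to the CLI as an argument, it is visible to anyone who can list processes on the workstation while the command runs, and, as the show command later in this chapter notes, it is returned in the connection details to anyone holding the tenant's credentials; treat the preshared key accordingly and rotate it on both peers together.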

Deleting a site-to-site connection in the CLI

To delete an IPSec site connection in the CLI, use the Neutron ipsec-site-connection-delete command, as follows:

usage:    ipsec-site-connection-delete IPSEC_SITE_CONNECTION

The keyword IPSEC_SITE_CONNECTION is used to represent the ID of the IPSec site connection to be deleted.

Listing site-to-site connections in the CLI

To list all the IPSec site connections in the CLI, use the Neutron ipsec-site-connection-list command, as follows:

usage:    ipsec-site-connection-list

Here, the returned output includes the ID, name, peer address, peer CIDRs, route mode, authentication mode, and status of the IPSec site connections within the tenant.

Showing the details of a site-to-site connection in the CLI

To show the details of an IPSec site connection within the CLI, use the Neutron ipsec-site-connection-show command, as follows:

usage:    ipsec-site-connection-show IPSEC_SITE_CONNECTION

Here, the returned output includes the authentication mode, description, IKE policy, initiator status, IPSec policy, MTU, name, peer address, peer CIDRs, preshared key, route mode, VPN service, and status of the specified IPSec site connection.

Updating a site-to-site connection in the CLI

To update an attribute of an IPSec site connection in the CLI, use the Neutron ipsec-site-connection-update command, as follows:

usage:    ipsec-site-connection-update
          [--dpd action=ACTION,interval=INTERVAL,timeout=TIMEOUT]
          IPSEC_SITE_CONNECTION