The Virtual Private Network as a Service (VPNaaS) Extension

The VPNaaS extension provides OpenStack tenants with the ability to extend private networks across the public telecommunication infrastructure. The capabilities provided by this initial implementation of the VPNaaS extension are:

- Site-to-site Virtual Private Network connecting two private networks.
- Multiple VPN connections per tenant.
- Supporting IKEv1 policy with 3des, aes-128, aes-256, or aes-192 encryption.
- Supporting IPSec policy with 3des, aes-128, aes-256, or aes-192 encryption, sha1 authentication, ESP, AH, or AH-ESP transform protocol, and tunnel or transport mode encapsulation.
- Dead Peer Detection (DPD) allowing hold, clear, restart, disabled, or restart-by-peer actions.

This extension introduces new resources:

- service, a high level object that associates a VPN with a specific subnet and router.
- ikepolicy, the Internet Key Exchange policy identifying the authentication and encryption algorithm used during phase one and phase two negotiation of a VPN connection.
- ipsecpolicy, the IP security policy specifying the authentication and encryption algorithm, and the encapsulation mode used for the established VPN connection.
- ipsec-site-connection, which holds the details of the site-to-site IPsec connection, including the peer CIDRs, MTU, authentication mode, peer address, DPD settings, and status.

This extension is experimental for the Havana release. The API may change without backward compatibility.
Concepts

A VPN service relates the Virtual Private Network with a specific subnet and router for a tenant.

An IKE Policy is used for phase one and phase two negotiation of the VPN connection. Its configuration selects the authentication and encryption algorithm used to establish a connection.

An IPsec Policy is used to specify the encryption algorithm, transform protocol, and mode (tunnel/transport) for the VPN connection.

A VPN connection represents the IPsec tunnel established between two sites for the tenant. It contains the configuration settings specifying the policies used, peer information, MTU, and the DPD actions to take.
High-level flow

The high-level task flow for using the VPNaaS API to configure a site-to-site Virtual Private Network is as follows:

1. The tenant creates a VPN service, specifying the router and subnet.
2. The tenant creates an IKE Policy.
3. The tenant creates an IPsec Policy.
4. The tenant creates a VPN connection, specifying the VPN service, peer information, and the IKE and IPsec policies.
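The four-step flow above, as an added example that is not code from the OpenStack documentation or the Neutron project. It assumes each resource is posted under a JSON wrapper key named after it (vpnservice, ikepolicy, ipsecpolicy, ipsec_site_connection) and that the caller injects a transport callable; RecordingTransport is a constructed offline stand-in that records requests and mints ids, so the point shown is how each later create must carry the ids returned by the earlier ones.

```python
"""Ordered VPNaaS setup: service -> IKE policy -> IPsec policy -> site connection."""
import itertools
import json
from typing import Any, Callable, Dict

# A transport is any callable (method, path, body) -> parsed JSON response body.
Transport = Callable[[str, str, Dict[str, Any]], Dict[str, Any]]

# Wrapper key -> create path. The wrapper keys are an assumption taken from
# Neutron's resource naming; the page itself only lists paths and status codes.
RESOURCES = {
    "vpnservice": "/v2.0/vpn/vpnservices.json",
    "ikepolicy": "/v2.0/vpn/ikepolicies.json",
    "ipsecpolicy": "/v2.0/vpn/ipsecpolicies.json",
    "ipsec_site_connection": "/v2.0/vpn/ipsec-site-connections.json",
}


def create(send: Transport, resource: str, attrs: Dict[str, Any]) -> str:
    """POST one resource and return the server-generated id (201 Created)."""
    resp = send("POST", RESOURCES[resource], {resource: attrs})
    return resp[resource]["id"]


def build_site_to_site(send: Transport, router_id: str, subnet_id: str,
                       peer_address: str, peer_id: str, peer_cidrs, psk: str) -> Dict[str, str]:
    """Run the four steps in order; each step references ids from the previous ones."""
    service_id = create(send, "vpnservice",
                        {"name": "site-a", "router_id": router_id, "subnet_id": subnet_id})
    ike_id = create(send, "ikepolicy", {
        "name": "ike-aes256", "auth_algorithm": "sha1", "encryption_algorithm": "aes-256",
        "pfs": "group14", "ike_version": "v1", "lifetime": {"units": "seconds", "value": 3600}})
    ipsec_id = create(send, "ipsecpolicy", {
        "name": "ipsec-aes256", "transform_protocol": "esp", "encapsulation_mode": "tunnel",
        "auth_algorithm": "sha1", "encryption_algorithm": "aes-256", "pfs": "group14",
        "lifetime": {"units": "seconds", "value": 3600}})
    conn_id = create(send, "ipsec_site_connection", {
        "name": "to-site-b", "vpnservice_id": service_id,
        "ikepolicy_id": ike_id, "ipsecpolicy_id": ipsec_id,
        "peer_address": peer_address, "peer_id": peer_id, "peer_cidrs": list(peer_cidrs),
        "psk": psk, "mtu": 1500, "initiator": "bi-directional",
        "dpd": {"action": "hold", "interval": 30, "timeout": 120}})
    return {"vpnservice": service_id, "ikepolicy": ike_id,
            "ipsecpolicy": ipsec_id, "ipsec_site_connection": conn_id}


class RecordingTransport:
    """Constructed offline stand-in for the API: records calls and mints ids, no network."""

    def __init__(self) -> None:
        self.calls = []
        self._counter = itertools.count(1)

    def __call__(self, method: str, path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        self.calls.append((method, path, json.loads(json.dumps(body))))  # deep copy
        resource = next(iter(body))
        minted = dict(body[resource], id=f"{resource}-{next(self._counter)}", status="PENDING_CREATE")
        return {resource: minted}
```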
VPN Service Operations

This section discusses operations for managing a tenant's VPN service through this extension.
VPN Service Attributes
Attribute | Type | Required | CRUD | Default Value | Validation Constraints | Notes
id | uuid-str | N/A | R | generated | N/A | Unique identifier for the VPN Service object.
tenant_id | uuid-str | Yes | CR | Derived from authentication token | valid tenant_id | Owner of the VPN service. Only admin users can specify a tenant identifier other than their own.
name | String | No | CRU | None | N/A | Human readable name for the VPN service. Does not have to be unique.
description | String | No | CRU | None | N/A | Human readable description for the VPN service.
status | String | N/A | R | N/A | N/A | Indicates whether the IPsec VPN service is currently operational. Possible values include: ACTIVE, DOWN, BUILD, ERROR, PENDING_CREATE, PENDING_UPDATE, or PENDING_DELETE.
admin_state_up | Bool | N/A | CRU | true | true or false | Administrative state of the vpnservice. If false (down), the port does not forward packets.
subnet_id | uuid-str | Yes | CR | N/A | valid subnet ID | The subnet on which the tenant wants the VPN service. This may be extended in the future to support multiple subnets.
router_id | uuid-str | Yes | CR | N/A | valid router ID | Router ID into which the VPN service is inserted. This may change in the future, when router level insertion is available.

CRUD column: C, the attribute is used in create operations; R, the attribute is returned in response to show and list operations; U, the value of the attribute can be updated; D, the value of the attribute can be deleted.
List VPN Services

Verb | URI | Description
GET | /vpn/vpnservices | Lists VPN services.

Normal Response Code: 200
Error Response Codes: Unauthorized (401), Forbidden (403)

This operation does not require a request body. This operation returns a response body.

List VPN Services: Request

GET /v2.0/vpn/vpnservices.json
User-Agent: python-neutronclient
Accept: application/json

List VPN Services: Response

Show VPN Service

Verb | URI | Description
GET | /vpn/vpnservices/service-id | Returns details about a specific VPN service.

Normal Response Code: 200
Error Response Codes: Unauthorized (401), Forbidden (403), Not Found (404)

This operation does not require a request body. This operation returns a response body.

Show VPN Service: Request

GET /v2.0/vpn/vpnservices/9faaf49f-dd89-4e39-a8c6-101839aa49bc.json
User-Agent: python-neutronclient
Accept: application/json

Show VPN Service: Response

Create VPN Service

Verb | URI | Description
POST | /vpn/vpnservices | Creates a new VPN service.

Normal Response Code: 201
Error Response Codes: Unauthorized (401), Bad Request (400)

This operation requires a request body. This operation returns a response body.

Create VPN Service: Request

POST /v2.0/vpn/vpnservices.json
User-Agent: python-neutronclient
Accept: application/json

Create VPN Service: Response

HTTP/1.1 201 Created
Content-Type: application/json; charset=UTF-8

Update VPN Service

Verb | URI | Description
PUT | /vpn/vpnservices/service-id | Updates a VPN service, provided its status does not indicate a PENDING_* state.

Normal Response Code: 200
Error Response Codes: Unauthorized (401), Bad Request (400), Not Found (404)

Update VPN Service: Request

PUT /v2.0/vpn/vpnservices/41bfef97-af4e-4f6b-a5d3-4678859d2485.json
User-Agent: python-neutronclient
Accept: application/json

Update VPN Service: Response

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

Delete VPN Service

Verb | URI | Description
DELETE | /vpn/vpnservices/service-id | Removes a VPN service.

Normal Response Code: 204
Error Response Codes: Unauthorized (401), Not Found (404), Conflict (409)

This operation does not require a request body. This operation does not return a response body.

Delete VPN Service: Request

DELETE /v2.0/vpn/vpnservices/1be5e5f7-c45e-49ba-85da-156575b60d50.json
User-Agent: python-neutronclient
Accept: application/json

Delete VPN Service: Response

HTTP/1.1 204 No Content
Content-Length: 0
IKE Policy Operations

This section discusses operations for managing IKE Policies through the VPN as a Service extension.
IKE Policy Attributes
Attribute | Type | Required | CRUD | Default Value | Validation Constraints | Notes
id | uuid-str | N/A | R | generated | N/A | Unique identifier for the IKE policy.
tenant_id | uuid-str | Yes | CR | None | valid tenant_id | Unique identifier for the owner of the VPN service.
name | string | yes | CRU | None | N/A | Friendly name for the IKE policy.
description | string | no | CRU | None | N/A | Description of the IKE policy.
auth_algorithm | string | no | CRU | sha1 | N/A | Authentication hash algorithms: sha1.
encryption_algorithm | string | no | CRU | aes-128 | N/A | Encryption algorithms: 3des, aes-128, aes-256, aes-192, etc.
phase1_negotiation_mode | string | no | CRU | Main Mode | N/A | IKE mode: Main Mode.
pfs | string | no | CRU | Group5 | N/A | Perfect Forward Secrecy: Group2, Group5, or Group14.
ike_version | string | no | CRU | v1 | N/A | Version: v1 or v2.
lifetime | dict | no | CRU | units: seconds, value: 3600 | Dictionary should be in this form: {'units': 'seconds', 'value': 2000}. Value is a positive integer. | Lifetime of the SA. Units in 'seconds'. Either units or value may be omitted.

CRUD column: C, the attribute is used in create operations; R, the attribute is returned in response to show and list operations; U, the value of the attribute can be updated; D, the value of the attribute can be deleted.
List IKE Policies

Verb | URI | Description
GET | /vpn/ikepolicies | Lists IKE policies.

Normal Response Code: 200
Error Response Codes: Unauthorized (401), Forbidden (403)

This operation does not require a request body. This operation returns a response body.

List IKE Policies: Request

GET /v2.0/vpn/ikepolicies.json
User-Agent: python-neutronclient
Accept: application/json

List IKE Policies: Response

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

Show IKE Policy

Verb | URI | Description
GET | /vpn/ikepolicies/ikepolicy-id | Returns details about a specific IKE policy.

Normal Response Code: 200
Error Response Codes: Unauthorized (401), Forbidden (403), Not Found (404)

This operation does not require a request body. This operation returns a response body.

Show IKE Policy: Request

GET /v2.0/vpn/ikepolicies/5522aff7-1b3c-48dd-9c3c-b50f016b73db.json
User-Agent: python-neutronclient
Accept: application/json

Show IKE Policy: Response

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

Create IKE Policy

Verb | URI | Description
POST | /vpn/ikepolicies | Creates a new IKE policy.

Normal Response Code: 201
Error Response Codes: Unauthorized (401), Bad Request (400)

This operation requires a request body. This operation returns a response body.

Create IKE Policy: Request

POST /v2.0/vpn/ikepolicies.json
User-Agent: python-neutronclient
Accept: application/json

Create IKE Policy: Response

HTTP/1.1 201 Created
Content-Type: application/json; charset=UTF-8

Update IKE Policy

Verb | URI | Description
PUT | /vpn/ikepolicies/ikepolicy-id | Updates an IKE policy.

Normal Response Code: 200
Error Response Codes: Unauthorized (401), Bad Request (400), Not Found (404)

Update IKE Policy: Request

PUT /v2.0/vpn/ikepolicies/5522aff7-1b3c-48dd-9c3c-b50f016b73db.json
User-Agent: python-neutronclient
Accept: application/json

Update IKE Policy: Response

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

Delete IKE Policy

Verb | URI | Description
DELETE | /vpn/ikepolicies/ikepolicy-id | Removes an IKE policy.

Normal Response Code: 204
Error Response Codes: Unauthorized (401), Not Found (404), Conflict (409)

This operation does not require a request body. This operation does not return a response body.

Delete IKE Policy: Request

DELETE /v2.0/vpn/ikepolicies/5522aff7-1b3c-48dd-9c3c-b50f016b73db.json
User-Agent: python-neutronclient
Accept: application/json

Delete IKE Policy: Response

HTTP/1.1 204 No Content
Content-Length: 0
IPSec Policy Operations

This section discusses operations for managing IPSec policies through the VPN as a Service extension.
IPSec Policy Attributes
Attribute | Type | Required | CRUD | Default Value | Validation Constraints | Notes
id | uuid-str | N/A | R | generated | N/A | Unique identifier for the IPsec policy.
tenant_id | uuid-str | Yes | CR | None | valid tenant_id | Unique identifier for the owner of the VPN service.
name | string | yes | CRU | None | N/A | Friendly name for the IPsec policy.
description | string | no | CRU | None | N/A | Description of the IPSec policy.
transform_protocol | string | no | CRU | ESP | N/A | Transform protocol used: ESP, AH, or AH-ESP.
encapsulation_mode | string | no | CRU | tunnel | N/A | Encapsulation mode: tunnel or transport.
auth_algorithm | string | no | CRU | sha1 | N/A | Authentication algorithm: sha1.
encryption_algorithm | string | no | CRU | aes-128 | N/A | Encryption algorithms: 3des, aes-128, aes-256, or aes-192.
pfs | string | no | CRU | group5 | N/A | Perfect Forward Secrecy: group2, group5, or group14.
lifetime | dict | no | CRU | units: seconds, value: 3600 | Dictionary should be in this form: {'units': 'seconds', 'value': 2000}. Value is a positive integer. | Lifetime of the SA. Units in 'seconds'. Either units or value may be omitted.

CRUD column: C, the attribute is used in create operations; R, the attribute is returned in response to show and list operations; U, the value of the attribute can be updated; D, the value of the attribute can be deleted.
List IPSec Policies

Verb | URI | Description
GET | /vpn/ipsecpolicies | Lists IPSec policies.

Normal Response Code: 200
Error Response Codes: Unauthorized (401), Forbidden (403)

This operation does not require a request body. This operation returns a response body.

List IPSec Policies: Request

GET /v2.0/vpn/ipsecpolicies.json
User-Agent: python-neutronclient
Accept: application/json

List IPSec Policies: Response

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

Show IPSec Policy

Verb | URI | Description
GET | /vpn/ipsecpolicies/ipsecpolicy-id | Returns details about a specific IPSec policy.

Normal Response Code: 200
Error Response Codes: Unauthorized (401), Forbidden (403), Not Found (404)

This operation does not require a request body. This operation returns a response body.

Show IPSec Policy: Request

GET /v2.0/vpn/ipsecpolicies/5291b189-fd84-46e5-84bd-78f40c05d69c.json
User-Agent: python-neutronclient
Accept: application/json

Show IPSec Policy: Response

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

Create IPSec Policy

Verb | URI | Description
POST | /vpn/ipsecpolicies | Creates a new IPSec policy.

Normal Response Code: 201
Error Response Codes: Unauthorized (401), Bad Request (400)

This operation requires a request body. This operation returns a response body.

Create IPSec Policy: Request

POST /v2.0/vpn/ipsecpolicies.json
User-Agent: python-neutronclient
Accept: application/json

Create IPSec Policy: Response

HTTP/1.1 201 Created
Content-Type: application/json; charset=UTF-8

Update IPSec Policy

Verb | URI | Description
PUT | /vpn/ipsecpolicies/ipsecpolicy-id | Updates an IPSec policy.

Normal Response Code: 200
Error Response Codes: Unauthorized (401), Bad Request (400), Not Found (404)

Update IPSec Policy: Request

PUT /v2.0/vpn/ipsecpolicies/5291b189-fd84-46e5-84bd-78f40c05d69c.json
User-Agent: python-neutronclient
Accept: application/json

Update IPSec Policy: Response

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

Delete IPSec Policy

Verb | URI | Description
DELETE | /vpn/ipsecpolicies/ipsecpolicy-id | Removes an IPSec policy.

Normal Response Code: 204
Error Response Codes: Unauthorized (401), Not Found (404), Conflict (409)

This operation does not require a request body. This operation does not return a response body.

Delete IPSec Policy: Request

DELETE /v2.0/vpn/ipsecpolicies/5291b189-fd84-46e5-84bd-78f40c05d69c.json
User-Agent: python-neutronclient
Accept: application/json

Delete IPSec Policy: Response

HTTP/1.1 204 No Content
Content-Length: 0
IPSec Site Connection Operations

This section discusses operations for managing IPSec site-to-site connections through the VPN as a Service extension.
IPSec Site Connection Attributes
Attribute | Type | Required | CRUD | Default Value | Validation Constraints | Notes
id | uuid-str | N/A | R | generated | N/A | Unique identifier for the IPSec site-to-site connection.
tenant_id | uuid-str | Yes | CR | None | valid tenant_id | Unique identifier for the owner of the VPN service.
name | string | no | CRU | None | N/A | Name for the IPSec site-to-site connection.
description | string | no | CRU | None | N/A | Description of the IPSec site-to-site connection.
peer_address | string | yes | CRU | N/A | N/A | Peer gateway public IPv4/IPv6 address or FQDN.
peer_id | string | yes | CRU | N/A | N/A | Peer router identity for authentication. Can be an IPv4/IPv6 address, e-mail address, key id, or FQDN.
peer_cidrs | list[string] | yes | CRU | N/A | unique list of valid CIDRs in the form <net_address>/<prefix> | Peer private CIDRs.
route_mode | string | no | R | static | static | Route mode: static. This will be extended in the future.
mtu | integer | no | CRU | 1500 | Integer. Minimum is 68 for IPv4 and 1280 for IPv6. | Maximum Transmission Unit to address fragmentation.
auth_mode | string | no | R | psk | psk/certs | Authentication mode: PSK or certificate.
psk | string | yes | CRU | N/A | NO | Pre Shared Key: any string.
initiator | string | no | CRU | bi-directional | bi-directional / response-only | Whether this VPN can only respond to connections or can initiate as well.
admin_state_up | bool | N/A | CRU | TRUE | true / false | Administrative state of the VPN connection. If false (down), the VPN connection does not forward packets.
status | string | N/A | R | N/A | N/A | Indicates whether the VPN connection is currently operational. Possible values include: ACTIVE, DOWN, BUILD, ERROR, PENDING_CREATE, PENDING_UPDATE, or PENDING_DELETE.
ikepolicy_id | uuid | yes | CR | N/A | Unique identifier of an IKE policy | Unique identifier of the IKE policy.
ipsecpolicy_id | uuid | yes | CR | N/A | Unique identifier of an IPSec policy | Unique identifier of the IPSec policy.
vpnservice_id | uuid | yes | CR | N/A | Unique identifier of a VPN service | Unique identifier of the VPN service.
dpd | dict | no | CRU | action: hold, interval: 30, timeout: 120 | Dictionary should be in this form: {'action': 'clear', 'interval': 20, 'timeout': 60}. Interval is a positive integer. Timeout is greater than interval. | Dead Peer Detection protocol controls. Action: clear, hold, restart, disabled, or restart-by-peer. Interval and timeout in seconds.

CRUD column: C, the attribute is used in create operations; R, the attribute is returned in response to show and list operations; U, the value of the attribute can be updated; D, the value of the attribute can be deleted.
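Added example, not from the OpenStack documentation or the Neutron project: a client-side check of an ipsec-site-connection body against the constraints in the table above (required attributes, unique and well-formed peer_cidrs, the per-IP-version MTU minimums, the DPD interval/timeout relation and action set, and the initiator values), so that a bad body is caught before the API returns Bad Request (400). The function name and the sample body are constructed for this example.

```python
"""Validate an ipsec-site-connection request body against the documented constraints."""
import ipaddress
from typing import Any, Dict, List

REQUIRED = ("peer_address", "peer_id", "peer_cidrs", "psk",
            "vpnservice_id", "ikepolicy_id", "ipsecpolicy_id")
DPD_ACTIONS = {"clear", "hold", "restart", "disabled", "restart-by-peer"}
INITIATORS = {"bi-directional", "response-only"}
MIN_MTU = {4: 68, 6: 1280}   # minimum MTU per IP version, from the mtu row
DPD_DEFAULT = {"action": "hold", "interval": 30, "timeout": 120}


def _is_int(v: Any) -> bool:
    return isinstance(v, int) and not isinstance(v, bool)


def validate_site_connection(conn: Dict[str, Any]) -> List[str]:
    """Return the list of violations; an empty list means the body meets every table constraint."""
    problems: List[str] = []
    for key in REQUIRED:
        if not conn.get(key):
            problems.append(f"{key} is required")
    # peer_cidrs: unique list of valid <net_address>/<prefix>; strict=True rejects host bits set
    cidrs = conn.get("peer_cidrs") or []
    networks = []
    for c in cidrs:
        try:
            networks.append(ipaddress.ip_network(c, strict=True))
        except ValueError:
            problems.append(f"peer_cidrs: {c!r} is not a valid <net_address>/<prefix>")
    if len(set(cidrs)) != len(cidrs):
        problems.append("peer_cidrs must be a unique list")
    # mtu: integer, minimum 68 for IPv4 and 1280 for IPv6 (checked against the peer CIDR family)
    mtu = conn.get("mtu", 1500)
    if not _is_int(mtu):
        problems.append("mtu must be an integer")
    else:
        for net in networks:
            if mtu < MIN_MTU[net.version]:
                problems.append(f"mtu {mtu} is below the IPv{net.version} minimum of {MIN_MTU[net.version]}")
                break
    # dpd: action from the documented set, positive integer interval, timeout greater than interval
    dpd = {**DPD_DEFAULT, **(conn.get("dpd") or {})}
    if dpd["action"] not in DPD_ACTIONS:
        problems.append(f"dpd.action {dpd['action']!r} not in {sorted(DPD_ACTIONS)}")
    if not (_is_int(dpd["interval"]) and dpd["interval"] > 0):
        problems.append("dpd.interval must be a positive integer")
    elif not (_is_int(dpd["timeout"]) and dpd["timeout"] > dpd["interval"]):
        problems.append("dpd.timeout must be an integer greater than dpd.interval")
    if conn.get("initiator", "bi-directional") not in INITIATORS:
        problems.append("initiator must be bi-directional or response-only")
    return problems
```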
List IPSec Site Connections

Verb | URI | Description
GET | /vpn/ipsec-site-connections | Lists the IPSec site-to-site connections.

Normal Response Code: 200
Error Response Codes: Unauthorized (401), Forbidden (403)

This operation does not require a request body. This operation returns a response body.

List IPSec Site Connections: Request

GET /v2.0/vpn/ipsec-site-connections.json
User-Agent: python-neutronclient
Accept: application/json

List IPSec Site Connections: Response

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

Show IPSec Site Connection

Verb | URI | Description
GET | /vpn/ipsec-site-connections/connection-id | Returns details about a specific IPSec site-to-site connection.

Normal Response Code: 200
Error Response Codes: Unauthorized (401), Forbidden (403), Not Found (404)

This operation does not require a request body. This operation returns a response body.

Show IPSec Site Connection: Request

GET /v2.0/vpn/ipsec-site-connections/cbc152a0-7e93-4f98-9f04-b085a4bf2511.json
User-Agent: python-neutronclient
Accept: application/json

Show IPSec Site Connection: Response

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

Create IPSec Site Connection

Verb | URI | Description
POST | /vpn/ipsec-site-connections | Creates a new IPSec site connection.

Normal Response Code: 201
Error Response Codes: Unauthorized (401), Bad Request (400)

This operation requires a request body. This operation returns a response body.

Create IPSec Site Connection: Request

POST /v2.0/vpn/ipsec-site-connections.json
User-Agent: python-neutronclient
Accept: application/json

Create IPSec Site Connection: Response

HTTP/1.1 201 Created
Content-Type: application/json; charset=UTF-8

Update IPSec Site Connection

Verb | URI | Description
PUT | /vpn/ipsec-site-connections/connection-id | Updates an IPSec site-to-site connection, provided its status does not indicate a PENDING_* state.

Normal Response Code: 200
Error Response Codes: Unauthorized (401), Bad Request (400), Not Found (404)

Update IPSec Site Connection: Request

PUT /v2.0/vpn/ipsec-site-connections/f7cf7305-f491-45f4-ad9c-8e7240fe3d72.json
User-Agent: python-neutronclient
Accept: application/json

Update IPSec Site Connection: Response

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

Delete IPSec Site Connection

Verb | URI | Description
DELETE | /vpn/ipsec-site-connections/connection-id | Deletes an IPSec site-to-site connection.

Normal Response Code: 204
Error Response Codes: Unauthorized (401), Not Found (404), Conflict (409)

This operation does not require a request body. This operation does not return a response body.

Delete IPSec Site Connection: Request

DELETE /v2.0/vpn/ipsec-site-connections/cbc152a0-7e93-4f98-9f04-b085a4bf2511.json
User-Agent: python-neutronclient
Accept: application/json

Delete IPSec Site Connection: Response

HTTP/1.1 204 No Content
Content-Length: 0