git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [DISCUSS] New VPN implementation based on IKEv2 backed by Vault


Khosrow thanks for the interesting feature. You mention two possible
methods to manage certificates; one using the CA framework, and other using
third party such as Vault and Let’s Encrypt.

Have you considered using the sshKeyPair API methods (is it part of the CA
framework?)? I mean, users already can generate key pairs via ACS, and then
they are presented with the private key. You could simply list these
certificates for the user when they want to configure a new certificate for
a VPN or generate one in runtime using this feature. Reading your feature
proposal I did not understand how you are binding certificated with a VPN
(are you always generating new ones and simply returning the private key to
users?).

Moreover, as the sshKeyPair methods, I do believe you should only return
the private key once. Therefore, you should not store it in ACS.

On Mon, Apr 2, 2018 at 4:36 PM, Khosrow Moossavi <kmoossavi@xxxxxxxxxxxx>
wrote:

> Hi Community
>
> I want to open up a discussion around the new Remote Access VPN
> implementation on VRs. Currently
> we have only L2TP implementation, which lacks different features (such as
> verbos logging), so we
> decided to start developing new implementation based on IKEv2 (on top of
> the existing strongSwan).
>
> We have this feature working locally for over a week now, and seems to be
> ready for opening up a
> PR on official repo. But before doing so we agreed to open up a discussion
> here first.
>
> The current implementation we use EAP + Public Key for authentication, so
> we need to have a PKI
> Engine somewhere. Rather than start re-inventing the wheel (and start
> extending the current CA Framework
> which was done by Rohit) we decided to delegate this functionality to
> HashiCorp Vault, which will act as
> a PKI backend engine for Cloudstack.
>
> The way I implemented this specific part of the code, is that it can easily
> be extended/implemented with other
> concrete classes or designs (such as going forward with in-house PKI
> engine, or even use external services
> such as Let's Encrypt), but at the end of the day we strongly suggest to
> use Vault, as it is really easy to use.
>
>
> Please find the design document here[1], and share your feedback. I will
> open up a PR -as is- soon to be able
> to have a source code to discuss around it as well.
>
> [1]:
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/
> VPN+Implementation+based+on+IKEv2+backed+by+Vault+as+PKI+Engine
>
>
> Thanks
>
> Khosrow Moossavi
>
> Cloud Infrastructure Developer
>
> t 514.447.3456
>
> <https://goo.gl/NYZ8KK>
>



-- 
Rafael Weingärtner


( ! ) Warning: include(msgfooter.php): failed to open stream: No such file or directory in /var/www/git/apache-cloudstack-development/msg07176.html on line 141
Call Stack
#TimeMemoryFunctionLocation
10.0009368840{main}( ).../msg07176.html:0

( ! ) Warning: include(): Failed opening 'msgfooter.php' for inclusion (include_path='.:/var/www/git') in /var/www/git/apache-cloudstack-development/msg07176.html on line 141
Call Stack
#TimeMemoryFunctionLocation
10.0009368840{main}( ).../msg07176.html:0