Versions Compared

Old Version 4

changes.mady.by.user Khosrow Moossavi

Saved on

compared with

New Version 5

changes.mady.by.user Khosrow Moossavi

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Provide the new VPN implementation based on IKEv2 rather than using existing L2TP implementation.

References

  • relevant links

Document History

v1 - Khosrow Moossavi - April 2nd 2018

Feature Specifications

  • provide a global settings to switch between L2TP and IKEv2 (only one can be active throughout an installation)
  • out of the box configuration of ipsec will be provided in /etc/ipsec.d/ikev2.conf
  • authentication will be done with EAP and Public Key
  • it will use self-signed certificates per domain act as CA on VRs
  • PKI backend engine (out of the box support)
    • Vault by HashiCorp
    • Default internal implementation (TBD on dev@)
    • External Services (such as Let's Encrypt) (TBD on dev@)
  • explain configuration characteristics:
    • configuration parameters or files introduced/changed
    • branding parameters or files introduced/changed
    • highlight parameters for performance tweaking
    • highlight how installation/upgrade scenarios change
  • deployment requirements (fresh install vs. upgrade) if any
  • system requirements: no special requirements needed
  • interoperability and compatibility requirements:
    • Tested on Debian 7 on VR
    • All major OSes (Linux, Windows 10, Mac X) as client of VPN
  • list localization and internationalization specifications
    • one language key added (message.enabled.vpn.ca.certificate)
  • explain the impact and possible upgrade/migration solution introduced by the feature 
  • explain levels or types of users communities of this feature (e.g. admin, user, etc)
    • this will be used by both infra admin, customer admin and customer user as it will be the Remove Access VPN implementation

Architecture and Design description

  • the main feature is pretty straight forward, a global setting is added to distinguish between L2TP and IKEv2 implementation
  • the scripts changes on VR are pretty straight forward as well, the type of VPN added in the command being sent to VR and the corresponding ipsec config file will be loaded
  • the main part of the design document will be around using external or start implementing internal PKI backend engine. which we will have multiple options (at least two)
    • Using Vault as the PKI engine (recommended by author and fully implemented as of Apr 2018)
    • Using Cloudstack as a self contained PKI engine (it's not recommended and it's not implemented)
    • Using external services (such as Let's Encrypt) to generate and sign certificates (this is nice to have but will need to be discussed on ML)
  • discussion of alternatives amongst design ideas, their resources/time tradeoffs and limitations. Explain why a certain design idea is chosen over others
  • highlight architectural patterns being used (queues, async/sync, state machines, etc)
  • talk about main algorithms used
  • explain what components are being changed and what the dependent components are
  • regarding database: talk about tables being added/modified
  • performance implications: what are the improvements or risks introduced to capacity, response time, resources usage and other relevant KPIs
  • preferably show class diagrams, sequence diagrams and state diagrams
  • if possible, publish signatures of all methods classes and interfaces implement, and the explain the object information of different classes

Web Services APIs

list changes to existing web services APIs and new APIs introduced with signatures and throughout documentation

  • Added API
    • ListVpnCaCertificateCmd
      • input:
        • domain (uuid)
      • output (CertificateResponse)
        • certificate: The client certificate
        • privateKey: Private key for the certificate
        • caCertificate: The CA certificate(s)
  • Modified API
    • RemoteAccessVpnResponse: two additional fields
      • type: the type of remote access vpn implementation (e.g. l2tp or ikev2)
      • certificate: the client certificate

 

UI flow

  • either demonstrate it visually here or link to relevant mockupsthe only changes on the UI are the fact that we don't have Preshared Key anymore rather we will have Certificates (and user should be able to download them)

IP Clearance

...