[DISCUSS] New VPN implementation based on IKEv2 backed by Vault
I want to open up a discussion around the new Remote Access VPN
implementation on VRs. Currently
we have only L2TP implementation, which lacks different features (such as
verbos logging), so we
decided to start developing new implementation based on IKEv2 (on top of
the existing strongSwan).
We have this feature working locally for over a week now, and seems to be
ready for opening up a
PR on official repo. But before doing so we agreed to open up a discussion
The current implementation we use EAP + Public Key for authentication, so
we need to have a PKI
Engine somewhere. Rather than start re-inventing the wheel (and start
extending the current CA Framework
which was done by Rohit) we decided to delegate this functionality to
HashiCorp Vault, which will act as
a PKI backend engine for Cloudstack.
The way I implemented this specific part of the code, is that it can easily
be extended/implemented with other
concrete classes or designs (such as going forward with in-house PKI
engine, or even use external services
such as Let's Encrypt), but at the end of the day we strongly suggest to
use Vault, as it is really easy to use.
Please find the design document here, and share your feedback. I will
open up a PR -as is- soon to be able
to have a source code to discuss around it as well.
Cloud Infrastructure Developer