IPSec Strongswan VPNaaS Driver
Ubuntu supports strongSwan in main as of release 14.04. This driver will give customers the choice of running strongSwan on it.
The strongSwan driver is very similar to the openswan driver, apart from substantial differences in their configuration files.
So the currently implemented methods are:
- We’d have to create a strongswan_opts based off openswan_opts.
- Provide different configuration file template.
- Create a StrongSwanProcess class based off OpenSwanProcess in the file neutron/services/vpn/device_drivers/ipsec.py (openswan uses pluto and whack, while strongSwan uses ‘charon’ and ‘stroke’ respectively).
- The IPsecDriver._update_nat looks like it sets the right iptables ipsec needed rules for strongSwan.
Data Model Impact
REST API Impact
The latest strongSwan 5.x has different attributes than the previous versions. For example, 5.x has abandoned some configuration options such as plutostart, nat_traversal, virtual_private and pfs, and some options now have default values, such as strictpolicy=no and charonstart=yes.
OpenSwan's attributes are closer to those of strongSwan versions before 5.x than to strongSwan 5.x itself. The initial effort only supports 5.x and implements an equivalent PSK net-to-net VPN service based on the recommended configuration in the link referenced below, just as openSwan did in the past. Future blueprints will extend other features for strongSwan, like API, auth modes, roadwarrior-to-net etc.
So the capabilities provided by this initial implementation of the strongSwan driver are the same as the openSwan driver's:
- Net-to-Net Private Network connecting two private networks.
- Multiple VPN connections per tenant.
But the parameters are somewhat different, for example:
- only IKEv2 policies are supported, not IKEv1.
- only the default IPsec policy and DPD are supported now; future blueprints will extend this to more auth modes and more encryption algorithms.
Therefore, the resources API (service, ikepolicy, ipsecpolicy, ipsec-site-connection) will also do the corresponding code adjustment.
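As an added illustration of the template differences described above (this is not code from the linked review or from Neutron), the following Python sketch renders a strongSwan 5.x ipsec.conf and ipsec.secrets for the net-to-net PSK case, following the layout of the strongSwan net2net-psk example referenced below, and rejects the unsupported IKEv1 case and any removed 5.x option. The connection dict keys, identities and addresses are assumptions constructed for the example.

```python
from ipaddress import ip_network
from string import Template

# Options strongSwan 5.x dropped; a template inherited from openswan_opts must not emit them.
DROPPED_IN_5X = ("plutostart", "nat_traversal", "virtual_private", "pfs")

# Layout follows strongSwan's net2net-psk example the spec references (IKEv2, PSK, DPD).
IPSEC_CONF = Template("""config setup
    uniqueids=no

conn %default
    keyexchange=ikev2
    authby=secret
    dpdaction=restart
    dpddelay=30s

conn $name
    left=$local_ip
    leftsubnet=$local_cidr
    leftid=@$local_id
    right=$peer_ip
    rightsubnet=$peer_cidr
    rightid=@$peer_id
    auto=start
""")

# Constructed sample; keys mirror a hypothetical site-connection dict, not Neutron's model.
SAMPLE = dict(name="net-net", ike_version="v2", psk="constructed-psk",
              local_ip="192.0.2.1", local_cidr="10.1.0.0/16", local_id="moon.example",
              peer_ip="198.51.100.1", peer_cidr="10.2.0.0/16", peer_id="sun.example")

def render_ipsec_conf(conn):
    """Render ipsec.conf, rejecting what the initial driver does not support."""
    if conn["ike_version"] != "v2":
        raise ValueError("strongSwan driver only supports IKEv2 policies")
    for cidr in (conn["local_cidr"], conn["peer_cidr"]):
        ip_network(cidr)  # fail early on malformed subnets instead of inside charon
    if any(opt in IPSEC_CONF.template for opt in DROPPED_IN_5X):
        raise ValueError("template emits an option removed in strongSwan 5.x")
    return IPSEC_CONF.substitute(conn)

def render_ipsec_secrets(conn):
    """Render ipsec.secrets; the driver must write this file with mode 0600."""
    if '"' in conn["psk"] or "\n" in conn["psk"]:
        raise ValueError("PSK must not contain quotes or newlines")
    return f'@{conn["local_id"]} @{conn["peer_id"]} : PSK "{conn["psk"]}"\n'
```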
Other End User Impact
Users will need to configure the INI file for the strongSwan driver.
No effect on VPNaaS performance.
Other Deployer Impact
Other alternatives would lack community support.
- StrongSwanProcess code in neutron/services/vpn/device_drivers/ipsec.py
- Work out a configuration file for best practice
- Unit tests & Advanced Service tests
- A netns wrapper to support running strongSwan in different namespace.
- Update API documentation to reflect strongSwan capabilities.
- Update user documentation to indicate how to use strongSwan option.
- Unit tests
- Advanced Service tests
- Functional tests
Not applicable; advanced service tests cover this.
New neutron functional tests will be added to cover the scenario below:
- add a functional test named test_vpnagent_create_process
- override the configuration item vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.StrongSwanDriver
- invoke the create_process method, then check that the ipsec process has been started and the strongSwan configuration file has been created correctly.
The default vpn_device_driver is still openSwan, so in addition to installing the strongSwan package, vpn_device_driver must be updated in /etc/neutron/vpn_agent.ini to use strongSwan:
vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.StrongSwanDriver
API document mentioned above should also be updated, as part of this effort.
- IPSec strongswan driver code: https://review.openstack.org/#/c/100791/
- IPSec openswan driver blueprint: https://blueprints.launchpad.net/neutron/+spec/ipsec-vpn-reference
- IPSec openswan driver code: https://review.openstack.org/#/c/33148/
- IPSec openswan driver spec: https://docs.google.com/presentation/d/1uoYMl2fAEHTpogAe27xtGpPcbhm7Y3tlHIw_G1Dy5aQ/edit
- strongSwan IKEv2 net2net-psk test results: http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/
- VPNaaS API extension documentation: http://docs.openstack.org/api/openstack-network/2.0/content/vpnaas_ext.html