IPSec Strongswan VPNaaS Driver

https://blueprints.launchpad.net/neutron/+spec/ipsec-strongswan-driver

Problem Description

Ubuntu supports strongSwan in main as of release 14.04. This driver will provide the choice for the customers to run strongSwan on it.

Proposed Change

strongSwan driver is very similar with openswan driver in addition to quite difference of their configuration files.

So the currently implemented methods are:

  • We’d have to create a strongswan_opts based off openswan_opts.
  • Provide different configuration file template.
  • Create a StrongSwanProcess class based off OpenSwanProcess in the file neutron/services/vpn/device_drivers/ipsec.py (openswan uses pluto and whack, while strongSwan uses ‘charon’ and ‘stroke’ respectively).
  • The IPsecDriver._update_nat looks like it sets the right iptables ipsec needed rules for strongSwan.

Data Model Impact

None.

REST API Impact

The latest strongSwan 5.x has different attributes than the previous version. For example, 5.x has abandoned some configurations like plutostart, nat_traversal, virtual_private, pfs etc, and some configurations also have the default value like strictpolicy=no, charonstart=yes.

OpenSwan has more similiar attributes with the previous version of strongSwan 5.x, but not with strongSwan 5.x. Initial efforts only support 5.x and implement an equivalent psk net-to-net vpn service based on recommended configuration in the link [5] just as openSwan did in the past. Future blueprints will extend other features for strongSwan, like API, auth modes, roadwarrior-to-net etc.

So the capabilites provided by this initail implementation of the strongSwan driver are the same with openSwan driver [6]:

  • Net-to-Net Private Network connecting two private networks.
  • Multiple VPN connections per tenant.

But the parmeters are somewhat different, like:

  • only supporting IKEv2 policy, not support IKEv1.
  • only supporting default IPSec policy and DPD now, future blueprints will extend for more auth modes and more encryption algorithms.

Therefore, the resources API (service, ikepolicy, ipsecpolicy, ipsec-site-connection) will also do the corresponding code adjustment.

Security Impact

None.

Notifications Impact

None.

Other End User Impact

User will need to configure the INI file for the strongSwan driver.

Performance Impact

No effect to the VPNaaS performance.

IPv6 Impact

None

Other Deployer Impact

None.

Developer Impact

None.

Community Impact

None.

Alternatives

Other alternatives will be lack of community support.

Implementation

Assignee(s)

Primary assignee:
Zhang Hua <joshua.zhang@canonical.com>

Work Items

  • StrongSwanProcess code in neutron/services/vpn/device_drivers/ipsec.py
  • Work out a configuration file for best practice
  • Unit tests & Advanced Service tests
  • A netns wrapper to support running strongSwan in different namespace.
  • Update API documentation to reflect strongSwan capabilites.
  • Update user documentation to indicate how to use strongSwan option.

Dependencies

Testing

  • Unit tests
  • Advanced Service tests
  • Functional tests

Tempest Tests

Not applicable. use advanced service tests to cover.

Functional Tests

New neutron functional tests will be added to cover below scenario.

  • new a functional test named test_vpnagent_create_process
  • overide the configuration item vpn_device_driver= neutron.services.vpn.device_drivers.ipsec.StrongSwanDriver
  • invoke create_process method then to check if ipsec process has been started and strongSwan configuration file has been created correctly.

API Tests

Not applicable.

Documentation Impact

User Documentation

The default vpn_device_driver is still openSwan, so need to update vpn_device_driver to use strongSwan in the file /etc/neutron/vpn_agent.ini in addition to installing strongSwan package. vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.StrongSwanDriver

API document mentioned above should also be updated, as part of this effort.

Developer Documentation

None.