diff --git a/specs/kilo/ipsec-strongswan-driver.rst b/specs/kilo/ipsec-strongswan-driver.rst new file mode 100644 index 000000000..6e516fead --- /dev/null +++ b/specs/kilo/ipsec-strongswan-driver.rst @@ -0,0 +1,221 @@ +.. + This work is licensed under a Creative Commons Attribution 3.0 Unported + License. + + http://creativecommons.org/licenses/by/3.0/legalcode + +========================================== +IPSec Strongswan VPNaaS Driver +========================================== + +https://blueprints.launchpad.net/neutron/+spec/ipsec-strongswan-driver + + +Problem Description +=================== + +Ubuntu supports strongSwan in main as of release 14.04. This driver +will provide the choice for the customers to run strongSwan on it. + +Proposed Change +=============== + +strongSwan driver is very similar with openswan driver in addition to +quite difference of their configuration files. + +So the currently implemented methods are: + +* We'd have to create a strongswan_opts based off openswan_opts. + +* Provide different configuration file template. + +* Create a StrongSwanProcess class based off OpenSwanProcess in the + file neutron/services/vpn/device_drivers/ipsec.py (openswan uses pluto + and whack, while strongSwan uses 'charon' and 'stroke' respectively). + +* The IPsecDriver._update_nat looks like it sets the right iptables + ipsec needed rules for strongSwan. + +Data Model Impact +----------------- + +None. + + +REST API Impact +--------------- + +The latest strongSwan 5.x has different attributes than the previous +version. For example, 5.x has abandoned some configurations like +plutostart, nat_traversal, virtual_private, pfs etc, and some +configurations also have the default value like strictpolicy=no, +charonstart=yes. + +OpenSwan has more similiar attributes with the previous version of +strongSwan 5.x, but not with strongSwan 5.x. Initial efforts only +support 5.x and implement an equivalent psk net-to-net vpn service +based on recommended configuration in the link [5] just as openSwan +did in the past. Future blueprints will extend other features for +strongSwan, like API, auth modes, roadwarrior-to-net etc. + +So the capabilites provided by this initail implementation of the +strongSwan driver are the same with openSwan driver [6]: + +* Net-to-Net Private Network connecting two private networks. + +* Multiple VPN connections per tenant. + +But the parmeters are somewhat different, like: + +* only supporting IKEv2 policy, not support IKEv1. + +* only supporting default IPSec policy and DPD now, future blueprints + will extend for more auth modes and more encryption algorithms. + +Therefore, the resources API (service, ikepolicy, ipsecpolicy, +ipsec-site-connection) will also do the corresponding code adjustment. + +Security Impact +--------------- + +None. + + +Notifications Impact +-------------------- + +None. + + +Other End User Impact +--------------------- + +User will need to configure the INI file for the strongSwan driver. + + +Performance Impact +------------------ + +No effect to the VPNaaS performance. + + +IPv6 Impact +----------- + +None + + +Other Deployer Impact +--------------------- + +None. + + +Developer Impact +---------------- + +None. + + +Community Impact +---------------- + +None. + + +Alternatives +------------ + +Other alternatives will be lack of community support. + + +Implementation +============== + +Assignee(s) +----------- + +Primary assignee: + Zhang Hua + +Work Items +---------- + +* StrongSwanProcess code in neutron/services/vpn/device_drivers/ipsec.py +* Work out a configuration file for best practice +* Unit tests & Advanced Service tests +* A netns wrapper to support running strongSwan in different namespace. +* Update API documentation to reflect strongSwan capabilites. +* Update user documentation to indicate how to use strongSwan option. + +Dependencies +============ + + +Testing +======= + +* Unit tests +* Advanced Service tests +* Functional tests + +Tempest Tests +------------- + +Not applicable. use advanced service tests to cover. + + +Functional Tests +---------------- + +New neutron functional tests will be added to cover below scenario. + +* new a functional test named test_vpnagent_create_process +* overide the configuration item vpn_device_driver= + neutron.services.vpn.device_drivers.ipsec.StrongSwanDriver +* invoke create_process method then to check if ipsec process has been + started and strongSwan configuration file has been created correctly. + + +API Tests +--------- + +Not applicable. + + +Documentation Impact +==================== + +User Documentation +------------------ + +The default vpn_device_driver is still openSwan, so need to update +vpn_device_driver to use strongSwan in the file /etc/neutron/vpn_agent.ini +in addition to installing strongSwan package. +vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.StrongSwanDriver + +API document mentioned above should also be updated, as part of this effort. + +Developer Documentation +----------------------- + +None. + + +References +========== + +* [1] IPSec strongswan driver code: https://review.openstack.org/#/c/100791/ + +* [2] IPSec openswan driver bluprint: + https://blueprints.launchpad.net/neutron/+spec/ipsec-vpn-reference + +* [3] IPSec openswan driver code: https://review.openstack.org/#/c/33148/ + +* [4] IPSec openswan driver spec: + https://docs.google.com/presentation/d/1uoYMl2fAEHTpogAe27xtGpPcbhm7Y3tlHIw_G1Dy5aQ/edit + +* [5] http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/ + +* [6] http://docs.openstack.org/api/openstack-network/2.0/content/vpnaas_ext.html +