Provide one choice for Ubuntu customers to run strongSwan IPsec VPN on it, just as openswan does on Red Hat.
Change-Id: I063fd81e29abb1b72c519606c2c9238811c0515d
Implements: blueprint ipsec-strongswan-driver
IPSec Strongswan VPNaaS Driver
https://blueprints.launchpad.net/neutron/+spec/ipsec-strongswan-driver
Problem Description
Ubuntu supports strongSwan in main as of release 14.04. This driver gives those customers the option of running strongSwan on it.
Proposed Change
The strongSwan driver is very similar to the openswan driver, apart from the substantial differences between their configuration files.
So the work currently required is:
- We'd have to create a strongswan_opts based off openswan_opts.
- Provide different configuration file template.
- Create a StrongSwanProcess class based off OpenSwanProcess in the file neutron/services/vpn/device_drivers/ipsec.py (openswan uses pluto and whack, while strongSwan uses 'charon' and 'stroke' respectively).
- The IPsecDriver._update_nat looks like it sets the right iptables ipsec needed rules for strongSwan.
Data Model Impact
None.
REST API Impact
The latest strongSwan 5.x has different attributes from the previous versions. For example, 5.x has abandoned some configuration keywords such as plutostart, nat_traversal, virtual_private and pfs, and some keywords now carry default values such as strictpolicy=no and charonstart=yes.
Openswan's attributes are closer to those of the strongSwan releases before 5.x than to strongSwan 5.x itself. Initial efforts only support 5.x and implement an equivalent PSK net-to-net VPN service based on the recommended configuration in link [5], just as openswan did in the past. Future blueprints will extend other features for strongSwan, like API, auth modes, roadwarrior-to-net etc.
So the capabilities provided by this initial implementation of the strongSwan driver are the same as those of the openswan driver [6]:
- Net-to-Net Private Network connecting two private networks.
- Multiple VPN connections per tenant.
But the parameters are somewhat different, for example:
- only the IKEv2 policy is supported, not IKEv1.
- only the default IPsec policy and DPD are supported for now; future blueprints will extend this to more auth modes and more encryption algorithms.
Therefore, the resources API (service, ikepolicy, ipsecpolicy, ipsec-site-connection) will also do the corresponding code adjustment.
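As an added illustration of the "different configuration file template" work item above and of the 5.x keyword changes described in this section (example code, not the driver's own template from the review in [1]): render a strongSwan 5.x ipsec.conf/ipsec.secrets pair for one net-to-net PSK connection with IKEv2 and DPD, modelled on the net2net-psk scenario in [5], and flag any openswan-era keywords that 5.x dropped. The connection attribute names and values are constructed for this example.

```python
import textwrap

# Keywords the spec notes were abandoned in strongSwan 5.x; a template that
# still emits them was written for openswan or pre-5.x strongSwan.
LEGACY_OPENSWAN_KEYS = {"plutostart", "nat_traversal", "virtual_private", "pfs"}

# Constructed sample connection (hypothetical attribute names, made-up values).
SAMPLE_CONN = {
    "id": "conn-1",
    "local_addr": "192.0.2.1", "local_cidr": "10.1.0.0/16",
    "peer_addr": "198.51.100.1", "peer_cidr": "10.2.0.0/16",
    "psk": "constructed-shared-secret",
    "dpd_action": "restart", "dpd_interval": 30, "dpd_timeout": 120,
}


def render_ipsec_conf(conn):
    """Return an ipsec.conf body using only strongSwan 5.x keywords (IKEv2, PSK)."""
    return textwrap.dedent(f"""\
        config setup
            uniqueids=no
        conn {conn['id']}
            keyexchange=ikev2
            authby=secret
            left={conn['local_addr']}
            leftsubnet={conn['local_cidr']}
            leftid={conn['local_addr']}
            right={conn['peer_addr']}
            rightsubnet={conn['peer_cidr']}
            rightid={conn['peer_addr']}
            dpdaction={conn['dpd_action']}
            dpddelay={conn['dpd_interval']}s
            dpdtimeout={conn['dpd_timeout']}s
            auto=route
        """)


def render_ipsec_secrets(conn):
    """Return the ipsec.secrets line binding the PSK to both peer identities."""
    return f'{conn["local_addr"]} {conn["peer_addr"]} : PSK "{conn["psk"]}"\n'


def legacy_keys_present(conf_text):
    """Return the set of dropped openswan-era keywords found in a rendered config."""
    keys = {line.strip().split("=")[0] for line in conf_text.splitlines()}
    return keys & LEGACY_OPENSWAN_KEYS
```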
Security Impact
None.
Notifications Impact
None.
Other End User Impact
User will need to configure the INI file for the strongSwan driver.
Performance Impact
No effect on the VPNaaS performance.
IPv6 Impact
None.
Other Deployer Impact
None.
Developer Impact
None.
Community Impact
None.
Alternatives
Other alternatives would lack community support.
Implementation
Assignee(s)
- Primary assignee: Zhang Hua <joshua.zhang@canonical.com>
Work Items
- StrongSwanProcess code in neutron/services/vpn/device_drivers/ipsec.py
- Work out a configuration file for best practice
- Unit tests & Advanced Service tests
- A netns wrapper to support running strongSwan in different namespace.
- Update API documentation to reflect strongSwan capabilities.
- Update user documentation to indicate how to use strongSwan option.
Dependencies
Testing
- Unit tests
- Advanced Service tests
- Functional tests
Tempest Tests
Not applicable; the advanced service tests cover this.
Functional Tests
New neutron functional tests will be added to cover the scenario below.
- add a functional test named test_vpnagent_create_process
- override the configuration item vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.StrongSwanDriver
- invoke the create_process method, then check that the ipsec process has been started and that the strongSwan configuration file has been created correctly.
API Tests
Not applicable.
Documentation Impact
User Documentation
The default vpn_device_driver is still openswan, so in addition to installing the strongSwan package, vpn_device_driver must be updated in the file /etc/neutron/vpn_agent.ini to select strongSwan:
vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.StrongSwanDriver
API document mentioned above should also be updated, as part of this effort.
Developer Documentation
None.
References
- [1] IPSec strongswan driver code: https://review.openstack.org/#/c/100791/
- [2] IPSec openswan driver blueprint: https://blueprints.launchpad.net/neutron/+spec/ipsec-vpn-reference
- [3] IPSec openswan driver code: https://review.openstack.org/#/c/33148/
- [4] IPSec openswan driver spec: https://docs.google.com/presentation/d/1uoYMl2fAEHTpogAe27xtGpPcbhm7Y3tlHIw_G1Dy5aQ/edit
- [5] http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/
- [6] http://docs.openstack.org/api/openstack-network/2.0/content/vpnaas_ext.html