From 2297098875f24289259f12012ab5f077d6051383 Mon Sep 17 00:00:00 2001
From: Patryk Jakuszew
Date: Fri, 26 Mar 2021 07:43:08 +0100
Subject: [PATCH] Add ipsec.secrets reload function to strongSwan driver

Currently, strongSwan driver only triggers "ipsec reload" command when a new IPsec Site Connection configuration is received. If that configuration uses a different PSK, it will not be picked up upon reload called by restart() function. This change introduces a separate reload_secrets() function which will call "ipsec rereadsecrets" before "ipsec reload".

Closes-Bug: #1921514
Change-Id: Ia5458bbbb38b1d645547baf56ce3bb5ee2a97781
---
 .../services/vpn/device_drivers/strongswan_ipsec.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py b/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py
index b8d868e6f..708952a1f 100644
--- a/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py
+++ b/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py
@@ -158,8 +158,20 @@ class StrongSwanProcess(ipsec.BaseSwanProcess):
 def restart(self):
 """Restart the process."""
+ self.reload_secrets()
 self.reload()
 
+ def reload_secrets(self):
+ """Reload the ipsec.secrets file.
+
+ Flushes and rereads all secrets defined in ipsec.secrets. This needs
+ to be done each time when a new site connection is associated with
+ a VPN service which already hosts a site connection - 'ipsec reload'
+ does not reload the secrets and new connections will not authenticate
+ properly.
+ """
+ self._execute([self.binary, 'rereadsecrets'])
+
 def reload(self):
 """Reload the process.