From 310ecf6cda791e60b1f97cfd8ca36a2a83ff381c Mon Sep 17 00:00:00 2001
From: Maximilian Sesterhenn
Date: Thu, 9 Oct 2025 10:13:45 +0200
Subject: [PATCH] Add dialect map to support AEAD algorithms with Libreswan
This adds the missing dialect map for Libreswan to support the new AEAD ciphers.
Closes-Bug: #2127159
Co-authored-by: Maximilian Stinsky
Signed-off-by: Maximilian Sesterhenn
Change-Id: I1f6e9e6a46c8c148708e080bf4cbfb8ab37a9b90
---
 .../vpn/device_drivers/libreswan_ipsec.py | 33 +++++++++++++++++++
 ...breswan-aead-ciphers-23fca20ad7da7214.yaml | 5 +++
 2 files changed, 38 insertions(+)
 create mode 100644 releasenotes/notes/add-missing-dialect-map-libreswan-aead-ciphers-23fca20ad7da7214.yaml
diff --git a/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py b/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
index 2284118bf..502e3f5f4 100644
--- a/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
+++ b/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
@@ -25,8 +25,41 @@ class LibreSwanProcess(ipsec.OpenSwanProcess):
 """
 IPSEC_CONF_NAT_TRAVERSAL = None
+ DIALECT_MAP = dict(ipsec.BaseSwanProcess.DIALECT_MAP)
+
 # pylint: disable=useless-super-delegation
 def __init__(self, conf, process_id, vpnservice, namespace):
+ dialect_map_update = {
+ # ENCR_AES_CTR
+ 'aes-128-ctr': 'aes_ctr128',
+ 'aes-192-ctr': 'aes_ctr192',
+ 'aes-256-ctr': 'aes_ctr256',
+ # ENCR_AES_CCM_8
+ 'aes-128-ccm-8': 'aes_ccm_a128',
+ 'aes-192-ccm-8': 'aes_ccm_a192',
+ 'aes-256-ccm-8': 'aes_ccm_a256',
+ # ENCR_AES_CCM_12
+ 'aes-128-ccm-12': 'aes_ccm_b128',
+ 'aes-192-ccm-12': 'aes_ccm_b192',
+ 'aes-256-ccm-12': 'aes_ccm_b256',
+ # ENCR_AES_CCM_16
+ 'aes-128-ccm-16': 'aes_ccm_c128',
+ 'aes-192-ccm-16': 'aes_ccm_c192',
+ 'aes-256-ccm-16': 'aes_ccm_c256',
+ # ENCR_AES_GCM_8
+ 'aes-128-gcm-8': 'aes_gcm_a128',
+ 'aes-192-gcm-8': 'aes_gcm_a192',
+ 'aes-256-gcm-8': 'aes_gcm_a256',
+ # ENCR_AES_GCM_12
+ 'aes-128-gcm-12': 'aes_gcm_b128',
+ 'aes-192-gcm-12': 'aes_gcm_b192',
+ 'aes-256-gcm-12': 'aes_gcm_b256',
+ # ENCR_AES_GCM_16
+ 'aes-128-gcm-16': 'aes_gcm_c128',
+ 'aes-192-gcm-16': 'aes_gcm_c192',
+ 'aes-256-gcm-16': 'aes_gcm_c256'
+ }
+ self.DIALECT_MAP.update(dialect_map_update)
 self._rootwrap_cfg = self._get_rootwrap_config()
 super().__init__(conf, process_id, vpnservice, namespace)
diff --git a/releasenotes/notes/add-missing-dialect-map-libreswan-aead-ciphers-23fca20ad7da7214.yaml b/releasenotes/notes/add-missing-dialect-map-libreswan-aead-ciphers-23fca20ad7da7214.yaml
new file mode 100644
index 000000000..98fbc9687
--- /dev/null
+++ b/releasenotes/notes/add-missing-dialect-map-libreswan-aead-ciphers-23fca20ad7da7214.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - |
+ The required dialect map has been added to allow for usage of the
+ new AEAD ciphers with Libreswan.
\ No newline at end of file
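Review bot: `self.DIALECT_MAP.update(dialect_map_update)` in `__init__` writes to the class-level dict created by `DIALECT_MAP = dict(ipsec.BaseSwanProcess.DIALECT_MAP)`, so the literal is rebuilt and the shared map rewritten on every instantiation, and `LibreSwanProcess.DIALECT_MAP` lacks the new keys until a first instance exists. Moving the literal into the class body as `DIALECT_MAP.update({...})` directly after the attribute would build the map once and keep `__init__` free of shared-state writes. The `# ENCR_AES_CTR` group would also benefit from a comment like `# ENCR_AES_CTR: not AEAD, confidentiality only, needs a separate integrity algorithm`, because the commit presents the whole set as AEAD; likewise the `-8` and `-12` variants carry an 8- or 12-octet ICV and give less forgery resistance than the `-16` forms. The copy is taken from `BaseSwanProcess` rather than the direct parent `OpenSwanProcess`, which would drop any entries the parent adds (not visible here, since the class starts above the hunk).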