openstack/neutron-vpnaas
Code Issues Proposed changes

Support for libreswan 4

Browse Source 
With libreswan 4 some command line option changed, the rundir is now
/run/pluto instead of /var/run/pluto, and nat_traversal must not be set
in ipsec.conf.
Adapt the libreswan device driver accordingly.
Users will require libreswan v4.0 or higher, compatibility with v3.x is
not maintained.

Closes-Bug: #1938571
Change-Id: Ib55e3c3f9cfbe3dfe1241ace8c821256d7fc174a
This commit is contained in:
Bodo Petermann 2023-09-19 15:58:56 +02:00
parent 9191fb672b
commit 55558e8f3b
5 changed files with 35 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
neutron_vpnaas/services/vpn/device_drivers/ipsec.py
View File

@ -445,6 +445,10 @@ class OpenSwanProcess(BaseSwanProcess):
(2) ipsec addconn: Adds new ipsec addconn (2) ipsec addconn: Adds new ipsec addconn
(3) ipsec whack: control interface for IPSEC keying daemon (3) ipsec whack: control interface for IPSEC keying daemon
""" """
# Derived classes can set IPSEC_CONF_NAT_TRAVERSAL to None to
# omit the nat_traversal line in ipsec.conf
IPSEC_CONF_NAT_TRAVERSAL = "yes"
def __init__(self, conf, process_id, vpnservice, namespace): def __init__(self, conf, process_id, vpnservice, namespace):
super(OpenSwanProcess, self).__init__(conf, process_id, super(OpenSwanProcess, self).__init__(conf, process_id,
vpnservice, namespace) vpnservice, namespace)
@ -641,7 +645,8 @@ class OpenSwanProcess(BaseSwanProcess):
virtual_privates = self._virtual_privates(vpnservice) virtual_privates = self._virtual_privates(vpnservice)
return template.render( return template.render(
{'vpnservice': vpnservice, {'vpnservice': vpnservice,
'virtual_privates': virtual_privates}) 'virtual_privates': virtual_privates,
'nat_traversal': self.IPSEC_CONF_NAT_TRAVERSAL})
def start_pluto(self): def start_pluto(self):
cmd = [self.binary, cmd = [self.binary,

6
neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
View File

@ -25,6 +25,8 @@ class LibreSwanProcess(ipsec.OpenSwanProcess):
Libreswan needs nssdb initialised before running pluto daemon. Libreswan needs nssdb initialised before running pluto daemon.
""" """
IPSEC_CONF_NAT_TRAVERSAL = None
# pylint: disable=useless-super-delegation # pylint: disable=useless-super-delegation
def __init__(self, conf, process_id, vpnservice, namespace): def __init__(self, conf, process_id, vpnservice, namespace):
self._rootwrap_cfg = self._get_rootwrap_config() self._rootwrap_cfg = self._get_rootwrap_config()
@ -39,7 +41,7 @@ class LibreSwanProcess(ipsec.OpenSwanProcess):
""" """
ip_wrapper = ip_lib.IPWrapper(namespace=self.namespace) ip_wrapper = ip_lib.IPWrapper(namespace=self.namespace)
mount_paths = {'/etc': '%s/etc' % self.config_dir, mount_paths = {'/etc': '%s/etc' % self.config_dir,
'/var/run': '%s/var/run' % self.config_dir} '/run': '%s/var/run' % self.config_dir}
mount_paths_str = ','.join( mount_paths_str = ','.join(
"%s:%s" % (source, target) "%s:%s" % (source, target)
for source, target in mount_paths.items()) for source, target in mount_paths.items())
@ -106,7 +108,7 @@ class LibreSwanProcess(ipsec.OpenSwanProcess):
def start_pluto(self): def start_pluto(self):
cmd = ['pluto', cmd = ['pluto',
'--use-netkey', '--use-xfrm',
'--uniqueids'] '--uniqueids']
if self.conf.ipsec.enable_detailed_logging: if self.conf.ipsec.enable_detailed_logging:

4
neutron_vpnaas/services/vpn/device_drivers/template/openswan/ipsec.conf.template
View File

@ -1,6 +1,8 @@
# Configuration for {{vpnservice.id}} # Configuration for {{vpnservice.id}}
config setup config setup
nat_traversal=yes {% if nat_traversal is defined and nat_traversal is not none -%}
nat_traversal={{nat_traversal}}
{% endif -%}
virtual_private={{virtual_privates}} virtual_private={{virtual_privates}}
conn %default conn %default
keylife=60m keylife=60m

12
neutron_vpnaas/tests/unit/services/vpn/device_drivers/test_ipsec.py
View File

@ -998,7 +998,7 @@ class TestOpenSwanConfigGeneration(BaseIPsecDeviceDriver):
self.conf.register_opts(openswan_ipsec.openswan_opts, 'openswan') self.conf.register_opts(openswan_ipsec.openswan_opts, 'openswan')
self.conf.set_override('state_path', '/tmp') self.conf.set_override('state_path', '/tmp')
self.ipsec_template = self.conf.openswan.ipsec_config_template self.ipsec_template = self.conf.openswan.ipsec_config_template
self.process = openswan_ipsec.OpenSwanProcess(self.conf, self.process = ipsec_process(self.conf,
'foo-process-id', 'foo-process-id',
self.vpnservice, self.vpnservice,
mock.ANY) mock.ANY)
@ -1206,6 +1206,16 @@ class IPsecStrongswanConfigGeneration(BaseIPsecDeviceDriver):
self.check_config_file(expected, actual) self.check_config_file(expected, actual)
class TestLibreSwanConfigGeneration(TestOpenSwanConfigGeneration):
def setUp(self, driver=libreswan_ipsec.LibreSwanDriver,
ipsec_process=libreswan_ipsec.LibreSwanProcess):
super().setUp(driver=driver, ipsec_process=ipsec_process)
def build_ipsec_expected_config_for_test(self, info):
expected = super().build_ipsec_expected_config_for_test(info)
return expected.replace(' nat_traversal=yes\n', '')
class TestOpenSwanProcess(IPSecDeviceLegacy): class TestOpenSwanProcess(IPSecDeviceLegacy):
_test_timeout = 1 _test_timeout = 1

8
releasenotes/notes/libreswan4-0e43b4cc41a5c0bc.yaml Normal file
View File

@ -0,0 +1,8 @@
---
upgrade:
- |
The updated VPNaaS driver for libreswan requires libreswan v4.0 or later.
fixes:
- |
Fixed the VPNaaS driver for libreswan to be compatible with libreswan v4
and dropped support for libreswan v3.x.