Add aggressive negotiation mode for ikepolicy

The *swan drivers can support the selection of main or aggressive
negotiation mode, but vpnaas only supports main mode. When the external
host establishes a VPN communication with the internal virtual machine in
the cloud environment, if the external vpn site connection is configured
in aggressive mode, this will cause communication failure. Therefore, this
patch adds support for aggressive mode.

Change-Id: Ia3c9db2d151bd7c63c6ab500dbdecfaf07583a6f
Partial-Bug: #1701413

neutron_vpnaas/db/migration/alembic_migrations/versions/EXPAND_HEAD

@@ -1 +1 @@
-95601446dbcc
+5f884db48ba9

neutron_vpnaas/db/migration/alembic_migrations/versions/victoria/expand/5f884db48ba9_add_aggressive_negotiation_modes.py

@@ -0,0 +1,39 @@
+# Copyright 2020 cmss, Inc.  All rights reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+#
+
+"""add_aggressive_negotiation_modes
+
+Revision ID: 5f884db48ba9
+Revises: 95601446dbcc
+Create Date: 2020-05-12 14:37:46.320070
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '5f884db48ba9'
+down_revision = '95601446dbcc'
+
+from alembic import op
+import sqlalchemy as sa
+
+
+phase1_negotiation_modes = sa.Enum('main', 'aggressive',
+                                   name='ike_phase1_mode')
+
+
+def upgrade():
+    op.alter_column('ikepolicies', 'phase1_negotiation_mode',
+                    type_=phase1_negotiation_modes,
+                    existing_nullable=False)

neutron_vpnaas/db/vpn/vpn_models.py

@@ -75,7 +75,7 @@ class IKEPolicy(model_base.BASEV2, model_base.HasId, model_base.HasProject):
                                              "aes-256", "aes-192",
                                              name="vpn_encrypt_algorithms"),
                                      nullable=False)
-    phase1_negotiation_mode = sa.Column(sa.Enum("main",
+    phase1_negotiation_mode = sa.Column(sa.Enum("main", 'aggressive',
                                                 name="ike_phase1_mode"),
                                         nullable=False)
     lifetime_units = sa.Column(sa.Enum("seconds", "kilobytes",

neutron_vpnaas/extensions/vpnaas.py

@@ -194,7 +194,7 @@ vpn_supported_pfs = ['group2', 'group5', 'group14']
 vpn_supported_ike_versions = ['v1', 'v2']
 vpn_supported_auth_mode = ['psk']
 vpn_supported_auth_algorithms = ['sha1', 'sha256', 'sha384', 'sha512']
-vpn_supported_phase1_negotiation_mode = ['main']
+vpn_supported_phase1_negotiation_mode = ['main', 'aggressive']
 
 vpn_lifetime_limits = (60, validators.UNLIMITED)
 positive_int = (0, validators.UNLIMITED)

neutron_vpnaas/services/vpn/device_drivers/template/openswan/ipsec.conf.template

@@ -63,6 +63,9 @@ conn {{ipsec_site_connection.id}}
     ikev2={{ipsec_site_connection.ikepolicy.ike_version}}
     # [encryption_algorithm]-[auth_algorithm]-[pfs]
     ike={{ipsec_site_connection.ikepolicy.encryption_algorithm}}-{{ipsec_site_connection.ikepolicy.auth_algorithm}};{{ipsec_site_connection.ikepolicy.pfs}}
+    {% if ipsec_site_connection.ikepolicy.phase1_negotiation_mode == "aggressive" -%}
+    aggressive=yes
+    {% endif -%}
     # [lifetime_value]
     ikelifetime={{ipsec_site_connection.ikepolicy.lifetime_value}}s
     # NOTE: it looks lifetime_units=kilobytes can't be enforced (could be seconds,  hours,  days...)

neutron_vpnaas/services/vpn/device_drivers/template/strongswan/ipsec.conf.template

@@ -23,6 +23,9 @@ conn {{ipsec_site_connection.id}}
     dpdtimeout={{ipsec_site_connection.dpd_timeout}}s
     ike={{ipsec_site_connection.ikepolicy.encryption_algorithm}}-{{ipsec_site_connection.ikepolicy.auth_algorithm}}-{{ipsec_site_connection.ikepolicy.pfs}}
     ikelifetime={{ipsec_site_connection.ikepolicy.lifetime_value}}s
+    {%- if ipsec_site_connection.ikepolicy.phase1_negotiation_mode == "aggressive" %}
+    aggressive=yes
+    {%- endif %}
     {%- if ipsec_site_connection.ipsecpolicy.transform_protocol == "ah" %}
     ah={{ipsec_site_connection.ipsecpolicy.auth_algorithm}}-{{ipsec_site_connection.ipsecpolicy.pfs}}
     {%- else %}

neutron_vpnaas/tests/unit/db/vpn/test_vpn_db.py

@@ -512,6 +512,26 @@ class TestVpnaas(VPNPluginDbTestCase):
         with self.ikepolicy(name=name, description=description) as ikepolicy:
             self._check_policy(ikepolicy['ikepolicy'], keys, lifetime)
 
+    def test_create_ikepolicy_with_aggressive_mode(self):
+        """Test case to create an ikepolicy with aggressive mode."""
+        name = "ikepolicy1"
+        description = 'ipsec-ikepolicy'
+        mode = 'aggressive'
+        keys = [('name', name),
+                ('description', 'ipsec-ikepolicy'),
+                ('auth_algorithm', 'sha1'),
+                ('encryption_algorithm', 'aes-128'),
+                ('phase1_negotiation_mode', 'aggressive'),
+                ('ike_version', 'v1'),
+                ('pfs', 'group5'),
+                ('tenant_id', self._tenant_id)]
+        lifetime = {
+            'units': 'seconds',
+            'value': 3600}
+        with self.ikepolicy(name=name, description=description,
+                            phase1_negotiation_mode=mode) as ikepolicy:
+            self._check_policy(ikepolicy['ikepolicy'], keys, lifetime)
+
     def test_delete_ikepolicy(self):
         """Test case to delete an ikepolicy."""
         with self.ikepolicy(do_delete=False) as ikepolicy:
@@ -622,6 +642,30 @@ class TestVpnaas(VPNPluginDbTestCase):
             for k, v in keys:
                 self.assertEqual(res['ikepolicy'][k], v)
 
+    def test_update_ikepolicy_with_aggressive_mode(self):
+        """Test case to update an ikepolicy with aggressive mode."""
+        name = "new_ikepolicy1"
+        keys = [('name', name),
+                ('auth_algorithm', 'sha1'),
+                ('encryption_algorithm', 'aes-128'),
+                ('phase1_negotiation_mode', 'aggressive'),
+                ('ike_version', 'v1'),
+                ('pfs', 'group5'),
+                ('tenant_id', self._tenant_id),
+                ('lifetime', {'units': 'seconds',
+                              'value': 60})]
+        with self.ikepolicy(name=name) as ikepolicy:
+            data = {'ikepolicy': {'name': name,
+                                  'phase1_negotiation_mode': 'aggressive',
+                                  'lifetime': {'units': 'seconds',
+                                               'value': 60}}}
+            req = self.new_update_request("ikepolicies",
+                                          data,
+                                          ikepolicy['ikepolicy']['id'])
+            res = self.deserialize(self.fmt, req.get_response(self.ext_api))
+            for k, v in keys:
+                self.assertEqual(res['ikepolicy'][k], v)
+
     def test_create_ikepolicy_with_invalid_values(self):
         """Test case to test invalid values."""
         name = 'ikepolicy1'
@@ -643,7 +687,7 @@ class TestVpnaas(VPNPluginDbTestCase):
                                expected_res_status=400)
         self._create_ikepolicy(name=name,
                                fmt=self.fmt,
-                               phase1_negotiation_mode='aggressive',
+                               phase1_negotiation_mode='unsupported',
                                expected_res_status=400)
         self._create_ikepolicy(name=name,
                                fmt=self.fmt,

neutron_vpnaas/tests/unit/extensions/test_vpnaas.py

@@ -71,6 +71,35 @@ class VpnaasExtensionTestCase(base.ExtensionTestCase):
         self.assertIn('ikepolicy', res)
         self.assertDictSupersetOf(return_value, res['ikepolicy'])
 
+    def test_ikepolicy_create_with_aggressive_mode(self):
+        """Test case to create an ikepolicy with agressive mode."""
+        ikepolicy_id = _uuid()
+        data = {'ikepolicy': {'name': 'ikepolicy1',
+                              'description': 'myikepolicy1',
+                              'auth_algorithm': 'sha1',
+                              'encryption_algorithm': 'aes-128',
+                              'phase1_negotiation_mode': 'aggressive',
+                              'lifetime': {
+                                  'units': 'seconds',
+                                  'value': 3600},
+                              'ike_version': 'v1',
+                              'pfs': 'group5',
+                              'tenant_id': _uuid()}}
+
+        return_value = copy.copy(data['ikepolicy'])
+        return_value.update({'id': ikepolicy_id})
+
+        instance = self.plugin.return_value
+        instance.create_ikepolicy.return_value = return_value
+        res = self.api.post(_get_path('vpn/ikepolicies', fmt=self.fmt),
+                            self.serialize(data),
+                            content_type='application/%s' % self.fmt)
+        self.assertEqual(1, instance.create_ikepolicy.call_count)
+        self.assertEqual(exc.HTTPCreated.code, res.status_int)
+        res = self.deserialize(res)
+        self.assertIn('ikepolicy', res)
+        self.assertDictSupersetOf(return_value, res['ikepolicy'])
+
     def test_ikepolicy_list(self):
         """Test case to list all ikepolicies."""
         ikepolicy_id = _uuid()
@@ -122,6 +151,39 @@ class VpnaasExtensionTestCase(base.ExtensionTestCase):
         self.assertIn('ikepolicy', res)
         self.assertEqual(return_value, res['ikepolicy'])
 
+    def test_ikepolicy_update_with_aggressive_mode(self):
+        """Test case to update an ikepolicy with aggressive mode."""
+        ikepolicy_id = _uuid()
+        update_data = {'ikepolicy':
+                       {'name': 'ikepolicy1',
+                        'phase1_negotiation_mode': 'aggressive',
+                        'encryption_algorithm': 'aes-256'}}
+        return_value = {'name': 'ikepolicy1',
+                        'auth_algorithm': 'sha1',
+                        'encryption_algorithm': 'aes-256',
+                        'phase1_negotiation_mode': 'aggressive',
+                        'lifetime': {
+                            'units': 'seconds',
+                            'value': 3600},
+                        'ike_version': 'v1',
+                        'pfs': 'group5',
+                        'tenant_id': _uuid(),
+                        'id': ikepolicy_id}
+
+        instance = self.plugin.return_value
+        instance.update_ikepolicy.return_value = return_value
+
+        res = self.api.put(_get_path('vpn/ikepolicies', id=ikepolicy_id,
+                                     fmt=self.fmt),
+                           self.serialize(update_data))
+
+        instance.update_ikepolicy.assert_called_with(mock.ANY, ikepolicy_id,
+                                                     ikepolicy=update_data)
+        self.assertEqual(exc.HTTPOk.code, res.status_int)
+        res = self.deserialize(res)
+        self.assertIn('ikepolicy', res)
+        self.assertEqual(return_value, res['ikepolicy'])
+
     def test_ikepolicy_get(self):
         """Test case to get or show an ikepolicy."""
         ikepolicy_id = _uuid()

releasenotes/notes/add-aggressive-negotiation-mode-3d8fbcd843d003b7.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    The phase1 negotiation mode can use ``aggressive`` mode in VPNaaS
+    ikepolicy when using \*Swan drivers.