This patch implements a strongSwan driver for VPNaaS. The initial effort
only supports strongSwan >= 5.x and implements an equivalent PSK
net-to-net VPN service, as the openSwan driver did, based on the
recommended configuration.
Implements blueprint ipsec-strongswan-driver
DocImpact
a, StrongSwan and openSwan cannot be installed at the same time.
Thus, they cannot both be enabled for use. In the future, when
flavors/STF support is available, this will still constrain
the flavors which can be used together.
b, Add StrongSwanDriver to the file /etc/neutron/vpn_agent.ini:
vpn_device_driver=neutron.services.vpn.device_drivers \
.strongswan_ipsec.StrongSwanDriver
c, AppArmor can interfere with both the creation of tunnels and
established tunnels, because it controls access to operating
system resources. Thus we can use the commands below to remove the
AppArmor definitions from the kernel:
sudo apparmor_parser -R usr.lib.ipsec.charon
sudo apparmor_parser -R usr.lib.ipsec.stroke
However, what we are seeing is that even though we disable the
profiles for charon and stroke, AppArmor is re-enabling them
(at unknown times). As a result, we can directly disable them
with the following commands:
sudo ln -s /etc/apparmor.d/usr.lib.ipsec.charon \
/etc/apparmor.d/disable/
sudo ln -s /etc/apparmor.d/usr.lib.ipsec.stroke \
/etc/apparmor.d/disable/
sudo service apparmor restart
In a word, you need to take care of your AppArmor configuration.
d, Supports Ubuntu only. A separate commit will address Fedora.
e, Other steps are the same as with the existing openSwan driver.
This patch is based on patchset 67 of nachi's initial VPNaaS
implementation; many thanks to nachi.
Change-Id: Ia3eb10a9103bdceb2a29f2372b410b946f3a89cc
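Because item c above deliberately removes AppArmor confinement from charon and stroke on the VPN agent host, an operator will want to verify that state rather than assume it. The following added check script is not part of this change or of the strongSwan project; it assumes the Ubuntu layout (profiles in /etc/apparmor.d, disabled profiles symlinked under /etc/apparmor.d/disable, loaded profiles listed in /sys/kernel/security/apparmor/profiles as "/path/to/binary (mode)"), with all paths overridable for testing.

```shell
#!/bin/sh
# Verify that the charon and stroke AppArmor profiles are really disabled.
# Paths and the profile-list format are assumptions (see lead-in).

# apparmor_profile_disabled PROFILE [APPARMOR_D] [PROFILES_LIST]
# Returns 0 only if the disable/ symlink exists for PROFILE and the kernel
# does not still list the corresponding binary as a loaded profile.
apparmor_profile_disabled() {
    profile="$1"                                  # e.g. usr.lib.ipsec.charon
    apparmor_d="${2:-/etc/apparmor.d}"
    profiles_list="${3:-/sys/kernel/security/apparmor/profiles}"

    # 1. The disable/ symlink must exist and point at the real profile file.
    link="$apparmor_d/disable/$profile"
    [ -L "$link" ] || return 1
    target=$(readlink "$link")
    [ "$(basename "$target")" = "$profile" ] || return 1

    # 2. The kernel must not still have the profile loaded. Profile names in
    #    the list are binary paths, so usr.lib.ipsec.charon -> /usr/lib/ipsec/charon.
    binary="/$(printf '%s' "$profile" | tr '.' '/')"
    if [ -r "$profiles_list" ] && grep -q "^$binary " "$profiles_list"; then
        return 1
    fi
    return 0
}

# check_strongswan_apparmor [APPARMOR_D] [PROFILES_LIST]
# Checks both profiles named in the commit message; returns 1 if any is active.
check_strongswan_apparmor() {
    rc=0
    for p in usr.lib.ipsec.charon usr.lib.ipsec.stroke; do
        if apparmor_profile_disabled "$p" "$@"; then
            echo "$p: disabled"
        else
            echo "$p: still active or not disabled"
            rc=1
        fi
    done
    return $rc
}

# Run against the live host only when invoked as: sh check.sh --live
if [ "${1:-}" = "--live" ]; then check_strongswan_apparmor; fi
```

A non-zero exit from the live run means the symlink step or the AppArmor restart did not take effect and the profile may be re-enforced.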