diff --git a/manifests/agents/vpnaas.pp b/manifests/agents/vpnaas.pp
index 5a0779265..b2661847d 100644
--- a/manifests/agents/vpnaas.pp
+++ b/manifests/agents/vpnaas.pp
@@ -94,11 +94,9 @@ openswan package in distributions")
     'DEFAULT/interface_driver':          value => $interface_driver;
   }
 
-  if $::neutron::params::vpnaas_agent_package {
-    ensure_resource( 'package', 'neutron-vpnaas-agent', {
-      'ensure' => $package_ensure,
-      'name'   => $::neutron::params::vpnaas_agent_package,
-      'tag'    => ['openstack', 'neutron-package'],
-    })
-  }
+  ensure_packages( 'neutron-vpnaas-agent', {
+    'ensure' => $package_ensure,
+    'name'   => $::neutron::params::vpnaas_agent_package,
+    'tag'    => ['openstack', 'neutron-package'],
+  })
 }
diff --git a/manifests/config.pp b/manifests/config.pp
index 338bcdf7b..437290610 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -72,6 +72,9 @@
 # [*vpnaas_agent_config*]
 #   (optional) Manage configuration of vpn_agent.ini
 #
+# [*vpnaas_service_config*]
+#   (optional) Manage configuration of neutron_vpnaas.conf
+#
 # [*bgp_dragent_config*]
 #   (optional) Manage configuration of bgp_dragent.ini
 #
@@ -110,6 +113,7 @@ class neutron::config (
   Hash $ovn_metadata_agent_config     = {},
   Hash $metering_agent_config         = {},
   Hash $vpnaas_agent_config           = {},
+  Hash $vpnaas_service_config         = {},
   Hash $bgp_dragent_config            = {},
   Hash $plugin_opencontrail_config    = {},
   Hash $plugin_ml2_config             = {},
@@ -149,6 +153,7 @@ class neutron::config (
   create_resources('ovn_metadata_agent_config', $ovn_metadata_agent_config)
   create_resources('neutron_metering_agent_config', $metering_agent_config)
   create_resources('neutron_vpnaas_agent_config', $vpnaas_agent_config)
+  create_resources('neutron_vpnaas_service_config', $vpnaas_service_config)
   create_resources('neutron_bgp_dragent_config', $bgp_dragent_config)
   create_resources('neutron_plugin_opencontrail', $plugin_opencontrail_config)
   create_resources('neutron_plugin_ml2', $plugin_ml2_config)
diff --git a/manifests/services/vpnaas.pp b/manifests/services/vpnaas.pp
new file mode 100644
index 000000000..a102e18bc
--- /dev/null
+++ b/manifests/services/vpnaas.pp
@@ -0,0 +1,68 @@
+# This class installs and configures vpnaas Neutron Plugin.
+#
+# === Parameters
+#
+# [*package_ensure*]
+#   (optional) Ensure state for package.
+#   Defaults to 'present'.
+#
+# [*service_providers*]
+#   (optional) Array of allowed service types includes vpnaas
+#   Must be in form: <service_type>:<name>:<driver>[:default]
+#   Defaults to $facts['os_service_default']
+#
+# [*sync_db*]
+#   Whether 'neutron-db-manage' should run to create and/or synchronize the
+#   database with neutron-vpnaas specific tables.
+#   Default to false
+#
+# [*purge_config*]
+#   (optional) Whether to set only the specified config options
+#   in the vpnaas config.
+#   Defaults to false.
+#
+class neutron::services::vpnaas (
+  $package_ensure       = 'present',
+  $service_providers    = $facts['os_service_default'],
+  Boolean $sync_db      = false,
+  Boolean $purge_config = false,
+) {
+
+  include neutron::deps
+  include neutron::params
+
+  ensure_packages( 'neutron-vpnaas-agent', {
+    'ensure' => $package_ensure,
+    'name'   => $::neutron::params::vpnaas_agent_package,
+    'tag'    => ['openstack', 'neutron-package'],
+  })
+
+  resources { 'neutron_vpnaas_service_config':
+    purge => $purge_config,
+  }
+
+  if is_service_default($service_providers) {
+    $service_providers_real = 'VPN:openswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default'
+  } else {
+    $service_providers_real = $service_providers
+  }
+
+  neutron_vpnaas_service_config {
+    'service_providers/service_provider': value => $service_providers_real;
+  }
+
+  if $sync_db {
+    exec { 'vpnaas-db-sync':
+      command     => 'neutron-db-manage --config-file /etc/neutron/neutron.conf --subproject neutron-vpnaas upgrade head',
+      path        => '/usr/bin',
+      user        => $::neutron::params::user,
+      subscribe   => [
+        Anchor['neutron::install::end'],
+        Anchor['neutron::config::end'],
+        Anchor['neutron::dbsync::begin']
+      ],
+      notify      => Anchor['neutron::dbsync::end'],
+      refreshonly => true
+    }
+  }
+}
diff --git a/releasenotes/notes/vpnaas-service-7324f6b62e828853.yaml b/releasenotes/notes/vpnaas-service-7324f6b62e828853.yaml
new file mode 100644
index 000000000..0c5955e91
--- /dev/null
+++ b/releasenotes/notes/vpnaas-service-7324f6b62e828853.yaml
@@ -0,0 +1,10 @@
+---
+features:
+  - |
+    The new ``neutron::services::vpnaas`` class has been added. This class
+    installs and manages neutron VPNaaS service plugin.
+
+  - |
+    The new ``neutron::config::neutron_vpnaas_service_config`` parameter has
+    been added. This parameter can be used to inject arbitrary configurations
+    for neutron VPNaaS service plugin.
diff --git a/spec/classes/neutron_agents_vpnaas_spec.rb b/spec/classes/neutron_agents_vpnaas_spec.rb
index 4c4eb505a..16c514c24 100644
--- a/spec/classes/neutron_agents_vpnaas_spec.rb
+++ b/spec/classes/neutron_agents_vpnaas_spec.rb
@@ -43,7 +43,7 @@ describe 'neutron::agents::vpnaas' do
 
       it 'installs neutron vpnaas agent package' do
         should contain_package('neutron-vpnaas-agent').with(
-          :ensure => 'present',
+          :ensure => 'installed',
           :name   => platform_params[:vpnaas_agent_package],
           :tag    => ['openstack', 'neutron-package'],
         )
diff --git a/spec/classes/neutron_config_spec.rb b/spec/classes/neutron_config_spec.rb
index 53112e92e..a18573c24 100644
--- a/spec/classes/neutron_config_spec.rb
+++ b/spec/classes/neutron_config_spec.rb
@@ -66,6 +66,7 @@ describe 'neutron::config' do
         :metadata_agent_config    => config_hash,
         :metering_agent_config    => config_hash,
         :vpnaas_agent_config      => config_hash,
+        :vpnaas_service_config    => config_hash,
         :l2gw_agent_config        => config_hash,
         :bgp_dragent_config       => config_hash,
       }
@@ -131,6 +132,12 @@ describe 'neutron::config' do
       should contain_neutron_vpnaas_agent_config('DEFAULT/baz').with_ensure('absent')
     end
 
+    it 'configures arbitrary vpnaas_service_config configurations' do
+      should contain_neutron_vpnaas_service_config('DEFAULT/foo').with_value('fooValue')
+      should contain_neutron_vpnaas_service_config('DEFAULT/bar').with_value('barValue')
+      should contain_neutron_vpnaas_service_config('DEFAULT/baz').with_ensure('absent')
+    end
+
     it 'configures arbitrary l2gw_agent_config configurations' do
       should contain_neutron_l2gw_agent_config('DEFAULT/foo').with_value('fooValue')
       should contain_neutron_l2gw_agent_config('DEFAULT/bar').with_value('barValue')
diff --git a/spec/classes/neutron_services_vpnaas_spec.rb b/spec/classes/neutron_services_vpnaas_spec.rb
new file mode 100644
index 000000000..33218da28
--- /dev/null
+++ b/spec/classes/neutron_services_vpnaas_spec.rb
@@ -0,0 +1,83 @@
+require 'spec_helper'
+
+describe 'neutron::services::vpnaas' do
+
+  shared_examples 'neutron vpnaas service plugin' do
+    context 'with default params' do
+      it 'installs vpnaas package' do
+        should contain_package('neutron-vpnaas-agent').with(
+          :ensure => 'installed',
+          :name   => platform_params[:vpnaas_agent_package_name]
+        )
+      end
+
+      it 'configures neutron_vpnaas.conf' do
+        should contain_neutron_vpnaas_service_config(
+          'service_providers/service_provider'
+        ).with_value(
+          'VPN:openswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default'
+        )
+      end
+
+      it 'does not run neutron-db-manage' do
+        should_not contain_exec('vpnaas-db-sync')
+      end
+    end
+
+    context 'with db sync enabled' do
+      let :params do
+        {
+          :sync_db => true
+        }
+      end
+
+      it 'runs neutron-db-manage' do
+        should contain_exec('vpnaas-db-sync').with(
+          :command     => 'neutron-db-manage --config-file /etc/neutron/neutron.conf --subproject neutron-vpnaas upgrade head',
+          :path        => '/usr/bin',
+          :user        => 'neutron',
+          :subscribe   => ['Anchor[neutron::install::end]',
+                           'Anchor[neutron::config::end]',
+                           'Anchor[neutron::dbsync::begin]'
+                           ],
+          :notify      => 'Anchor[neutron::dbsync::end]',
+          :refreshonly => 'true',
+        )
+      end
+    end
+
+    context 'with multiple service providers' do
+      let :params do
+        {
+          :service_providers => ['provider1', 'provider2']
+        }
+      end
+
+      it 'configures neutron_vpnaas.conf' do
+        should contain_neutron_vpnaas_service_config(
+          'service_providers/service_provider'
+        ).with_value(['provider1', 'provider2'])
+      end
+    end
+  end
+
+  on_supported_os({
+    :supported_os   => OSDefaults.get_supported_os
+  }).each do |os,facts|
+    context "on #{os}" do
+      let (:facts) do
+        facts.merge(OSDefaults.get_facts())
+      end
+
+      let (:platform_params) do
+        case facts[:os]['family']
+        when 'Debian'
+          { :vpnaas_agent_package_name => 'python3-neutron-vpnaas' }
+        when 'RedHat'
+          { :vpnaas_agent_package_name => 'openstack-neutron-vpnaas' }
+        end
+      end
+      it_behaves_like 'neutron vpnaas service plugin'
+    end
+  end
+end