IPSec strongswan driver implementation

Registered by Hua Zhang on 2014-06-09

Red Hat doesn't support strongSwan, but strongSwan is a supported VPN solution in main as of Ubuntu 14.04.
However, Neutron's VPNaaS uses openswan, so this blueprint will also implement a strongSwan driver similar to the openswan driver.

openswan is fairly similar to strongSwan in terms of configuration, looking at:
- neutron/services/vpn/device_drivers/ipsec.py

So:
 * We'd have to create a strongswan_opts based on openswan_opts.
 * Create a StrongSwanProcess class based on OpenSwanProcess (openswan uses 'pluto' and 'whack', while strongSwan uses 'charon' and 'stroke' respectively).
 * IPsecDriver._update_nat looks like it already sets the iptables rules that IPsec needs for strongSwan.

Actually, patchset 67 of https://review.openstack.org/#/c/33148/ is similar to this idea. Nachi, thanks for your effort; I will start from this patchset.

For the neutron-spec of this BP, please refer to https://blueprints.launchpad.net/neutron/+spec/ipsec-vpn-reference

Blueprint information

Status: Complete
Approver: Kyle Mestery
Priority: Medium
Drafter: Hua Zhang
Direction: Approved
Assignee: Hua Zhang
Definition: Approved
Series goal: Accepted for kilo
Implementation: Implemented
Milestone target: 2015.1.0
Started by: Kyle Mestery on 2014-12-18
Completed by: Kyle Mestery on 2015-03-17

Whiteboard

February-3 (mestery): Moving to Kilo-3. After discussion with pc_m, he was having trouble getting StrongSwan to work with Neutron VPNaaS.

December-18 (mestery): Kilo-2.

Gerrit topic: https://review.openstack.org/#q,topic:bp/ipsec-strongswan-driver,n,z

Addressed by: https://review.openstack.org/100791 (Abandoned)
    IPsec strongswan driver implemention

Addressed by: https://review.openstack.org/101457 (Merged)
    IPSec Strongswan Driver

Addressed by: https://review.openstack.org/144388 (Abandoned)
    netns wrapper

Addressed by: https://review.openstack.org/144391 (Merged)
    IPsec strongswan driver implemention

Addressed by: https://review.openstack.org/146508 (Merged)
    netns wrapper

Addressed by: https://review.openstack.org/149460 (Abandoned)
    Add functional tests for strongSwan driver

Addressed by: https://review.openstack.org/153191 (Abandoned)
    Sometimes vpnservice's status can't be updated

Addressed by: https://review.openstack.org/158560
    Functional tests of ipsec strongswan vpnaas driver

Gerrit topic: https://review.openstack.org/#q,topic:bug/1430100,n,z
