[VPNaas] Libreswan driver support in VPNaaS

Libreswan will be compiled with NSS by default.
when 'ipsec pluto' is called, it checks for NSS db. If NSS db is not initialised, it fails.
So VPNaaS should create NSS db before calling ipsec pluto(for Libreswan implementation) .

ipsec initnss /opt/stack/data/neutron/ipsec/250faac2-167b-4861-9d0c-b5710bf02ee2/etc/pki/nssdb/

then run pluto by specifying this etc/pki/nssdb/ as --ipsecdir
ipsec pluto --ipsecdir /opt/stack/data/neutron/ipsec/250faac2-167b-4861-9d0c-b5710bf02ee2/etc/pki/nssdb

Openstack supports OpenSwan specifically, and I don't think there has been much checking at all with Libreswan (and with Fedora for that matter). I can suggest two things...

1) A Libreswan driver could be developed that would do the different provisioning needed for IPsec connections. It could be a subclass of the OpenSwan driver.

2) Adapt the newly added StrongSwan driver, to work under Fedora. This driver has been added in Kilo, with support under Ubuntu, but some modifications are needed for running this under Fedora. There is a bug for that (https://bugs.launchpad.net/neutron/+bug/1441788).

Thanks Paul.

Both 1 and 2 are needed.

As Fedora supports both stronswan and openswan(Libreswan version)
So for openstack running on fedora, if user wanted to run openswan, Libreswan driver in neutron VPNaaS will be selected. I will try this(your suggestion 1) for this patch.
Openstack running on Fedora, if user wanted strongswan, your other bug((https://bugs.launchpad.net/neutron/+bug/1441788) will take care of that.

Fix proposed to branch: master
Review: https://review.openstack.org/174299

Just to cross reference, bug 1444776 and 1441788 address adding StrongSwan support for Fedora (item #2 mentioned in post 2).

Reviewed: https://review.openstack.org/174299
Committed: https://git.openstack.org/cgit/openstack/neutron-vpnaas/commit/?id=72e1f670fdca2138aa85703cb96eac473f6fb811
Submitter: Jenkins
Branch: master

commit 72e1f670fdca2138aa85703cb96eac473f6fb811
Author: venkata anil <email address hidden>
Date: Sun May 3 10:27:12 2015 +0000

    Libreswan driver support in VPNaaS

    VPNaas is not working on Fedora/centos devstack.
    Fedora/centos uses Libreswan(fork of the Openswan IPSEC VPN) for ipsec.

    Libreswan needs nssdb to be initialised before
    'ipsec pluto' command, otherwise pluto daemon will fail to run

    Change-Id: I54558208b2aaa82bda09c0db96042d236eceba69
    Closes-bug: #1444017

I think this driver should back port to kilo branch. Since in rhel7, there is no available vpnaas driver now. As far as I have tested, only this driver and fedorastrongswan driver can support rhel7 in kilo.

sure, I will do that now, Thanks Wei Hu.

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/185519

Reviewed: https://review.openstack.org/185519
Committed: https://git.openstack.org/cgit/openstack/neutron-vpnaas/commit/?id=5cc06138332a06334fa1d4fa28e71c59d58f8aca
Submitter: Jenkins
Branch: stable/kilo

commit 5cc06138332a06334fa1d4fa28e71c59d58f8aca
Author: venkata anil <email address hidden>
Date: Sun May 3 10:27:12 2015 +0000

    Libreswan driver support in VPNaaS

    VPNaas is not working on Fedora/centos devstack.
    Fedora/centos uses Libreswan(fork of the Openswan IPSEC VPN) for ipsec.

    Libreswan needs nssdb to be initialised before
    'ipsec pluto' command, otherwise pluto daemon will fail to run

    (cherry picked from commit 72e1f670fdca2138aa85703cb96eac473f6fb811)
    Change-Id: I54558208b2aaa82bda09c0db96042d236eceba69
    Closes-bug: #1444017
    Resolves rhbz: 1213148
    Upstream-Liberty: https://review.openstack.org/#/c/174299/