Comment 13 for bug 1938571

Bodo Petermann (bpetermann) wrote:

The current implementation in neutron-vpnaas does use network namespaces to run pluto in: one namespace per router and one pluto per router in that namespace. So if there are multiple routers, there will be multiple plutos, separated by namespaces. The whack commands are executed in a wrapper that runs them in the namespace, with bind-mounted /etc and /run. This way an ipsec whack --shutdown should only shut down the one pluto in the per-router namespace.

If the deployment uses ML2/OVS, the namespace will be the one created for the router and pluto will be started by the L3 agent, where vpnaas is loaded as an extension. For the to-be-released ML2/OVN implementation there is no L3 agent; instead a stand-alone VPN agent will take responsibility for creating the namespace (again: per router id).
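The wrapper mechanism described in the comment above, as an added illustration in Python (this is not neutron-vpnaas's own wrapper code; the namespace naming qrouter-<router_id>, the state directory /var/lib/neutron/ipsec/<router_id>/{etc,run}, and the function names are assumptions made for the example). It builds the argv that runs an ipsec whack command inside the router's network namespace with that router's /etc and /run bind-mounted over the host paths, so the --shutdown reaches only that router's pluto. The bind mounts stay scoped because ip netns exec already unshares the mount namespace for the command it runs.

```python
import os
import shlex
import subprocess

# Assumed per-router state directory; each router gets its own etc/ and run/
# so pluto sees its own ipsec.conf, secrets and control socket.
VPN_STATE_DIR = "/var/lib/neutron/ipsec"


def router_namespace(router_id):
    """Namespace name for a router (assumed qrouter-<id>, the L3-agent scheme;
    the stand-alone OVN VPN agent is assumed to use the same per-router naming)."""
    return "qrouter-%s" % router_id


def bind_mounts(router_id, base=VPN_STATE_DIR):
    """(source, target) pairs: the router's private etc/ and run/ are mounted
    over /etc and /run inside the command's mount namespace."""
    root = os.path.join(base, router_id)
    return [
        (os.path.join(root, "etc"), "/etc"),
        (os.path.join(root, "run"), "/run"),
    ]


def wrapped_command(router_id, cmd, base=VPN_STATE_DIR):
    """Build the argv of the wrapper.

    ip netns exec switches to the router's network namespace and gives the
    child a private mount namespace, so the bind mounts below do not leak to
    the host or to other routers' wrappers. The inner shell mounts the
    per-router directories and then execs the real command.
    """
    mounts = " && ".join(
        "mount --bind %s %s" % (shlex.quote(src), shlex.quote(dst))
        for src, dst in bind_mounts(router_id, base)
    )
    inner = "%s && exec %s" % (mounts, " ".join(shlex.quote(c) for c in cmd))
    return ["ip", "netns", "exec", router_namespace(router_id), "sh", "-c", inner]


def run_in_router(router_id, cmd, dry_run=True):
    """Return the argv (dry run) or execute it (needs root and the namespace)."""
    argv = wrapped_command(router_id, cmd)
    if dry_run:
        return argv
    return subprocess.run(argv, check=True).returncode


def shutdown_pluto(router_id, dry_run=True):
    """ipsec whack --shutdown scoped to one router's pluto: because /run is the
    router's own run/, whack talks to that pluto's control socket only."""
    return run_in_router(router_id, ["ipsec", "whack", "--shutdown"], dry_run)


if __name__ == "__main__":
    # Constructed router id; dry run prints the command instead of running it.
    print(" ".join(shlex.quote(a) for a in shutdown_pluto("0f1e2d3c")))
```

Running the module prints the wrapper command for a constructed router id; with dry_run=False it would need root and an existing qrouter namespace.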