Comment 5 for bug 1301418

Shannon McFarland (shmcfarl) wrote :

Major progress. I have a working VPN again. So a few things.

1) You absolutely have to have the rootwrap section in there:
/etc/neutron/rootwrap.d/vpnaas.filters
[Filters]
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
openswan: CommandFilter, ipsec, root

2) You absolutely need to have the interface driver in the vpn_agent.ini file. As I read the dev documentation (and I think you pointed this out also, Mark), this file 'should' inherit the l3_agent.ini config, which has the interface driver defined, but the log yells about it missing, and when I add the driver line to the file the log completely cleans up and I have a working config again (with the below additions as well):
/etc/neutron/vpn_agent.ini
[DEFAULT]
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver

3) As we have already discussed, we need the service_plugins (COI does this) AND the service_providers (COI does not add this in Havana):
/etc/neutron/neutron.conf
service_plugins = neutron.services.loadbalancer.plugin.LoadBalancerPlugin,neutron.services.firewall.fwaas_plugin.FirewallPlugin,neutron.services.vpn.plugin.VPNDriverPlugin

service_provider = LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
service_provider = VPN:Vpn:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default

With this setup I can create/destroy my VPNs and instances multiple times and have a clean test.

Of course I can't reboot any of my nodes due to https://bugs.launchpad.net/bugs/1292107
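
Added example, not part of the comment above and not Neutron project code: a small checker that reports which of the three settings listed in the comment are missing from a node's files. The names `parse_multi` and `check_vpnaas` are hypothetical, the sample strings are constructed from the values quoted above, and section headers are ignored as a simplifying assumption.

```python
import re

# Values required by the three settings quoted in the comment above.
FILTERS = {"ip": "IpFilter,ip,root", "ip_exec": "IpNetnsExecFilter,ip,root",
           "openswan": "CommandFilter,ipsec,root"}
VPN_PLUGIN = "neutron.services.vpn.plugin.VPNDriverPlugin"
VPN_PROVIDER = "VPN:Vpn:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default"

def parse_multi(text):
    """Return {key: [values]} for INI-style text, keeping repeated keys.

    Section headers are skipped. service_provider is repeated, which a strict
    configparser rejects and a lenient one silently overwrites.
    """
    opts = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;[":
            continue
        m = re.match(r"([^:=\s]+)\s*[:=]\s*(.*)$", line)
        if m:
            opts.setdefault(m.group(1), []).append(m.group(2).strip())
    return opts

def check_vpnaas(neutron_conf, vpn_agent_ini, vpnaas_filters):
    """Return a list of missing settings; an empty list means all are present."""
    problems = []
    got = parse_multi(vpnaas_filters)
    for name, want in FILTERS.items():
        if want not in [v.replace(" ", "") for v in got.get(name, [])]:
            problems.append("vpnaas.filters: " + name)
    if not any(parse_multi(vpn_agent_ini).get("interface_driver", [])):
        problems.append("vpn_agent.ini: interface_driver")
    conf = parse_multi(neutron_conf)
    plugins = [p.strip() for v in conf.get("service_plugins", []) for p in v.split(",")]
    if VPN_PLUGIN not in plugins:
        problems.append("neutron.conf: service_plugins (VPN)")
    if VPN_PROVIDER not in conf.get("service_provider", []):
        problems.append("neutron.conf: service_provider (VPN)")
    return problems

# Constructed sample input built from the values in the comment.
SAMPLE_FILTERS = "[Filters]\nip: IpFilter, ip, root\nip_exec: IpNetnsExecFilter, ip, root\nopenswan: CommandFilter, ipsec, root\n"
SAMPLE_AGENT = "[DEFAULT]\ninterface_driver = neutron.agent.linux.interface.OVSInterfaceDriver\n"
SAMPLE_NEUTRON = ("service_plugins =neutron.services.firewall.fwaas_plugin.FirewallPlugin,"
                  + VPN_PLUGIN + "\nservice_provider=LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default\n"
                  "service_provider = " + VPN_PROVIDER + "\n")

if __name__ == "__main__":
    print(check_vpnaas(SAMPLE_NEUTRON, SAMPLE_AGENT, SAMPLE_FILTERS) or "all settings present")
```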