5b48852aaa
LibreSwan 3.19 introduces a new commandline argument '--nssdir' for
pluto which defaults to '/etc/ipsec.d'. As older versions don't
understand such an option, we cannot just add it to the commandline.

The commandline arguments of LibreSwan are not stable enough to rely on.
For example, in 3.19, 'ipsec initnss' has the new argument '--nssdir',
and in 3.20, 'ipsec pluto' also gets this new argument '--nssdir', then
in 3.22, the argument '--ctlbase' is phased out.

In this commit, instead of trying new options and then falling back to
old ones for older versions, the bind-mount method used in the StrongSwan
driver is adopted. With /etc and /var/run bind mounted, all the
commandline arguments related to configuration file places can be
removed. This ensures that changes of such arguments between different
versions won't bother us, as the default places are always used.

This commit also replaces 'auth=' by 'phase2=' in the configuration
template as the former has long been an alias of the latter and was
removed in LibreSwan 3.19.

The virtual-private argument of 'ipsec pluto' has been put into the
configuration file to avoid commas (,) in the commandline so that the
netns_wrapper can work well.

This commit has been simply tested on CentOS 7.4 with the following
versions of LibreSwan provided by the CentOS repo:
- libreswan-3.12-5.el7.x86_64.rpm
- libreswan-3.12-10.1.el7_1.x86_64.rpm
- libreswan-3.15-5.el7_1.x86_64.rpm
- libreswan-3.15-8.el7.x86_64.rpm
- libreswan-3.20-3.el7.x86_64.rpm
- libreswan-3.20-5.el7_4.x86_64.rpm
and different versions of LibreSwan provided by libreswan.org[1]:
[1] https://download.libreswan.org/binaries/rhel/7/x86_64/
Conflicts:
.zuul.yaml
neutron_vpnaas/tests/tempest/scenario/test_vpnaas.py
neutron_vpnaas/tests/unit/services/vpn/device_drivers/test_ipsec.py
Change-Id: Iacb6f13187b49cf771f0c24662d6af9217c211b8
Closes-Bug: #1711456
Closes-Bug: #1782337
(cherry picked from commit

- neutron/rootwrap.d
- oslo-config-generator
- README.txt

README.txt
To generate the sample neutron VPNaaS configuration files, run the following
command from the top level of the neutron VPNaaS directory:

tox -e genconfig

If a 'tox' environment is unavailable, then you can run the following script
instead to generate the configuration files:

./tools/generate_config_file_samples.sh