Page History

Introduction

Currently VR is using openSwan ipsec vpn. This is an opensource ipsec vpn package that provides the Site-to-Site as well as Remote Access VPN in cloudstack VR.

This feature will replace OpenSwan ipsec with the StrongSwan ipsec vpn.

Motivation

Features of strongswan over openswan is:

1. Openswan is currently not maintained.  Strongswan project is maintained by debian. 
2. Strongswan ipsec supports the latest version  of OS X clients.

Ticket

Use cases:

There are no use case changes w.r.t openswan ipsec.

Strongswan ipsec vpn configurations

Strongswan supports below vpn models as openswan.

1. Remote access VPN (isolated network and VPC )
2. Site to Site VPN (VPC).

Template changes:

Installing the StrongSwan

VR template is installed with the StrongSwan U4.5.2 package.

1. VRs deployed in cloudstack version will be come with the new template which is having strongswan.
2. If there are already VRs running, on reboot from cloudstack will pick up the new template.
   
   

Upgrade:

After upgrade if there existing vpn tunnels then these tunnels works with opnswan ipsec untill the VR is upgraded.

Once the VR is upgraded existing/new vpn tunnel will use the strongswan ipsec tunnel.

Bring up pre upgrade vpn tunnels with strongswan

For existing tunnels to come up strongswan ipsec daemon, VR needs to be upgraded.

...

Once the VRs are restarted, previously existing VPN connections will be broken. Once the VR rebooted successfully  then VPN clients can re-establish the tunnels strongswan ipsec.

UI

N/A

API

N/A

Configuration examples

Remote access VPN: