Currently VR is using openSwan ipsec vpn. This is an opensource ipsec vpn package that provides the Site-to-Site as well as Remote Access VPN in cloudstack VR.
This feature will replace OpenSwan ipsec with the StrongSwan ipsec vpn.
Features of strongswan over openswan is:
There are no use case changes w.r.t openswan ipsec.
Strongswan supports below vpn models as openswan.
VR template is installed with the StrongSwan U4.5.2 package.
After upgrade if there existing vpn tunnels then these tunnels works with opnswan ipsec untill the VR is upgraded.
Once the VR is upgraded existing/new vpn tunnel will use the strongswan ipsec tunnel.
For existing tunnels to come up strongswan ipsec daemon, VR needs to be upgraded.
...
Once the VRs are restarted, previously existing VPN connections will be broken. Once the VR rebooted successfully then VPN clients can re-establish the tunnels strongswan ipsec.
N/A
N/A
# Manual: ipsec.conf - strongSwan IPsec configuration file.5
version 2.0# basic configuration
config setup
charonstart plutodebug=yescontrol
plutostart=yes charonstart=noinclude /var/lib/strongswan/ipsec.conf.inc
include /etc/ipsec.d/*.conf
root@r-315-QA:/etc/ipsec.d# cat cat ipsec.vpn-10.147.52.205174.conf
#config file#vpn
conn vpn-10.147.52.205174
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
authby=secret
left=10.147.52.204173
leftsubnet=19210.16810.0.0/16
leftnexthop #leftid=10@10.147.52.1173
leftid=@moon
leftfirewall=yes
right=10.147.52.205174
rightsubnet=10.320.0.0/16
type=tunnel
authby=secret
keyexchange=ike
ike=3des-md5
ikelifetime=24h
esp=3des-md5
lifetime=1h
pfs=no
keyingtries=2
auto=add
#rightid=@10.147.52.174
rightid=@sun
auto=add
root@r-
5-QA:/etc/ipsec.d# cat /etc/ipsec.
#basic configuration
config setup
charonstart=yes
plutostart=yes
secrets
#include /var/lib/
openswan/ipsec.
secrets.inc
#include /etc/ipsec.d
root@r-33-QA:/etc/ipsec.d# cat ipsec.vpn-10.147.52.204.conf
#config file
conn vpn-10.147.52.204
left=10.147.52.205
leftsubnet=10.3.0.0/16
leftnexthop=10.147.52.1
right=10.147.52.204
rightsubnet=192.168.0.0/16
type=tunnel
authby=secret
keyexchange=ike
ike=3des-md5
ikelifetime=24h
esp=3des-md5
lifetime=1h
pfs=no
keyingtries=2
auto=add
/ipsec.*.secrets
@moon @sun : PSK "123456789"