[openstack-dev] [Neutron][VPNaaS] Supporting OpenSwan or StrongSwan or Both?

Paul Michali pcm at cisco.com
Tue Aug 20 13:17:16 UTC 2013


Was the original reasoning to use StrongSwan over OpenSwan, only because of community support? I vaguely recall something mentioned about StrongSwan having additional capabilities or something. Can anyone confirm?

As far as which option, it sounds like B or C-2 are the better choices, just because of the RHEL support. The two are very similar (from an end-user standpoint), so the added doc/help shouldn't be too bad. From a  code perspective, much of the code can be shared, so the added testing requirements should also be minimal.

The only point to make about C-2 is it requires us to either take the extra time now to support multiple drivers (we will have to eventually - I'll be working on one), or do a refactoring later to support a hierarchy of drivers. I brought that point up in the review of the reference driver, and Nachi and I talked about this a bit yesterday. We both agreed that we could do the refactoring later, to support drivers that are different than the Swan family.

Related to that, I did have some question about multiple drivers...

How do we handle the case where the drivers support different capabilities? For example, say one driver supports an encryption mode that the other does not.

Can we reject unsupported capabilities at configuration time? That seems cleaner, but I'm wondering how that would be done (I know we'll specify the provider, but wondering how we'll invoke driver specific verification routines - do we have that mechanism defined?).

Regards,

PCM (Paul Michali)

MAIL pcm at cisco.com
IRC   pcm_  (irc.freenode.net)
TW   @pmichali

On Aug 19, 2013, at 6:15 PM, Nachi Ueno <nachi at ntti3.com> wrote:

> Hi folks
> 
> I would like to discuss whether supporting OpenSwan or StrongSwan or Both for
> ipsec driver?
> 
> We choose StrongSwan because of the community is active and plenty of docs.
> However It looks like RHEL is only supporting OpenSwan.
> 
> so we should choose
> 
> (A) Support StrongSwan
> (B) Support OpenSwan
> (C) Support both
>   (C-1) Make StrongSwan default
>   (C-2) Make OpenSwan default
> 
> Actually, I'm working on C-2.
> The patch is still WIP https://review.openstack.org/#/c/42264/
> 
> Besides the patch is small, supporting two driver may burden
> in H3 including docs or additional help.
> IMO, this is also a valid comment.
> 
> Best
> Nachi
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130820/cdbe3619/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130820/cdbe3619/attachment.pgp>


More information about the OpenStack-dev mailing list