[openstack-dev] VPNaaS

Eleouet Francois f.eleouet at gmail.com
Tue May 28 16:37:46 UTC 2013


> I think you want to test $file, right?

Yes, sorry for that, I shouldn't have added it as it was meaningless for
the example.

> Does sound like we want to use Strongswan, if at all possible. This sounds like it'll do that, huh?

In my opinion, it would be better regarding its documentation and support.

The only concern is about strongswan requiring some extra information in
/etc or /var/run (as it will only see its own files in it). It isn't a
problem for the current use case, but it may be required for some extra
plugin we may want to use in the future (lots of may...)

By the way, I tested it against an actual quantum router deployment; it
works fine but requires some extra tricks: we have to insert iptables
rules for traffic to be correctly encrypted. Strongswan is able to insert
its own filter rules using the "leftfirewall" parameter. Anyway, it doesn't
manage NAT rules, so IPsec traffic from VMs won't cross the router until
we add this kind of iptables rule:

iptables -t nat -I POSTROUTING -s local_cidr -d peer_cidr -m policy \
--dir out --pol ipsec --reqid 16384 --proto 50 -j ACCEPT

Strongswan can set it automatically if we provide it with a custom _updown
script (using "leftupdown" parameter). IptablesManager could also be an
option (reqid is also configurable).

Note: this extra driver complexity is probably not specific to strongswan,
it's probably the same in openswan (not tested).

Francois.
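An _updown script of the kind described in the post, as an added example that is not from the original message or from the strongSwan project. It assumes strongSwan's PLUTO_VERB, PLUTO_MY_CLIENT, PLUTO_PEER_CLIENT and PLUTO_REQID environment variables and a hypothetical nat_bypass_rule helper; the IPTABLES override lets it be dry-run without root.

```shell
#!/bin/sh
# Hypothetical strongSwan "leftupdown" script (added example, not the original
# post's or strongSwan's code). charon invokes it with PLUTO_* variables set;
# on up-client we insert a POSTROUTING rule that exempts IPsec-bound traffic
# from SNAT, on down-client we delete it again.

IPTABLES=${IPTABLES:-iptables}   # set IPTABLES to a shell function for a dry run

# nat_bypass_rule VERB LOCAL_CIDR PEER_CIDR REQID
# Runs the iptables command for the given verb; does nothing for other verbs.
nat_bypass_rule() {
    verb=$1 local_cidr=$2 peer_cidr=$3 reqid=$4
    case "$verb" in
        up-client|up-client-v6)     action=-I ;;   # insert at top, before the SNAT rule
        down-client|down-client-v6) action=-D ;;
        *) return 0 ;;                             # up-host/down-host: nothing to do
    esac
    # --proto esp is protocol 50, as in the rule quoted in the post
    "$IPTABLES" -t nat "$action" POSTROUTING -s "$local_cidr" -d "$peer_cidr" \
        -m policy --dir out --pol ipsec --reqid "$reqid" --proto esp -j ACCEPT
}

# Entry point when invoked by charon (PLUTO_VERB is set only in that case).
if [ -n "${PLUTO_VERB:-}" ]; then
    nat_bypass_rule "$PLUTO_VERB" "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT" \
        "${PLUTO_REQID:-16384}"
fi
```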


