Hi,
I quickly checked Launchpad for similar issues and found that you opened a bug report:
https://bugs.launchpad.net/neutron/+bug/2120316

Do you see the same issue in this mail?
In the above bug report there is a link to https://bugs.launchpad.net/neutron/+bug/2078845, where in comment #3 there is a workaround, but it seems not to be working for you. Is that still true for the issue in this mail?

Thanks for the answers in advance.
Best wishes
Lajos Katona

Shubham Yadav <shubham.yadav@taikun.cloud> wrote (on Thu, Nov 20, 2025, 0:18):
Hello OpenStack Community,

I'm working with OpenStack VPNaaS (using strongSwan as the backend driver) and have a question about tunnel configuration capabilities.

Current Setup:
  OpenStack VPNaaS with strongSwan driver (StrongSwanDriver)
  Single VPN Service (gateway) with multiple IPSec Site Connections
  Each connection targets different remote peers with distinct subnets

Configuration Details:
  VPN Service: Connected to a single router
  Multiple IPSec Site Connections under the same VPN Service:
    Connection 1: To MY office (10.10.100.0/24) via peer 68.x.y.34
    Connection 2: To Rackspace (172.24.60.0/22) via peer 184.n.p.53
  Shared IKE and IPSec policies across connections
  Local endpoint groups covering multiple subnets (192.168.0.0/24, 10.43.0.0/16)

Question:
Is it supported/recommended to have multiple IPSec Site Connections under a single VPN Service? I understand this creates multiple tunnels from the same OpenStack router to different remote peers.

Current Issue:
One of my connections shows "PENDING_CREATE" status while the other is "ACTIVE". I'm trying to determine if this is:

  A configuration issue on my end
  A limitation of having multiple tunnels per VPN service
  A strongSwan-specific behavior in the OpenStack context

Specific Questions:
  Does VPNaaS officially support multiple IPSec connections per VPN Service?
  Are there any known limitations or best practices when using multiple tunnels?
  Should each remote site have its own dedicated VPN Service instead?

I've checked the documentation but couldn't find clear guidance on multi-tunnel scenarios. Any insights from the community would be greatly appreciated.

Environment:
  OpenStack version: 2024.2 Dalmatian
  Neutron VPNaaS with strongSwan backend
  Kubernetes-deployed OpenStack (OpenStack-Helm)

Thank you for your time and assistance!

Best regards,
Shubham