Add ipsec.secrets reload function to strongSwan driver

Currently, strongSwan driver only triggers "ipsec reload" command when a new IPsec Site Connection configuration is received. If that configuration uses a different PSK, it will not be picked up upon reload called by restart() function. This change introduces a separate reload_secrets() function which will call "ipsec rereadsecrets" before "ipsec reload". Closes-Bug: #1921514 Change-Id: Ia5458bbbb38b1d645547baf56ce3bb5ee2a97781
2021-03-26 07:43:08 +01:00 · 2021-03-26 07:43:08 +01:00 · 2297098875
commit 2297098875
parent 42ae0626ba
1 changed files with 12 additions and 0 deletions
--- a/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py
+++ b/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py
@ -158,8 +158,20 @@ class StrongSwanProcess(ipsec.BaseSwanProcess):

    def restart(self):
        """Restart the process."""
+        self.reload_secrets()
        self.reload()

+    def reload_secrets(self):
+        """Reload the ipsec.secrets file.
+
+        Flushes and rereads all secrets defined in ipsec.secrets. This needs
+        to be done each time when a new site connection is associated with
+        a VPN service which already hosts a site connection - 'ipsec reload'
+        does not reload the secrets and new connections will not authenticate
+        properly.
+        """
+        self._execute([self.binary, 'rereadsecrets'])
+
    def reload(self):
        """Reload the process.