Algo officially supports the cloud providers listed here. If you want to deploy Algo on another virtual hosting provider, that provider must support:
Please see the Required Kernel Modules documentation from strongSwan for a list of the specific required modules and a script to check for them. As a first step, we recommend running their shell script to determine initial compatibility with your new hosting provider.
If you want Algo to officially support your new cloud provider then it must have an Ansible cloud module available. If no module is available for your provider, search Ansible’s open issues and pull requests for existing efforts to add it. If none are available, then you may want to develop the module yourself. Reference the Ansible module developer documentation and the API documentation for your hosting provider.
Hosting providers that rely on OpenVZ or Docker cannot be used by Algo since they cannot load the required kernel modules or access the required network interfaces. For more information, see the strongSwan documentation on Cloud Platforms.
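A pre-flight check along these lines can be run on a candidate host before attempting a deployment. This is an added example, not code from Algo or strongSwan: the function names are hypothetical, the container detection relies on common heuristics (/proc/vz without /proc/bc for OpenVZ, /.dockerenv or a docker cgroup for Docker), and the module names in the usage comment are illustrative only. Take the authoritative module list from strongSwan's Required Kernel Modules documentation.

```shell
#!/bin/sh
# Added example. ROOT is a filesystem prefix ("" for the live system) so the
# checks can also be pointed at a constructed directory tree.

# detect_container ROOT -> prints openvz | docker | none (heuristics, see lead-in)
detect_container() {
    root="$1"
    # An OpenVZ container exposes /proc/vz; /proc/bc exists only on the hardware node.
    if [ -d "$root/proc/vz" ] && [ ! -d "$root/proc/bc" ]; then
        echo openvz
    elif [ -e "$root/.dockerenv" ] || grep -qs docker "$root/proc/1/cgroup"; then
        echo docker
    else
        echo none
    fi
}

# module_status ROOT KERNEL_RELEASE MODULE -> prints loaded | builtin | loadable | missing
module_status() {
    root="$1"; dir="$1/lib/modules/$2"; mod="$3"
    if grep -qs "^$mod " "$root/proc/modules"; then
        echo loaded
    elif grep -qs "/$mod\.ko$" "$dir/modules.builtin"; then
        echo builtin
    # Match the module only as a modules.dep key (left of the colon), with or
    # without a compression suffix, not as another module's dependency.
    elif grep -qs "/$mod\.ko[^: ]*:" "$dir/modules.dep"; then
        echo loadable
    else
        echo missing
    fi
}

# preflight ROOT KERNEL_RELEASE MODULE... -> returns 0 if the host looks usable
preflight() {
    root="$1"; krel="$2"; shift 2; rc=0
    kind=$(detect_container "$root")
    if [ "$kind" != none ]; then
        echo "FAIL: $kind container, kernel modules cannot be loaded"; rc=1
    fi
    for m in "$@"; do
        st=$(module_status "$root" "$krel" "$m")
        echo "$m: $st"
        if [ "$st" = missing ]; then rc=1; fi
    done
    return $rc
}

# Live host usage (illustrative module names):  sh preflight.sh esp4 xfrm_user
if [ "$#" -gt 0 ]; then preflight "" "$(uname -r)" "$@" || exit 1; fi
```

A "loadable" result only means the module file is present for the running kernel; strongSwan's own script remains the reference check.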
In order to address this issue, strongSwan has developed the kernel-libipsec plugin which provides an IPsec backend that works entirely in userland. libipsec bundles its own IPsec implementation and uses TUN devices to route packets. For example, libipsec is used by the Android strongSwan app to address Android’s lack of a functional IPsec stack.
Use of libipsec is not supported by Algo. It has known performance issues since it buffers each packet in memory. On certain systems with insufficient processor power, such as many cloud hosting providers, using libipsec can lead to an out of memory condition, crash the charon daemon, or lock up the entire host.
Further, libipsec introduces unknown security risks. The code in libipsec has not been scrutinized to the same level as the code in the Linux or FreeBSD kernel that it replaces. This additional code introduces new complexity to the Algo server that we want to avoid at this time. We recommend moving to a hosting provider that does not require libipsec and can load the required kernel modules.