Sync from SUSE:ALP:Source:Standard:1.0 strongswan revision c330aa00148b2c1727e83f27b487a6a9

2023-12-21 13:27:22 +01:00 · 2023-12-21 13:27:22 +01:00 · 755c9c3f5e
commit 755c9c3f5e
13 changed files with 3699 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
--- a/0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
+++ b/0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
@ -0,0 +1,27 @@
+From 4e16732c1c668c27e73574724d2d90537a74f67a Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 17 Jun 2016 18:19:48 +0200
+Subject: [PATCH] ikev1: Don't retransmit Aggressive Mode response
+
+These could theoretically be used for an amplified DDoS attack.
+---
+ src/libcharon/sa/ikev1/task_manager_v1.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
+index 48ec3e7..0912555 100644
+--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
+@@ -770,8 +770,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
+ 				continue;
+ 			case NEED_MORE:
+ 				/* processed, but task needs another exchange */
+-				if (task->get_type(task) == TASK_QUICK_MODE ||
+-					task->get_type(task) == TASK_AGGRESSIVE_MODE)
+				if (task->get_type(task) == TASK_QUICK_MODE)
+ 				{	/* we rely on initiator retransmission, except for
+ 					 * three-message exchanges */
+ 					expect_request = TRUE;
+-- 
+2.13.2
+
--- a/README.SUSE
+++ b/README.SUSE
@ -0,0 +1,54 @@
+Dear Customer,
+
+please note, that the strongswan release 4.5 changes the keyexchange mode
+to IKEv2 as default -- from strongswan-4.5.0/NEWS:
+"[...]
+IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5
+from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the
+IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively
+come for IKEv1 to go into retirement and to cede its place to the much more
+robust, powerful and versatile IKEv2 protocol!
+[...]"
+
+This requires adoption of either the "conn %default" or all other IKEv1
+"conn" sections in the /etc/ipsec.conf to use explicit:
+
+	keyexchange=ikev1
+
+The charon daemon in strongswan 5.x versions supports IKEv1 and IKEv2,
+thus a separate pluto IKEv1 daemon is not needed / not shipped any more.
+
+
+The strongswan package does not provide any files except of this README,
+but triggers the installation of the charon daemon and the "traditional"
+strongswan-ipsec package providing the "ipsec" script and service.
+The ipsec.service is an alias link to the "strongswan.service" systemd
+service unit and created by "systemctl enable strongswan.service".
+
+
+There is a new strongswan-nm package with a NetworkManager specific charon-nm
+binary controlling the charon daemon through D-Bus and designed to work using
+the NetworkManager-strongswan graphical user interface.
+It does not depend on the traditional starter scripts, but on the IKEv2
+charon daemon and plugins only. 
+
+
+The stongswan-hmac package provides the fips hmac hash files, a _fipscheck
+script and a /etc/strongswan.d/charon/zzz_fips-enforce.conf config file,
+which disables all non-openssl algorithm implementations.
+
+When fips operation mode is enabled in the kernel using the fips=1 boot
+parameter, the strongswan fips checks are executed in front of any start
+action of the "ipsec" script provided by the "strongswan-ipsec" package
+and a verification problem causes a failure as required by fips-140-2.
+Further, it is not required to enable the fips_mode in the openssl plugin
+(/etc/strongswan.d/charon/openssl.conf); the kernel entablement enables
+it automatically as needed.
+
+The "ipsec _fipscheck" command allows to execute the fips checks manually
+without a check if fips is enabled (/proc/sys/crypto/fips_enabled is 1),
+e.g. for testing purposes.
+
+
+Have a lot of fun...
+
--- a/fips-enforce.conf
+++ b/fips-enforce.conf
@ -0,0 +1,51 @@
+#
+# When fips is enabled (fips=1 kernel parameter), only certified openssl
+# and kernel crypto API (af-alg) algorithms are supported.
+#
+# The strongswan-hmac package is supposed to be used/installed when fips
+# is enabled and provides this blacklist disabling other plugins
+# providing further and/or alternative algorithm implementations.
+#
+gcrypt {
+    load = no
+}
+blowfish {
+    load = no
+}
+random {
+    load = no
+}
+des {
+    load = no
+}
+aes {
+    load = no
+}
+rc2 {
+    load = no
+}
+ctr {
+    load = no
+}
+cmac {
+    load = no
+}
+xcbc {
+    load = no
+}
+md4 {
+    load = no
+}
+md5 {
+    load = no
+}
+sha1 {
+    load = no
+}
+sha2 {
+    load = no
+}
+ccm {
+    load = no
+}
+
--- a/harden_strongswan.service.patch
+++ b/harden_strongswan.service.patch
@ -0,0 +1,22 @@
+Index: strongswan-5.9.5/init/systemd/strongswan.service.in
+===================================================================
+--- strongswan-5.9.5.orig/init/systemd/strongswan.service.in
+++ strongswan-5.9.5/init/systemd/strongswan.service.in
+@@ -3,6 +3,17 @@ Description=strongSwan IPsec IKEv1/IKEv2
+ After=network-online.target
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ Type=notify
+ ExecStart=@SBINDIR@/charon-systemd
+ ExecStartPost=@SBINDIR@/swanctl --load-all --noprompt
--- a/strongswan-5.9.12.tar.bz2
+++ b/strongswan-5.9.12.tar.bz2
--- a/strongswan-5.9.12.tar.bz2.sig
+++ b/strongswan-5.9.12.tar.bz2.sig
@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmVbP3kACgkQ30LBcLNN
+uneAygwAomUeLeEAbCSAkr+hVxxV2n8YBhGIoGYC8Ii/vpfD2ZC72gZF13QlUQcR
+CizUT7XtvNBqQTTae0aoUlF6avmgqktHnJeLXVk8XATrkqVwW57EtfbBDEmVz1U9
+r1RNVvQWE15buvlT3yYoTu94dzm1jfNpGhB+v1bom9d+0JM+RGhxyl6nTpXgcNvQ
+39P7rMQ5KbpdModLXZqBSZsKOX41a6oMWXQE+akfrUakhe/0N9FabpUb76U+R3Hz
+Xx2TStOQDV/6QaAtLaaAOvIIjLsc1lHPxcO5Yf2iMbGBEOzldtrA5rPiLWLSwEG8
+chHhweSoD0qAKjRKYfx5umLYzOlsew42fwjFTQye8BXLdYqELdvD6MyCWn51YKO4
+ALhWFWxvBzL9FMQfPyVo+SWoS5IN9pKc4dqCgTMetorn7dZZGRykI8VAfnn5WxwB
+CTzAitDVNI6T3dfqiadBrqDNe0wnatlOg2fJ+N3wU1IqoEtfHZ4yoxm/P88AaTBX
+ImhWse8k
+=6zu/
+-----END PGP SIGNATURE-----
--- a/9
+++ b/9
@ -0,0 +1,9 @@
+### Known warnings:
+# - traditional name
+addFilter("strongswan.* incoherent-init-script-name ipsec")
+# - readme only, triggers full ipsec + ikev1&ikev2 install
+addFilter("strongswan.* no-binary")
+# - link to init script, covered by service(8)
+addFilter("strongswan.* no-manual-page-for-binary rcipsec")
+# - no, restating tunnels on update may break the update
+addFilter("strongswan.*restart_on_update-postun /etc/init.d/ipsec")
--- a/strongswan.changes
+++ b/strongswan.changes
--- a/strongswan.init.in
+++ b/strongswan.init.in
@ -0,0 +1,278 @@
+#!/bin/bash
+#
+#     SUSE/LSB system startup script for strongswan ipsec
+#
+#     Copyright (C) 2007 Marius Tomaschewski, SUSE / Novell Inc.
+#     based on /etc/init.d/skeleton.compat by Kurt Garloff.
+#
+#     This library is free software; you can redistribute it and/or modify it
+#     under the terms of the GNU Lesser General Public License as published by
+#     the Free Software Foundation; either version 2.1 of the License, or (at
+#     your option) any later version.
+#
+#     This library is distributed in the hope that it will be useful, but
+#     WITHOUT ANY WARRANTY; without even the implied warranty of
+#     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#     Lesser General Public License for more details.
+#
+#     You should have received a copy of the GNU Lesser General Public
+#     License along with this library; if not, write to the Free Software
+#     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
+#     USA.
+#
+# /etc/init.d/ipsec
+#     and its symbolic link
+# /usr/sbin/rcipsec
+#
+# LSB compatible service control script; see http://www.linuxbase.org/spec/
+# Please send feedback to http://www.suse.de/feedback/
+#
+# Note: This script uses functions rc_XXX defined in /etc/rc.status on
+# UnitedLinux/SUSE/Novell based Linux distributions. However, it shoule
+# work on other distributions as well, by using the LSB (Linux Standard
+# Base) or RH functions or by open coding the needed functions.
+#
+# chkconfig: 345 99 00
+# description: StrongSwan IPsec
+#
+### BEGIN INIT INFO
+# Provides:          ipsec
+# Required-Start:    $syslog $remote_fs $named
+# Should-Start:      $time
+# Required-Stop:     $syslog $remote_fs $named
+# Should-Stop:       $time
+# Default-Start:     3 5
+# Default-Stop:      0 1 2 6
+# Short-Description: StrongSwan IPsec
+# Description:       StrongSwan IPsec provides encrypted and authenticated
+#	communication via a unsafe network, such as the internet.
+#	This scripts loads the kernel modules and starts the user-space setup.
+### END INIT INFO
+
+
+# Check for missing binaries (stale symlinks should not happen)
+# Note: Special treatment of stop for LSB conformance
+IPSEC_CMD="/usr/sbin/ipsec"
+test -x $IPSEC_CMD || {
+	echo "$IPSEC_CMD not installed";
+	if [ "$1" = "stop" ]; then exit 0; else exit 5; fi;
+}
+IPSEC_STARTER="@libexecdir@/ipsec/starter"
+test -x $IPSEC_STARTER || { 
+        echo "$IPSEC_STARTER not installed";   
+        if [ "$1" = "stop" ]; then exit 0; else exit 5; fi;
+}
+
+# The pid file of the ipsec starter
+IPSEC_PIDFILE="/var/run/starter.pid"
+
+# Check for existence of needed config files
+IPSEC_CONFIG="/etc/ipsec.conf"
+test -r $IPSEC_CONFIG || {
+	echo "$IPSEC_CONFIG not existing";
+	if [ "$1" = "stop" ]; then exit 0; else exit 6; fi;
+}
+IPSEC_SECRET="/etc/ipsec.secrets"
+test -r $IPSEC_SECRET || {
+	echo "$IPSEC_SECRET not existing";
+	if [ "$1" = "stop" ]; then exit 0; else exit 6; fi;
+}
+
+# Source LSB init functions
+# providing start_daemon, killproc, pidofproc, 
+# log_success_msg, log_failure_msg and log_warning_msg.
+# This is currently not used by UnitedLinux based distributions and
+# not needed for init scripts for UnitedLinux only. If it is used,
+# the functions from rc.status should not be sourced or used.
+#. /lib/lsb/init-functions
+
+# Shell functions sourced from /etc/rc.status:
+#      rc_check         check and set local and overall rc status
+#      rc_status        check and set local and overall rc status
+#      rc_status -v     be verbose in local rc status and clear it afterwards
+#      rc_status -v -r  ditto and clear both the local and overall rc status
+#      rc_status -s     display "skipped" and exit with status 3
+#      rc_status -u     display "unused" and exit with status 3
+#      rc_failed        set local and overall rc status to failed
+#      rc_failed <num>  set local and overall rc status to <num>
+#      rc_reset         clear both the local and overall rc status
+#      rc_exit          exit appropriate to overall rc status
+#      rc_active        checks whether a service is activated by symlinks
+
+# Use the SUSE rc_ init script functions;
+# emulate them on LSB, RH and other systems
+
+# Default: Assume sysvinit binaries exist
+start_daemon() { /sbin/start_daemon ${1+"$@"}; }
+killproc()     { /sbin/killproc     ${1+"$@"}; }
+pidofproc()    { /sbin/pidofproc    ${1+"$@"}; }
+checkproc()    { /sbin/checkproc    ${1+"$@"}; }
+if test -e /etc/rc.status; then
+    # SUSE rc script library
+    . /etc/rc.status
+else
+    export LC_ALL=POSIX
+    _cmd=$1
+    declare -a _SMSG
+    if test "${_cmd}" = "status"; then
+	_SMSG=(running dead dead unused unknown reserved)
+	_RC_UNUSED=3
+    else
+	_SMSG=(done failed failed missed failed skipped unused failed failed reserved)
+	_RC_UNUSED=6
+    fi
+    if test -e /lib/lsb/init-functions; then
+	# LSB    
+	. /lib/lsb/init-functions
+	echo_rc()
+	{
+	    if test ${_RC_RV} = 0; then
+		log_success_msg "  [${_SMSG[${_RC_RV}]}] "
+	    else
+		log_failure_msg "  [${_SMSG[${_RC_RV}]}] "
+	    fi
+	}
+	# TODO: Add checking for lockfiles
+	checkproc() { pidofproc ${1+"$@"} >/dev/null 2>&1; }
+    elif test -e /etc/init.d/functions; then
+	# RHAT
+	. /etc/init.d/functions
+	echo_rc()
+	{
+	    #echo -n "  [${_SMSG[${_RC_RV}]}] "
+	    if test ${_RC_RV} = 0; then
+		success "  [${_SMSG[${_RC_RV}]}] "
+	    else
+		failure "  [${_SMSG[${_RC_RV}]}] "
+	    fi
+	}
+	checkproc() { status ${1+"$@"}; }
+	start_daemon() { daemon ${1+"$@"}; }
+    else
+	# emulate it
+	echo_rc() { echo "  [${_SMSG[${_RC_RV}]}] "; }
+    fi
+    rc_reset() { _RC_RV=0; }
+    rc_failed()
+    {
+	if test -z "$1"; then 
+	    _RC_RV=1;
+	elif test "$1" != "0"; then 
+	    _RC_RV=$1; 
+    	fi
+	return ${_RC_RV}
+    }
+    rc_check()
+    {
+	rc_failed $?
+    }	
+    rc_status()
+    {
+	rc_failed $?
+	if test "$1" = "-r"; then _RC_RV=0; shift; fi
+	if test "$1" = "-s"; then rc_failed 5; echo_rc; rc_failed 3; shift; fi
+	if test "$1" = "-u"; then rc_failed ${_RC_UNUSED}; echo_rc; rc_failed 3; shift; fi
+	if test "$1" = "-v"; then echo_rc; shift; fi
+	if test "$1" = "-r"; then _RC_RV=0; shift; fi
+	return ${_RC_RV}
+    }
+    rc_exit() { exit ${_RC_RV}; }
+    rc_active() 
+    {
+        local x
+	for x in /etc/rc.d/rc[0-9].d/S[0-9][0-9]${1} ; do
+		test -e $x && return 0 || break
+	done
+	return 1
+    }
+fi
+
+# Reset status of this service
+rc_reset
+
+# Return values acc. to LSB for all commands but status:
+# 0       - success
+# 1       - generic or unspecified error
+# 2       - invalid or excess argument(s)
+# 3       - unimplemented feature (e.g. "reload")
+# 4       - user had insufficient privileges
+# 5       - program is not installed
+# 6       - program is not configured
+# 7       - program is not running
+# 8--199  - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
+#
+# Note that starting an already running service, stopping
+# or restarting a not-running service as well as the restart
+# with force-reload (in case signaling is not supported) are
+# considered a success.
+
+case "$1" in
+    start)
+	$IPSEC_CMD start 2>&1
+	rc_status -v1
+	;;
+    stop)
+	$IPSEC_CMD stop 2>&1
+	rc_status -v1
+	;;
+    try-restart|condrestart)
+	## Do a restart only if the service was active before.
+	## Note: try-restart is now part of LSB (as of 1.9).
+	## RH has a similar command named condrestart.
+	if test "$1" = "condrestart"; then
+		echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
+	fi
+	$0 status
+	if test $? = 0; then
+		$0 restart
+	else
+		rc_reset	# Not running is not a failure.
+	fi
+	# Remember status and be quiet
+	rc_status
+	;;
+    restart)
+	## Stop the service and regardless of whether it was
+	## running or not, start it again.
+	$0 stop
+	sleep 2
+	$0 start
+
+	# Remember status and be quiet
+	rc_status
+	;;
+    reload|force-reload)
+	$IPSEC_CMD reload
+	rc_status -v1
+	;;
+    status)
+	# Return value is slightly different for the status command:
+	# 0 - service up and running
+	# 1 - service dead, but /var/run/  pid  file exists
+	# 2 - service dead, but /var/lock/ lock file exists
+	# 3 - service not running (unused)
+	# 4 - service status unknown :-(
+	# 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
+	
+	echo -n "Checking for service strongSwan IPsec "
+	#checkproc $IPSEC_STARTER
+	$IPSEC_CMD status 2>&1 >/dev/null
+
+	# NOTE: rc_status knows that we called this init script with
+	# "status" option and adapts its messages accordingly.
+	rc_status -v
+	;;
+    probe)
+	## Optional: Probe for the necessity of a reload, print out the
+	## argument to this init script which is required for a reload.
+	## Note: probe is not (yet) part of LSB (as of 1.9)
+
+	test $IPSEC_CONFIG -nt $IPSEC_PIDFILE || \
+	test $IPSEC_SECRET -nt $IPSEC_PIDFILE && echo reload
+	;;
+    *)
+	echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
+	exit 1
+	;;
+esac
+rc_exit
--- a/strongswan.keyring
+++ b/strongswan.keyring
@ -0,0 +1,53 @@
+pub   3072R/B34DBA77 2009-06-12
+uid                  Andreas Steffen <andreas.steffen@strongswan.org>
+sub   3072g/0E10E91A 2009-08-20
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.19 (GNU/Linux)
+
+mQGNBEoycP0BDACzL8ymURD7gnaNbGx2VGieNQr/gNISWhqgHaeUxuSkrInxl89A
+ClvN7DoF2cD7slEqIMQh/8t6xVzmh9teu5uyeV1eyG/CuFMUqawXqpn/sYa2SkgX
+C/qHB2hIbFg2K4k5LJHxzqHb1OdtOcU6lHg9yrvYcoO+FTVR+rYaVgYbbbziTB/v
+hAAzvdTdgwMgoQMSXA7FsJ0mALny4IeiCoi6S6qRVDm4zcu11UFT9g1VmhmeHqtU
+SQso72bPKKhYvu7ZaQrLhkvY9inWr6m9dxV8Zgb1ivZGhzsNzrhGAsz9jmiB5POF
+Mfph0hREMiS33ph/YMJducGQHYGEza9mKBdUaaAAEL3fCpde7vRa+c5Gc/Y5RUB7
+iUsb2KQY+7xTiSUnCHbsMwhndG0dJspVXcz6X+2S3Ty4GaiqkvxI9KLiwiECNl0I
+oLX5s/FIW6KW+GnxJTp/3h6vvqm8i0+yIwk+ETM4XfhHMwuPkDyf6km1ag3nIUw6
+pSSfnQMPhj5rXIMAEQEAAbQwQW5kcmVhcyBTdGVmZmVuIDxhbmRyZWFzLnN0ZWZm
+ZW5Ac3Ryb25nc3dhbi5vcmc+iQG3BBMBAgAhBQJKMnD9AhsDBwsJCAcDAgEEFQII
+AwQWAgMBAh4BAheAAAoJEN9CwXCzTbp3t5AL/jrXnnGIHLn8M9rmyoeNe7JQUE5A
+GSV3UFaZHgHmjbvIHA+dRvh1MPlHuWbaZkHVPtRFvFtEgksc944+XcKoNoExKGKr
+wLQcUExUiQ0IyNwH70u7f1uFNcbY85Oue5ASzm+wAntnmIlNsN+MHewRWC6f6gYn
+1aHwsvh09fz0A34v9wdtim2ek/Voxe3AIDIw2MTNmwF61pXEsrH0wqYnGhYLZ7Qb
+thnDnHQaUd3IPSa6uAgOOiCoCbKCvP4u/iVm0rmXN9uzmm/i4Y0cE3DopGsqrR5D
+fWYJjgP4KBCln0LgWtYI8pcYcmA5E+l+fijNcMidtzWHMW2Mj0oZZsO+wlRUYLGh
+/jRASgq7rXuxV+oGKcBn4RqSHlZ5/BYlvowUxnNFC4tLLlneHidS8TurjacM3fwR
+MP5NMmcS5d9sVLG1uxl+/g2cRMtphHiziz+79jDc+tSxqRO5lhqyItAD6LC2GxB3
+iC5afnMx49+YWzhUTeL/KfkrD9w3/n7O00kLtLkDDQRKjOHDEAwAxdh8W7j/QhE3
+KZNmJGsK/QtJ72zZRGRcdUPH6GG//GaAG5hSCjM8q+0MR/G+31uk32RbzRIj1sHQ
+8fY0znxPmaeD1wow0hCbDTq+Ep3K8ouaqoqjlP4rd+I94OtxNfXgmllf7BDOZ6lI
+wUY8ba8cFCPYsv8ZvRXo82XfwFYevQ9kTLqkJT52mMyPZLwYx4DNwuqFtQQEBLKg
+IVXVgpK6SE72MFP8vyFsdrL0ORgxoWI6PIHbnIRY1KiWUzOSrqirZUHH9MPuzFuB
+R0+jEAajeKoxycn0ILLM5PBAEFXFgBdtNNCtshe1fR5aPsXcGZsZRjc7mbAHLRqa
+pVhk7oX31WrGqGHkSM/GAnf3aAzsnCkO5+Tje2iyuoG5OhQbHsvMBOtdvQrwnorl
+56EguzuK1mGDsczNsuAYRcKiasCWpsjoytDH+dGEQmKXydD9r06cxPx+mWmWKLo4
+w+k4mMC0lFRYKi83cwTpaMpHOeW4+3d1tJfkCQy+vjUz4aZJ/WSXAAMFDACqmeXA
+Al7WssHkjVZ/vwQfHLHNMZsGEEucvV7KNqMF4Fe6nRbbE6GJOuz6taeFkJIppBqV
+xhSNOsf5soOXfGp0IgYoC37GPI6AAb4UnG5GVcaAMQAXUYcwfDGGuV/EO5pPrEyP
+jy++GvjhxcKV3HmUuAfcgyhTGhDOVPxU28Roz3+8Eig085v+lyqAsgFduBrf+ZV+
+lHjIOSXSWmTiT8EVSA3fpN14/qhltudhdGIZ/pCW303H9Bd9c4Uc9OzYhRr1VpO6
+lpYfTFNey8KQL4z9Kjt0RPscz2hYDOJ1cTFWs/4Z+9mBJODwrnIiORLlgV2NlP5E
+ZY4MccVFd9K7E/OPQdt3Uv6+6BjYRntY7wsX617T5Rmj8n6AhbpngmWg2D6wRfm7
+TyI0Wtz5icCoJIEHQwB/3EhBzQl7tBc0cClwCYm7nTYRt+SL2tfylWy9Leail+ay
+M6zwMW0klV42E4u8DCy/aJrwmEiVwuwGbXL6z46M9EZguof38MTEmLsHls+JAZ8E
+GAECAAkFAkqM4cMCGwwACgkQ30LBcLNNunffBgv/b/v3eQoZTWgOB5MnXhIrg/Ki
+kYTYbnEG9wWM7XIST8bpP7f/UKyD44CCVJH7SVTGAXeyjglnuYXy4FwaTdFmm6al
+W0sCp4rnmADi5BLLzQlCUa5J0iZ+oAZnAH60BezUM+CYz/QBW3NJmP3323PeM4H4
+MZ0vLv3wgaLkFlaK/eASBoC7KuZWAnvsNOdLQ29L4BYgW2Jwk1+PxszjT369DsMU
+Y3iY6gM9rM71Ajd8x98hd1r26LILGntAEEXxs+13Kka7J4GCqf8/J9ZR01dDp8QM
+M9EHFLnthpAyUuSXm5Qlglavnf7tU6AA0SFuA0pP5CXVLG1DLT1fJvNOqjdzPsf
+u/48AM2Lpxj0gKt1yDQc890GxwnOL1iZ6+XMh9/ujWy7Q7dI4M2mthwYFXldWrPS
+CmMToWfl62BxPdY5FIECXeRwTIO9sI0LQVc2eAG8lDsge05q1nJFxo9WKr7ewAdF
+b/fMIr7XMwoMj2SQSy/tZVCBnDXR5Gw5HSxRnIAS
+=ze82
+-----END PGP PUBLIC KEY BLOCK-----
--- a/strongswan.spec
+++ b/strongswan.spec
@ -0,0 +1,936 @@
+#
+# spec file for package strongswan
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name:           strongswan
+Version:        5.9.12
+Release:        0
+%define         upstream_version     %{version}
+%define         strongswan_docdir    %{_docdir}/%{name}
+%define         strongswan_libdir    %{_libdir}/ipsec
+%define         strongswan_configs   %{_sysconfdir}/strongswan.d
+%define         strongswan_datadir   %{_datadir}/strongswan
+%define         strongswan_plugins   %{strongswan_libdir}/plugins
+%define         strongswan_templates %{strongswan_datadir}/templates
+%if 0
+%bcond_without  tests
+%else
+%bcond_with     tests
+%endif
+%bcond_without  fipscheck
+%ifarch %{ix86} ppc64le
+%bcond_without  integrity
+%else
+%bcond_with     integrity
+%endif
+%bcond_without  farp
+%bcond_without  afalg
+%bcond_without  mysql
+%bcond_without  sqlite
+%bcond_without  gcrypt
+%bcond_without  nm
+%bcond_without  systemd
+Summary:        IPsec-based VPN solution
+License:        GPL-2.0-or-later
+Group:          Productivity/Networking/Security
+URL:            https://www.strongswan.org/
+Source0:        http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2
+Source1:        http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
+Source2:        %{name}.init.in
+Source3:        %{name}-rpmlintrc
+Source4:        README.SUSE
+Source5:        %{name}.keyring
+%if %{with fipscheck}
+Source7:        fips-enforce.conf
+%endif
+Patch2:         %{name}_ipsec_service.patch
+Patch5:         0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
+Patch6:         harden_strongswan.service.patch
+BuildRequires:  bison
+BuildRequires:  curl-devel
+BuildRequires:  flex
+BuildRequires:  gmp-devel
+BuildRequires:  gperf
+BuildRequires:  libcap-devel
+BuildRequires:  libopenssl-devel
+BuildRequires:  openldap2-devel
+BuildRequires:  pam-devel
+BuildRequires:  pcsc-lite-devel
+BuildRequires:  pkg-config
+BuildRequires:  pkgconfig(libsoup-2.4)
+%if %{with mysql}
+BuildRequires:  libmysqlclient-devel
+%endif
+%if %{with sqlite}
+BuildRequires:  sqlite3-devel
+%endif
+%if %{with gcrypt}
+BuildRequires:  libgcrypt-devel
+%endif
+%if %{with nm}
+BuildRequires:  pkgconfig(libnm)
+%endif
+%{?systemd_requires}
+BuildRequires:  iptables
+BuildRequires:  pkgconfig(libsystemd)
+%{!?_rundir: %global _rundir /run}
+%{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d}
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  libtool
+Requires:       strongswan-ipsec = %{version}
+
+%description
+StrongSwan is an IPsec-based VPN solution for Linux.
+
+* Implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
+* Fully tested support of IPv6 IPsec tunnel and transport connections
+* Dynamic IP address and interface update with IKEv2 MOBIKE (RFC 4555)
+* Automatic insertion and deletion of IPsec-policy-based firewall rules
+* Strong 128/192/256 bit AES or Camellia encryption, 3DES support
+* NAT Traversal via UDP encapsulation and port floating (RFC 3947)
+* Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
+* Static virtual IP addresses and IKEv1 ModeConfig pull and push modes
+* XAUTH server and client functionality on top of IKEv1 Main Mode authentication
+* Virtual IP address pool managed by IKE daemon or SQL database
+* Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
+* Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
+* Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
+* Authentication based on X.509 certificates or preshared keys
+* Generation of a default self-signed certificate during first strongSwan startup
+* Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
+* Full support of the Online Certificate Status Protocol (OCSP, RCF 2560).
+* CA management (OCSP and CRL URIs, default LDAP server)
+* Powerful IPsec policies based on wildcards or intermediate CAs
+* Group policies based on X.509 attribute certificates (RFC 3281)
+* Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface)
+* Modular plugins for crypto algorithms and relational database interfaces
+* Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
+* Optional built-in integrity and crypto tests for plugins and libraries
+* Linux desktop integration via the strongSwan NetworkManager applet
+
+This package triggers the installation of both, IKEv1 and IKEv2 daemons.
+
+%package doc
+Summary:        Documentation for strongSwan
+Group:          Documentation/Man
+BuildArch:      noarch
+
+%description doc
+StrongSwan is an IPsec-based VPN solution for Linux.
+
+This package provides the StrongSwan documentation.
+
+%package libs0
+Summary:        strongSwan core libraries and basic plugins
+Group:          Productivity/Networking/Security
+Conflicts:      strongswan < %{version}
+
+%description libs0
+StrongSwan is an IPsec-based VPN solution for Linux.
+
+This package provides the strongswan library and plugins.
+
+%package hmac
+Summary:        Config file to disable non FIPS-140-2 algos in strongSwan
+Group:          Productivity/Networking/Security
+Requires:       strongswan-ipsec = %{version}
+Requires:       strongswan-libs0 = %{version}
+
+%description hmac
+The package provides a config file disabling alternative algorithm
+implementation when FIPS-140-2 compliant operation mode is enabled.
+
+%package ipsec
+Summary:        IPsec-based VPN solution
+Group:          Productivity/Networking/Security
+Requires:       strongswan-libs0 = %{version}
+Provides:       VPN
+Provides:       ipsec
+Provides:       strongswan = %{version}
+Obsoletes:      strongswan < %{version}
+Conflicts:      freeswan
+Conflicts:      openswan
+
+%description ipsec
+StrongSwan is an IPsec-based VPN solution for Linux.
+
+This package provides the /etc/init.d/ipsec service script and allows
+to maintain both IKEv1 and IKEv2 using the /etc/ipsec.conf and the
+/etc/ipsec.secrets files.
+
+%package mysql
+Summary:        MySQL plugin for strongSwan
+Group:          Productivity/Networking/Security
+Requires:       strongswan-libs0 = %{version}
+
+%description mysql
+StrongSwan is an IPsec-based VPN solution for Linux.
+
+This package provides the strongswan mysql plugin.
+
+%package sqlite
+Summary:        SQLite plugin for strongSwan
+Group:          Productivity/Networking/Security
+Requires:       strongswan-libs0 = %{version}
+
+%description sqlite
+StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
+
+This package provides the strongswan sqlite plugin.
+
+%package nm
+Summary:        NetworkManager plugin for strongSwan
+Group:          Productivity/Networking/Security
+Requires:       strongswan-libs0 = %{version}
+
+%description nm
+StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
+
+This package provides the NetworkManager plugin to control the
+charon IKEv2 daemon through D-Bus, designed to work using the
+NetworkManager-strongswan graphical user interface.
+
+%package tests
+Summary:        Testing plugins for strongSwan
+Group:          Productivity/Networking/Security
+Requires:       strongswan-libs0 = %{version}
+
+%description tests
+StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
+
+This package provides the strongswan crypto test vectors plugin
+and the load testing plugin for IKEv2 daemon.
+
+%prep
+%setup -q -n %{name}-%{upstream_version}
+%patch2 -p1
+%patch5 -p1
+sed -e 's|@libexecdir@|%_libexecdir|g'    \
+     < %{_sourcedir}/strongswan.init.in \
+     > strongswan.init
+%patch6 -p1
+
+%build
+CFLAGS="%{optflags} -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter"
+export CFLAGS
+autoreconf --force --install
+%configure \
+%if %{with integrity}
+	--enable-integrity-test \
+%endif
+	--with-capabilities=libcap \
+	--with-plugindir=%{strongswan_plugins} \
+	--with-resolv-conf=%{_rundir}/%{name}/resolv.conf \
+	--with-piddir=%{_rundir}/%{name} \
+	--enable-systemd \
+	--with-systemdsystemunitdir=%{_unitdir} \
+	--enable-pkcs11 \
+	--enable-openssl \
+	--enable-agent \
+%if %{with gcrypt}
+	--enable-gcrypt \
+%else
+	--disable-gcrypt \
+%endif
+	--enable-blowfish \
+	--enable-ctr \
+	--enable-ccm \
+	--enable-gcm \
+	--enable-unity \
+	--enable-md4 \
+%if %{with afalg}
+	--enable-af-alg \
+%endif
+	--enable-eap-sim \
+	--enable-eap-sim-file \
+	--enable-eap-sim-pcsc \
+	--enable-eap-aka \
+	--enable-eap-aka-3gpp2 \
+	--enable-eap-simaka-sql \
+	--enable-eap-simaka-pseudonym \
+	--enable-eap-simaka-reauth \
+	--enable-eap-identity \
+	--enable-eap-md5 \
+	--enable-eap-gtc \
+	--enable-eap-mschapv2 \
+	--enable-eap-tls \
+	--enable-eap-ttls \
+	--enable-eap-peap \
+	--enable-eap-tnc \
+	--enable-eap-dynamic \
+	--enable-eap-radius \
+	--enable-xauth-eap \
+	--enable-xauth-pam \
+	--enable-tnc-pdp \
+	--enable-tnc-imc \
+	--enable-tnc-imv \
+	--enable-tnccs-11 \
+	--enable-tnccs-20 \
+	--enable-tnccs-dynamic \
+	--enable-imc-test \
+	--enable-imv-test \
+	--enable-imc-scanner \
+	--enable-imv-scanner \
+	--enable-ha \
+	--enable-dhcp \
+%if %{with farp}
+	--enable-farp \
+%endif
+	--enable-smp \
+	--enable-sql \
+	--enable-attr-sql \
+	--enable-addrblock \
+	--enable-radattr \
+	--enable-mediation \
+	--enable-led \
+	--enable-certexpire \
+	--enable-duplicheck \
+	--enable-coupling \
+%if %{with mysql}
+	--enable-mysql \
+%endif
+%if %{with sqlite}
+	--enable-sqlite \
+%endif
+%if %{with nm}
+	--enable-nm \
+%else
+	--disable-nm \
+%endif
+%if %{with tests}
+	--enable-conftest \
+	--enable-load-tester \
+	--enable-test-vectors \
+%endif
+	--enable-ldap \
+	--enable-soup \
+	--enable-curl \
+	--enable-bypass-lan \
+	--disable-static
+%make_build
+
+%install
+install -d -m755              %{buildroot}/%{_sbindir}/
+install -d -m755              %{buildroot}/%{_sysconfdir}/ipsec.d/
+ln -sf %{_sbindir}/service    %{buildroot}/%{_sbindir}/rcstrongswan
+ln -sf %{_sbindir}/service    %{buildroot}/%{_sbindir}/rcstrongswan-starter
+ln -sf %{_sbindir}/service    %{buildroot}/%{_sbindir}/rcipsec
+#
+# Ensure, plugin -> library dependencies can be resolved
+# (e.g. libtls) to avoid plugin segment checksum errors.
+#
+LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
+%make_install
+#
+# checksums are calculated during make install using the
+# installed binaries/libraries... but find-debuginfo.sh
+# extracts debuginfo/debugsource breaking file checksums.
+# let find-debuginfo.sh run on a build root copy and then
+# calculate the checksums.
+#
+%if %{with integrity}
+%{?__debug_package:
+	if test -x %{_rpmconfigdir}/find-debuginfo.sh ; then
+		cp -a "%{buildroot}" "%{buildroot}-$$"
+		RPM_BUILD_ROOT="%{buildroot}-$$" \
+		%{_rpmconfigdir}/find-debuginfo.sh  \
+			%{?_find_debuginfo_opts} "%{buildroot}-$$"
+		make -C src/checksum clean
+		rm -f   src/checksum/checksum_builder
+		LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
+		make -C src/checksum install DESTDIR="%{buildroot}-$$"
+		mv "%{buildroot}-$$/%{strongswan_libdir}/libchecksum.so" \
+		   "%{buildroot}/%{strongswan_libdir}/libchecksum.so"
+		rm -rf "%{buildroot}-$$"
+	fi
+}
+%endif
+#
+rm -f %{buildroot}/%{_sysconfdir}/ipsec.secrets
+cat << EOT > %{buildroot}/%{_sysconfdir}/ipsec.secrets
+#
+# ipsec.secrets
+#
+# This file holds the RSA private keys or the PSK preshared secrets for
+# the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
+#
+EOT
+#
+%if ! %{with mysql}
+rm -f %{buildroot}/%{strongswan_templates}/database/sql/mysql.sql
+%endif
+%if ! %{with sqlite}
+rm -f %{buildroot}/%{strongswan_templates}/database/sql/sqlite.sql
+%endif
+rm -f %{buildroot}/%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so
+rm -f %{buildroot}/%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so
+find %{buildroot}/%{strongswan_libdir} -type f -name "*.la" -delete
+#
+install -d -m755 %{buildroot}/%{strongswan_docdir}/
+install -c -m644 TODO NEWS README COPYING LICENSE \
+		 AUTHORS ChangeLog \
+		 %{buildroot}/%{strongswan_docdir}/
+install -c -m644 %{_sourcedir}/README.SUSE \
+		 %{buildroot}/%{strongswan_docdir}/
+install -d -m 0755 %{buildroot}%{_tmpfilesdir}
+echo 'd %{_rundir}/%{name} 0770 root root' > %{buildroot}%{_tmpfilesdir}/%{name}.conf
+%if %{with fipscheck}
+install -c -m644 %{_sourcedir}/fips-enforce.conf \
+                 %{buildroot}/%{strongswan_configs}/charon/zzz_fips-enforce.conf
+# disable bypass-lan plugin by default
+sed -i 's/\(load[ ]*=[ ]*\)yes/\1no/g' %{buildroot}/%{strongswan_configs}/charon/bypass-lan.conf
+%endif
+
+%post libs0
+/sbin/ldconfig
+%{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/%{name}.conf}
+%{!?tmpfiles_create:test -d %{_rundir}/%{name} || mkdir -p %{_rundir}/%{name}}
+
+%postun libs0 -p /sbin/ldconfig
+
+%pre ipsec
+%service_add_pre %{name}-starter.service
+
+%post ipsec
+# Following code does the migration from strongwan.service (ver < 5.8.0) to
+# strongswan-starter.service (ver >= 5.8.0) during update. The systemd service
+# units have been renamed. The modern unit, which was called strongswan-swanctl,
+# is now called strongswan (the previous name is configured as alias in the unit,
+# for which a symlink is created when the unit is enabled). The legacy unit is now
+# called strongswan-starter.
+_ipsec_active=`/usr/bin/systemctl is-active %{name}-starter.service 2>/dev/null` || :
+_swanctl_active=`/usr/bin/systemctl is-active %{name}.service 2>/dev/null` || :
+_ipsec_enable=`/usr/bin/systemctl is-enabled %{name}-starter.service 2>/dev/null` || :
+_swanctl_enable=`/usr/bin/systemctl is-enabled %{name}.service 2>/dev/null` || :
+if [[ "$_swanctl_enable" == "enabled" || "$_swanctl_active" == "active" ]]; then
+        /usr/bin/systemctl disable --now %{name}.service || :
+        /usr/bin/systemctl mask %{name}.service || :
+fi
+if [[ "$_swanctl_enable" == "enabled" || "$_ipsec_enable" == "enabled" ]]; then
+        /usr/bin/systemctl daemon-reload
+        /usr/bin/systemctl enable %{name}-starter.service || :
+fi
+if [[ "$_swanctl_active" == "active" || "$_ipsec_active" == "active" ]]; then
+        /usr/bin/systemctl start %{name}-starter.service || :
+fi
+
+%preun ipsec
+%service_del_preun %{name}-starter.service
+if test -s %{_sysconfdir}/ipsec.secrets.rpmsave ; then
+	cp -p --backup=numbered %{_sysconfdir}/ipsec.secrets.rpmsave \
+	                        %{_sysconfdir}/ipsec.secrets.rpmsave.old
+fi
+if test -s %{_sysconfdir}/ipsec.conf.rpmsave ; then
+	cp -p --backup=numbered %{_sysconfdir}/ipsec.conf.rpmsave \
+	                        %{_sysconfdir}/ipsec.conf.rpmsave.old
+fi
+
+%postun ipsec
+%service_del_postun %{name}-starter.service
+
+%files
+%dir %{strongswan_docdir}
+%{strongswan_docdir}/README.SUSE
+
+%if %{with fipscheck}
+
+%files hmac
+%dir %{strongswan_configs}
+%dir %{strongswan_configs}/charon
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/zzz_fips-enforce.conf
+%endif
+
+%files ipsec
+%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.conf
+%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.secrets
+%config(noreplace) %attr(600,root,root) %{_sysconfdir}/swanctl/swanctl.conf
+%dir %{_sysconfdir}/swanctl
+%dir %{_sysconfdir}/ipsec.d
+%dir %{_sysconfdir}/ipsec.d/crls
+%dir %{_sysconfdir}/ipsec.d/reqs
+%dir %{_sysconfdir}/ipsec.d/certs
+%dir %{_sysconfdir}/ipsec.d/acerts
+%dir %{_sysconfdir}/ipsec.d/aacerts
+%dir %{_sysconfdir}/ipsec.d/cacerts
+%dir %{_sysconfdir}/ipsec.d/ocspcerts
+%dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private
+%{_unitdir}/strongswan-starter.service
+%{_unitdir}/strongswan.service
+%{_sbindir}/rcstrongswan
+%{_sbindir}/rcstrongswan-starter
+%{_sbindir}/charon-systemd
+%{_sbindir}/rcipsec
+%{_bindir}/pki
+%{_bindir}/pt-tls-client
+%{_bindir}/tpm_extendpcr
+%{_sbindir}/ipsec
+%{_sbindir}/swanctl
+%{_mandir}/man1/pki*.1*
+%{_mandir}/man1/pt-tls-client.1*
+%{_mandir}/man8/ipsec.8*
+%{_mandir}/man5/ipsec.conf.5*
+%{_mandir}/man5/ipsec.secrets.5*
+%{_mandir}/man5/strongswan.conf.5*
+%dir %{_libexecdir}/ipsec
+%{_libexecdir}/ipsec/_updown
+%if %{with test}
+%{_libexecdir}/ipsec/conftest
+%endif
+%{_libexecdir}/ipsec/xfrmi
+%{_libexecdir}/ipsec/duplicheck
+%{_libexecdir}/ipsec/pool
+%{_libexecdir}/ipsec/starter
+%{_libexecdir}/ipsec/stroke
+%{_libexecdir}/ipsec/charon
+%{_libexecdir}/ipsec/_imv_policy
+%{_libexecdir}/ipsec/imv_policy_manager
+%dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-drbg.so
+%{strongswan_plugins}/libstrongswan-stroke.so
+%{strongswan_plugins}/libstrongswan-updown.so
+
+%files doc
+%dir %{strongswan_docdir}
+%{strongswan_docdir}/TODO
+%{strongswan_docdir}/NEWS
+%{strongswan_docdir}/README
+%{strongswan_docdir}/COPYING
+%{strongswan_docdir}/LICENSE
+%{strongswan_docdir}/AUTHORS
+%{strongswan_docdir}/ChangeLog
+%{_mandir}/man5/swanctl.conf.5.*
+%{_mandir}/man8/swanctl.8.*
+
+%files libs0
+%{_tmpfilesdir}/%{name}.conf
+%config(noreplace) %attr(600,root,root) %{_sysconfdir}/strongswan.conf
+%dir %{strongswan_configs}
+%dir %{strongswan_configs}/charon
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-systemd.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-logging.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/imcv.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/pki.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/pool.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/starter.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/tnc.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/swanctl.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/counters.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curve25519.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/drbg.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf
+%if %{with afalg}
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/af-alg.conf
+%endif
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/agent.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/attr.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/attr-sql.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/blowfish.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ccm.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/certexpire.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/cmac.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/constraints.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/coupling.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ctr.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curl.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/des.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/dhcp.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/dnskey.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/duplicheck.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-aka-3gpp2.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-aka.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-dynamic.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-gtc.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-identity.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-md5.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-mschapv2.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-peap.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-radius.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-simaka-pseudonym.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-simaka-reauth.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-simaka-sql.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-sim.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-sim-file.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-sim-pcsc.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-tls.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-tnc.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-ttls.conf
+%if %{with farp}
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/farp.conf
+%endif
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/fips-prf.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gcm.conf
+%if %{with gcrypt}
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gcrypt.conf
+%endif
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gmp.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ha.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/hmac.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/kdf.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/kernel-netlink.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ldap.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/led.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md4.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md5.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/mgf1.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/nonce.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/openssl.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pem.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pgp.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs11.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs12.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs1.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs7.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs8.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pubkey.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/radattr.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/random.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/rc2.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/resolve.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/revocation.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sha1.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sha2.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/smp.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/socket-default.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/soup.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sql.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sshkey.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/stroke.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-11.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-20.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-dynamic.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnc-imc.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnc-imv.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnc-pdp.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnc-tnccs.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/unity.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/updown.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/x509.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xauth-eap.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xauth-generic.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xauth-pam.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xcbc.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/bypass-lan.conf
+%dir %{strongswan_libdir}
+%if %{with integrity}
+%{strongswan_libdir}/libchecksum.so
+%endif
+%{strongswan_libdir}/libcharon.so.*
+%{strongswan_libdir}/libtpmtss.so.*
+%{strongswan_libdir}/libtpmtss.so
+%{strongswan_libdir}/libvici.so
+%{strongswan_libdir}/libvici.so.*
+%{strongswan_libdir}/libpttls.so.*
+%{strongswan_libdir}/libradius.so.*
+%{strongswan_libdir}/libsimaka.so.*
+%{strongswan_libdir}/libstrongswan.so.*
+%{strongswan_libdir}/libtls.so.*
+%{strongswan_libdir}/libtnccs.so.*
+%{strongswan_libdir}/libimcv.so.*
+%dir %{strongswan_libdir}/imcvs
+%{strongswan_libdir}/imcvs/imc-scanner.so
+%{strongswan_libdir}/imcvs/imc-test.so
+%{strongswan_libdir}/imcvs/imv-scanner.so
+%{strongswan_libdir}/imcvs/imv-test.so
+%dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-addrblock.so
+%{strongswan_plugins}/libstrongswan-aes.so
+%if %{with afalg}
+%{strongswan_plugins}/libstrongswan-af-alg.so
+%endif
+%{strongswan_plugins}/libstrongswan-agent.so
+%{strongswan_plugins}/libstrongswan-attr.so
+%{strongswan_plugins}/libstrongswan-attr-sql.so
+%{strongswan_plugins}/libstrongswan-blowfish.so
+%{strongswan_plugins}/libstrongswan-ccm.so
+%{strongswan_plugins}/libstrongswan-certexpire.so
+%{strongswan_plugins}/libstrongswan-cmac.so
+%{strongswan_plugins}/libstrongswan-counters.so
+%{strongswan_plugins}/libstrongswan-constraints.so
+%{strongswan_plugins}/libstrongswan-coupling.so
+%{strongswan_plugins}/libstrongswan-ctr.so
+%{strongswan_plugins}/libstrongswan-curl.so
+%{strongswan_plugins}/libstrongswan-des.so
+%{strongswan_plugins}/libstrongswan-dhcp.so
+%{strongswan_plugins}/libstrongswan-dnskey.so
+%{strongswan_plugins}/libstrongswan-duplicheck.so
+%{strongswan_plugins}/libstrongswan-eap-aka-3gpp2.so
+%{strongswan_plugins}/libstrongswan-eap-aka.so
+%{strongswan_plugins}/libstrongswan-eap-dynamic.so
+%{strongswan_plugins}/libstrongswan-eap-gtc.so
+%{strongswan_plugins}/libstrongswan-eap-identity.so
+%{strongswan_plugins}/libstrongswan-eap-md5.so
+%{strongswan_plugins}/libstrongswan-eap-mschapv2.so
+%{strongswan_plugins}/libstrongswan-eap-peap.so
+%{strongswan_plugins}/libstrongswan-eap-radius.so
+%{strongswan_plugins}/libstrongswan-eap-sim-file.so
+%{strongswan_plugins}/libstrongswan-eap-sim-pcsc.so
+%{strongswan_plugins}/libstrongswan-eap-sim.so
+%{strongswan_plugins}/libstrongswan-eap-simaka-pseudonym.so
+%{strongswan_plugins}/libstrongswan-eap-simaka-reauth.so
+%{strongswan_plugins}/libstrongswan-eap-simaka-sql.so
+%{strongswan_plugins}/libstrongswan-eap-tls.so
+%{strongswan_plugins}/libstrongswan-eap-tnc.so
+%{strongswan_plugins}/libstrongswan-eap-ttls.so
+%if %{with farp}
+%{strongswan_plugins}/libstrongswan-farp.so
+%endif
+%{strongswan_plugins}/libstrongswan-fips-prf.so
+%{strongswan_plugins}/libstrongswan-gcm.so
+%if %{with gcrypt}
+%{strongswan_plugins}/libstrongswan-gcrypt.so
+%endif
+%{strongswan_plugins}/libstrongswan-gmp.so
+%{strongswan_plugins}/libstrongswan-ha.so
+%{strongswan_plugins}/libstrongswan-hmac.so
+%{strongswan_plugins}/libstrongswan-kdf.so
+%{strongswan_plugins}/libstrongswan-kernel-netlink.so
+%{strongswan_plugins}/libstrongswan-ldap.so
+%{strongswan_plugins}/libstrongswan-led.so
+%{strongswan_plugins}/libstrongswan-md4.so
+%{strongswan_plugins}/libstrongswan-md5.so
+%{strongswan_plugins}/libstrongswan-mgf1.so
+%{strongswan_plugins}/libstrongswan-nonce.so
+%{strongswan_plugins}/libstrongswan-openssl.so
+%{strongswan_plugins}/libstrongswan-pem.so
+%{strongswan_plugins}/libstrongswan-pgp.so
+%{strongswan_plugins}/libstrongswan-pkcs1.so
+%{strongswan_plugins}/libstrongswan-pkcs11.so
+%{strongswan_plugins}/libstrongswan-pkcs12.so
+%{strongswan_plugins}/libstrongswan-pkcs7.so
+%{strongswan_plugins}/libstrongswan-pkcs8.so
+%{strongswan_plugins}/libstrongswan-pubkey.so
+%{strongswan_plugins}/libstrongswan-radattr.so
+%{strongswan_plugins}/libstrongswan-random.so
+%{strongswan_plugins}/libstrongswan-rc2.so
+%{strongswan_plugins}/libstrongswan-resolve.so
+%{strongswan_plugins}/libstrongswan-revocation.so
+%{strongswan_plugins}/libstrongswan-sha1.so
+%{strongswan_plugins}/libstrongswan-sha2.so
+%{strongswan_plugins}/libstrongswan-smp.so
+%{strongswan_plugins}/libstrongswan-socket-default.so
+%{strongswan_plugins}/libstrongswan-soup.so
+%{strongswan_plugins}/libstrongswan-sql.so
+%{strongswan_plugins}/libstrongswan-sshkey.so
+%{strongswan_plugins}/libstrongswan-tnc-imc.so
+%{strongswan_plugins}/libstrongswan-tnc-imv.so
+%{strongswan_plugins}/libstrongswan-tnc-pdp.so
+%{strongswan_plugins}/libstrongswan-tnc-tnccs.so
+%{strongswan_plugins}/libstrongswan-tnccs-11.so
+%{strongswan_plugins}/libstrongswan-tnccs-20.so
+%{strongswan_plugins}/libstrongswan-tnccs-dynamic.so
+%{strongswan_plugins}/libstrongswan-unity.so
+%{strongswan_plugins}/libstrongswan-x509.so
+%{strongswan_plugins}/libstrongswan-xauth-eap.so
+%{strongswan_plugins}/libstrongswan-xauth-generic.so
+%{strongswan_plugins}/libstrongswan-xauth-pam.so
+%{strongswan_plugins}/libstrongswan-xcbc.so
+%{strongswan_plugins}/libstrongswan-curve25519.so
+%{strongswan_plugins}/libstrongswan-vici.so
+%{strongswan_plugins}/libstrongswan-bypass-lan.so
+%dir %{strongswan_datadir}
+%dir %{strongswan_templates}
+%dir %{strongswan_templates}/config
+%dir %{strongswan_templates}/config/plugins
+%dir %{strongswan_templates}/config/strongswan.d
+%dir %{strongswan_templates}/database
+%dir %{strongswan_templates}/database/imv
+%dir %{strongswan_templates}/database/sql
+%{strongswan_templates}/config/strongswan.conf
+%{strongswan_templates}/config/plugins/addrblock.conf
+%{strongswan_templates}/config/plugins/aes.conf
+%if %{with afalg}
+%{strongswan_templates}/config/plugins/af-alg.conf
+%endif
+%{strongswan_templates}/config/plugins/agent.conf
+%{strongswan_templates}/config/plugins/attr-sql.conf
+%{strongswan_templates}/config/plugins/attr.conf
+%{strongswan_templates}/config/plugins/blowfish.conf
+%{strongswan_templates}/config/plugins/ccm.conf
+%{strongswan_templates}/config/plugins/certexpire.conf
+%{strongswan_templates}/config/plugins/cmac.conf
+%{strongswan_templates}/config/plugins/counters.conf
+%{strongswan_templates}/config/plugins/constraints.conf
+%{strongswan_templates}/config/plugins/coupling.conf
+%{strongswan_templates}/config/plugins/ctr.conf
+%{strongswan_templates}/config/plugins/curl.conf
+%{strongswan_templates}/config/plugins/des.conf
+%{strongswan_templates}/config/plugins/dhcp.conf
+%{strongswan_templates}/config/plugins/dnskey.conf
+%{strongswan_templates}/config/plugins/drbg.conf
+%{strongswan_templates}/config/plugins/duplicheck.conf
+%{strongswan_templates}/config/plugins/eap-aka-3gpp2.conf
+%{strongswan_templates}/config/plugins/eap-aka.conf
+%{strongswan_templates}/config/plugins/eap-dynamic.conf
+%{strongswan_templates}/config/plugins/eap-gtc.conf
+%{strongswan_templates}/config/plugins/eap-identity.conf
+%{strongswan_templates}/config/plugins/eap-md5.conf
+%{strongswan_templates}/config/plugins/eap-mschapv2.conf
+%{strongswan_templates}/config/plugins/eap-peap.conf
+%{strongswan_templates}/config/plugins/eap-radius.conf
+%{strongswan_templates}/config/plugins/eap-sim-file.conf
+%{strongswan_templates}/config/plugins/eap-sim-pcsc.conf
+%{strongswan_templates}/config/plugins/eap-sim.conf
+%{strongswan_templates}/config/plugins/eap-simaka-pseudonym.conf
+%{strongswan_templates}/config/plugins/eap-simaka-reauth.conf
+%{strongswan_templates}/config/plugins/eap-simaka-sql.conf
+%{strongswan_templates}/config/plugins/eap-tls.conf
+%{strongswan_templates}/config/plugins/eap-tnc.conf
+%{strongswan_templates}/config/plugins/eap-ttls.conf
+%if %{with farp}
+%{strongswan_templates}/config/plugins/farp.conf
+%endif
+%{strongswan_templates}/config/plugins/fips-prf.conf
+%{strongswan_templates}/config/plugins/gcm.conf
+%if %{with gcrypt}
+%{strongswan_templates}/config/plugins/gcrypt.conf
+%endif
+%{strongswan_templates}/config/plugins/gmp.conf
+%{strongswan_templates}/config/plugins/ha.conf
+%{strongswan_templates}/config/plugins/hmac.conf
+%{strongswan_templates}/config/plugins/kdf.conf
+%{strongswan_templates}/config/plugins/kernel-netlink.conf
+%{strongswan_templates}/config/plugins/ldap.conf
+%{strongswan_templates}/config/plugins/led.conf
+%{strongswan_templates}/config/plugins/md4.conf
+%{strongswan_templates}/config/plugins/md5.conf
+%{strongswan_templates}/config/plugins/mgf1.conf
+%{strongswan_templates}/config/plugins/nonce.conf
+%{strongswan_templates}/config/plugins/openssl.conf
+%{strongswan_templates}/config/plugins/pem.conf
+%{strongswan_templates}/config/plugins/pgp.conf
+%{strongswan_templates}/config/plugins/pkcs1.conf
+%{strongswan_templates}/config/plugins/pkcs11.conf
+%{strongswan_templates}/config/plugins/pkcs12.conf
+%{strongswan_templates}/config/plugins/pkcs7.conf
+%{strongswan_templates}/config/plugins/pkcs8.conf
+%{strongswan_templates}/config/plugins/pubkey.conf
+%{strongswan_templates}/config/plugins/radattr.conf
+%{strongswan_templates}/config/plugins/random.conf
+%{strongswan_templates}/config/plugins/rc2.conf
+%{strongswan_templates}/config/plugins/resolve.conf
+%{strongswan_templates}/config/plugins/revocation.conf
+%{strongswan_templates}/config/plugins/sha1.conf
+%{strongswan_templates}/config/plugins/sha2.conf
+%{strongswan_templates}/config/plugins/smp.conf
+%{strongswan_templates}/config/plugins/socket-default.conf
+%{strongswan_templates}/config/plugins/soup.conf
+%{strongswan_templates}/config/plugins/sql.conf
+%{strongswan_templates}/config/plugins/sshkey.conf
+%{strongswan_templates}/config/plugins/stroke.conf
+%{strongswan_templates}/config/plugins/tnc-imc.conf
+%{strongswan_templates}/config/plugins/tnc-imv.conf
+%{strongswan_templates}/config/plugins/tnc-pdp.conf
+%{strongswan_templates}/config/plugins/tnc-tnccs.conf
+%{strongswan_templates}/config/plugins/tnccs-11.conf
+%{strongswan_templates}/config/plugins/tnccs-20.conf
+%{strongswan_templates}/config/plugins/tnccs-dynamic.conf
+%{strongswan_templates}/config/plugins/unity.conf
+%{strongswan_templates}/config/plugins/updown.conf
+%{strongswan_templates}/config/plugins/x509.conf
+%{strongswan_templates}/config/plugins/xauth-eap.conf
+%{strongswan_templates}/config/plugins/xauth-generic.conf
+%{strongswan_templates}/config/plugins/xauth-pam.conf
+%{strongswan_templates}/config/plugins/xcbc.conf
+%{strongswan_templates}/config/plugins/curve25519.conf
+%{strongswan_templates}/config/plugins/vici.conf
+%{strongswan_templates}/config/plugins/bypass-lan.conf
+%{strongswan_templates}/config/strongswan.d/charon-systemd.conf
+%{strongswan_templates}/config/strongswan.d/charon-logging.conf
+%{strongswan_templates}/config/strongswan.d/charon.conf
+%{strongswan_templates}/config/strongswan.d/imcv.conf
+%{strongswan_templates}/config/strongswan.d/pki.conf
+%{strongswan_templates}/config/strongswan.d/pool.conf
+%{strongswan_templates}/config/strongswan.d/starter.conf
+%{strongswan_templates}/config/strongswan.d/tnc.conf
+%{strongswan_templates}/config/strongswan.d/swanctl.conf
+%{strongswan_templates}/database/imv/data.sql
+%{strongswan_templates}/database/imv/tables.sql
+
+%if %{with nm}
+
+%files nm
+%dir %{_libexecdir}/ipsec
+%dir %{strongswan_plugins}
+%{_libexecdir}/ipsec/charon-nm
+%{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
+%endif
+
+%if %{with mysql}
+
+%files mysql
+%dir %{strongswan_libdir}
+%dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-mysql.so
+%dir %{strongswan_configs}
+%dir %{strongswan_configs}/charon
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/mysql.conf
+%dir %{strongswan_datadir}
+%dir %{strongswan_templates}
+%dir %{strongswan_templates}/config
+%dir %{strongswan_templates}/config/plugins
+%dir %{strongswan_templates}/database
+%dir %{strongswan_templates}/database/sql
+%{strongswan_templates}/config/plugins/mysql.conf
+%{strongswan_templates}/database/imv/tables-mysql.sql
+%{strongswan_templates}/database/sql/mysql.sql
+%endif
+
+%if %{with sqlite}
+
+%files sqlite
+%dir %{strongswan_libdir}
+%dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-sqlite.so
+%dir %{strongswan_configs}
+%dir %{strongswan_configs}/charon
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sqlite.conf
+%dir %{strongswan_datadir}
+%dir %{strongswan_templates}
+%dir %{strongswan_templates}/config
+%dir %{strongswan_templates}/config/plugins
+%dir %{strongswan_templates}/database
+%dir %{strongswan_templates}/database/sql
+%{strongswan_templates}/config/plugins/sqlite.conf
+%{strongswan_templates}/database/sql/sqlite.sql
+%endif
+
+%if %{with tests}
+
+%files tests
+%dir %{strongswan_configs}
+%dir %{strongswan_configs}/charon
+%{strongswan_configs}/charon/load-tester.conf
+%{strongswan_configs}/charon/test-vectors.conf
+%dir %{strongswan_templates}
+%dir %{strongswan_templates}/config
+%dir %{strongswan_templates}/config/plugins
+%{strongswan_templates}/config/plugins/load-tester.conf
+%{strongswan_templates}/config/plugins/test-vectors.conf
+%dir %{_libexecdir}/ipsec
+%{_libexecdir}/ipsec/conftest
+%{_libexecdir}/ipsec/load-tester
+%dir %{strongswan_libdir}
+%dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-load-tester.so
+%{strongswan_plugins}/libstrongswan-test-vectors.so
+%endif
+
+%changelog
--- a/strongswan_ipsec_service.patch
+++ b/strongswan_ipsec_service.patch
@ -0,0 +1,9 @@
+Index: strongswan-5.6.2/init/systemd/strongswan.service.in
+===================================================================
+--- strongswan-5.6.2.orig/init/systemd-starter/strongswan-starter.service.in	2017-02-07 08:04:04.000000000 +0100
+++ strongswan-5.6.2/init/systemd-starter/strongswan-starter.service.in	2018-04-17 16:53:57.546334751 +0200
+@@ -9,3 +9,4 @@ Restart=on-abnormal
+ 
+ [Install]
+ WantedBy=multi-user.target
+Alias=ipsec.service