2007-12-13 04:49:24 +01:00
|
|
|
#
|
2008-04-25 16:46:58 +02:00
|
|
|
# spec file for package strongswan (Version 4.2.1)
|
2007-12-13 04:49:24 +01:00
|
|
|
#
|
2008-02-19 14:17:02 +01:00
|
|
|
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
2007-12-13 04:49:24 +01:00
|
|
|
# This file and all modifications and additions to the pristine
|
|
|
|
# package are under the same license as the package itself.
|
|
|
|
#
|
|
|
|
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
|
|
|
#
|
|
|
|
|
|
|
|
# norootforbuild
|
|
|
|
|
2008-02-19 14:17:02 +01:00
|
|
|
|
2007-12-13 04:49:24 +01:00
|
|
|
Name: strongswan
|
2008-04-25 16:46:58 +02:00
|
|
|
%define upstream_version 4.2.1
|
2007-12-13 04:49:24 +01:00
|
|
|
%define strongswan_docdir %{_docdir}/%{name}
|
2008-04-25 16:46:58 +02:00
|
|
|
Version: 4.2.1
|
2008-07-11 22:15:59 +02:00
|
|
|
Release: 16
|
2007-12-13 04:49:24 +01:00
|
|
|
License: GPL v2 or later
|
|
|
|
Group: Productivity/Networking/Security
|
|
|
|
Summary: StrongSwan -- OpenSource IPsec-based VPN Solution
|
|
|
|
Url: http://www.strongswan.org/
|
|
|
|
PreReq: gmp grep %insserv_prereq %fillup_prereq
|
|
|
|
Requires: iproute2
|
|
|
|
Provides: pluto klips ipsec VPN freeswan
|
|
|
|
Obsoletes: freeswan
|
|
|
|
Conflicts: openswan
|
|
|
|
AutoReqProv: on
|
|
|
|
Source0: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2
|
|
|
|
Source1: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
|
|
|
|
Source2: %{name}.init.in
|
2008-04-25 16:46:58 +02:00
|
|
|
Source3: %{name}-%{version}-rpmlintrc
|
2008-02-19 14:17:02 +01:00
|
|
|
Patch1: %{name}_modprobe_syslog.dif
|
2008-04-25 16:46:58 +02:00
|
|
|
Patch2: %{name}-%{upstream_version}.dif
|
2008-05-22 04:41:53 +02:00
|
|
|
Patch3: %{name}_crash_badcfg_reload.dif
|
2008-07-11 22:15:59 +02:00
|
|
|
Patch4: %{name}_old-caps-version.diff
|
2007-12-13 04:49:24 +01:00
|
|
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
|
|
|
BuildRequires: bison flex gmp-devel gperf pkg-config
|
|
|
|
%if 0%{?suse_version} >= 1030
|
|
|
|
BuildRequires: libpcap-devel
|
|
|
|
%else
|
|
|
|
BuildRequires: libpcap
|
|
|
|
%endif
|
|
|
|
# --enable-http
|
|
|
|
BuildRequires: curl-devel
|
|
|
|
# --enable-ldap
|
|
|
|
BuildRequires: openldap2-devel
|
|
|
|
|
|
|
|
%description
|
|
|
|
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
|
|
|
|
|
|
|
|
* runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec)
|
|
|
|
kernels
|
|
|
|
|
2008-02-19 14:17:02 +01:00
|
|
|
* implements both the IKEv1 and IKEv2 (RFC 4306) key exchange
|
2007-12-13 04:49:24 +01:00
|
|
|
protocols
|
|
|
|
|
2008-02-19 14:17:02 +01:00
|
|
|
* NEW: Fully tested support of IPv6 IPsec tunnel connections
|
|
|
|
|
2007-12-13 04:49:24 +01:00
|
|
|
* Dynamical IP address and interface update with IKEv2 MOBIKE (RFC
|
|
|
|
4555)
|
|
|
|
|
|
|
|
* Fast connection startup and periodic update using ipsec starter
|
|
|
|
|
|
|
|
* Automatic insertion and deletion of IPsec policy based firewall
|
|
|
|
rules
|
|
|
|
|
|
|
|
* Strong 3DES, AES, Serpent, Twofish, or Blowfish encryption
|
|
|
|
|
|
|
|
* NAT-Traversal via UDP encapsulation and port floating (RFC 3947)
|
|
|
|
|
|
|
|
* Static Virtual IPs and IKE Mode Config Pull and Push modes
|
|
|
|
|
|
|
|
* XAUTH server and client functionality on top of IKE Main Mode
|
|
|
|
authentication
|
|
|
|
|
|
|
|
* Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
|
|
|
|
|
|
|
|
* Authentication based on X.509 certificates or preshared keys
|
|
|
|
|
|
|
|
* Generation of a default self-signed certificate during first
|
|
|
|
strongSwan startup
|
|
|
|
|
|
|
|
* Retrieval and local caching of Certificate Revocation Lists via
|
|
|
|
HTTP or LDAP
|
|
|
|
|
|
|
|
* Full support of the Online Certificate Status Protocol (OCSP, RCF
|
|
|
|
2560).
|
|
|
|
|
|
|
|
* CA management (OCSP and CRL URIs, default LDAP server)
|
|
|
|
|
|
|
|
* Powerful IPsec policies based on wildcards or intermediate CAs
|
|
|
|
|
|
|
|
* Group policies based on X.509 attribute certificates ( RFC 3281)
|
|
|
|
|
|
|
|
* Optional storage of RSA private keys and certificates on a
|
|
|
|
smartcard
|
|
|
|
|
|
|
|
* Smartcard access via standardized PKCS #11 interface
|
|
|
|
|
|
|
|
* PKCS #11 proxy function offering RSA decryption services via whack
|
|
|
|
|
|
|
|
* NEW: strongSwan Manager - a graphical management interface for IKEv2
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Authors:
|
|
|
|
--------
|
|
|
|
Andreas Steffen
|
|
|
|
and others
|
|
|
|
|
|
|
|
%package doc
|
2008-04-25 16:46:58 +02:00
|
|
|
License: GPL v2 or later
|
2007-12-13 04:49:24 +01:00
|
|
|
Summary: StrongSwan -- OpenSource IPsec-based VPN Solution
|
|
|
|
Group: Productivity/Networking/Security
|
|
|
|
|
|
|
|
%description doc
|
|
|
|
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
|
|
|
|
|
|
|
|
This package provides the StrongSwan documentation.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Authors:
|
|
|
|
--------
|
|
|
|
Andreas Steffen
|
|
|
|
and others
|
|
|
|
|
|
|
|
%prep
|
|
|
|
%setup -q -n %{name}-%{upstream_version}
|
|
|
|
%patch1 -p0
|
2008-04-25 16:46:58 +02:00
|
|
|
%patch2 -p0
|
2008-05-22 04:41:53 +02:00
|
|
|
%patch3 -p0
|
2008-07-11 22:15:59 +02:00
|
|
|
%patch4 -p2
|
2007-12-13 04:49:24 +01:00
|
|
|
sed -e 's|@libexecdir@|%_libexecdir|g' \
|
|
|
|
< $RPM_SOURCE_DIR/strongswan.init.in \
|
|
|
|
> strongswan.init
|
|
|
|
|
|
|
|
%build
|
|
|
|
export RPM_OPT_FLAGS="$RPM_OPT_FLAGS -W -Wall"
|
|
|
|
export CFLAGS="$RPM_OPT_FLAGS"
|
2008-04-25 16:46:58 +02:00
|
|
|
libtoolize --force
|
2007-12-13 04:49:24 +01:00
|
|
|
%{?suse_update_config:%{suse_update_config -f}}
|
|
|
|
autoreconf
|
|
|
|
%configure \
|
|
|
|
--enable-smartcard --with-default-pkcs11=%{_libdir}/opensc-pkcs11.so \
|
|
|
|
--enable-cisco-quirks \
|
|
|
|
--enable-http \
|
|
|
|
--enable-ldap
|
|
|
|
make %_smp_mflags
|
|
|
|
|
|
|
|
%install
|
|
|
|
export RPM_BUILD_ROOT
|
|
|
|
install -m755 -d ${RPM_BUILD_ROOT}%{_sbindir}/
|
|
|
|
install -m755 -d ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/
|
|
|
|
install -m755 strongswan.init ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/ipsec
|
|
|
|
ln -s %{_sysconfdir}/init.d/ipsec ${RPM_BUILD_ROOT}%{_sbindir}/rcipsec
|
|
|
|
#
|
|
|
|
make install DESTDIR="$RPM_BUILD_ROOT"
|
|
|
|
#
|
|
|
|
rm -f ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets
|
|
|
|
cat << EOT > ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets
|
|
|
|
#
|
|
|
|
# ipsec.secrets
|
|
|
|
#
|
|
|
|
# This file holds the RSA private keys or the PSK preshared secrets for
|
|
|
|
# the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
|
|
|
|
#
|
|
|
|
EOT
|
|
|
|
#
|
|
|
|
rm -f $RPM_BUILD_ROOT%{_libdir}/libstrongswan.{so,a,la}
|
|
|
|
find $RPM_BUILD_ROOT%{_libdir}/ipsec \
|
|
|
|
-name "*.a" -o -name "*.la" | xargs -r rm -f
|
|
|
|
#
|
|
|
|
install -m755 -d ${RPM_BUILD_ROOT}%{strongswan_docdir}/
|
|
|
|
install -m644 TODO NEWS README COPYING CREDITS \
|
|
|
|
${RPM_BUILD_ROOT}%{strongswan_docdir}/
|
|
|
|
|
|
|
|
%clean
|
|
|
|
if [ -n "$RPM_BUILD_ROOT" ] && [ "$RPM_BUILD_ROOT" != "/" ] ; then
|
|
|
|
rm -rf "$RPM_BUILD_ROOT"
|
|
|
|
fi
|
|
|
|
|
|
|
|
%post
|
|
|
|
%{run_ldconfig}
|
|
|
|
%{fillup_and_insserv ipsec}
|
|
|
|
|
|
|
|
%preun
|
|
|
|
%{stop_on_removal ipsec}
|
|
|
|
if test -s %{_sysconfdir}/ipsec.secrets.rpmsave; then
|
|
|
|
cp -p --backup=numbered %{_sysconfdir}/ipsec.secrets.rpmsave %{_sysconfdir}/ipsec.secrets.rpmsave.old
|
|
|
|
fi
|
|
|
|
if test -s %{_sysconfdir}/ipsec.conf.rpmsave; then
|
|
|
|
cp -p --backup=numbered %{_sysconfdir}/ipsec.conf.rpmsave %{_sysconfdir}/ipsec.conf.rpmsave.old
|
|
|
|
fi
|
|
|
|
|
|
|
|
%postun
|
|
|
|
%{run_ldconfig}
|
|
|
|
%{restart_on_update ipsec}
|
|
|
|
%{insserv_cleanup}
|
|
|
|
|
|
|
|
%files
|
|
|
|
%defattr(-,root,root)
|
|
|
|
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.secrets
|
2008-04-25 16:46:58 +02:00
|
|
|
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/strongswan.conf
|
2007-12-13 04:49:24 +01:00
|
|
|
%dir %{_sysconfdir}/ipsec.d
|
|
|
|
%dir %{_sysconfdir}/ipsec.d/crls
|
|
|
|
%dir %{_sysconfdir}/ipsec.d/reqs
|
|
|
|
%dir %{_sysconfdir}/ipsec.d/certs
|
|
|
|
%dir %{_sysconfdir}/ipsec.d/acerts
|
|
|
|
%dir %{_sysconfdir}/ipsec.d/aacerts
|
|
|
|
%dir %{_sysconfdir}/ipsec.d/cacerts
|
|
|
|
%dir %{_sysconfdir}/ipsec.d/ocspcerts
|
|
|
|
%dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private
|
|
|
|
%config %{_sysconfdir}/init.d/ipsec
|
|
|
|
%{_sbindir}/rcipsec
|
|
|
|
%{_sbindir}/ipsec
|
|
|
|
%{_libdir}/ipsec
|
|
|
|
%{_libdir}/libstrongswan.*
|
|
|
|
%if "%{_libdir}" != "%{_libexecdir}"
|
|
|
|
%{_libexecdir}/ipsec
|
|
|
|
%endif
|
|
|
|
%{_mandir}/man5/ipsec.conf.5*
|
|
|
|
%{_mandir}/man5/ipsec.secrets.5*
|
|
|
|
%{_mandir}/man8/ipsec.8*
|
|
|
|
|
|
|
|
%files doc
|
|
|
|
%defattr(-,root,root)
|
|
|
|
%dir %{strongswan_docdir}
|
|
|
|
%{strongswan_docdir}/TODO
|
|
|
|
%{strongswan_docdir}/NEWS
|
|
|
|
%{strongswan_docdir}/README
|
|
|
|
%{strongswan_docdir}/COPYING
|
|
|
|
%{strongswan_docdir}/CREDITS
|
|
|
|
%{_mandir}/man3/anyaddr.3*
|
|
|
|
%{_mandir}/man3/atoaddr.3*
|
|
|
|
%{_mandir}/man3/atoasr.3*
|
|
|
|
%{_mandir}/man3/atosa.3*
|
|
|
|
%{_mandir}/man3/atoul.3*
|
|
|
|
%{_mandir}/man3/goodmask.3*
|
|
|
|
%{_mandir}/man3/initaddr.3*
|
|
|
|
%{_mandir}/man3/initsubnet.3*
|
|
|
|
%{_mandir}/man3/keyblobtoid.3*
|
|
|
|
%{_mandir}/man3/optionsfrom.3*
|
|
|
|
%{_mandir}/man3/portof.3*
|
|
|
|
%{_mandir}/man3/prng.3*
|
|
|
|
%{_mandir}/man3/rangetosubnet.3*
|
|
|
|
%{_mandir}/man3/sameaddr.3*
|
|
|
|
%{_mandir}/man3/subnetof.3*
|
|
|
|
%{_mandir}/man3/ttoaddr.3*
|
|
|
|
%{_mandir}/man3/ttodata.3*
|
|
|
|
%{_mandir}/man3/ttosa.3*
|
|
|
|
%{_mandir}/man3/ttoul.3*
|
|
|
|
%{_mandir}/man3/version.3*
|
|
|
|
%{_mandir}/man8/_copyright.8*
|
|
|
|
%{_mandir}/man8/_updown.8*
|
|
|
|
%{_mandir}/man8/_updown_espmark.8*
|
|
|
|
%{_mandir}/man8/openac.8*
|
|
|
|
%{_mandir}/man8/pluto.8*
|
|
|
|
%{_mandir}/man8/scepclient.8*
|
|
|
|
%{_mandir}/man8/starter.8*
|
2008-02-19 14:17:02 +01:00
|
|
|
|
2007-12-13 04:49:24 +01:00
|
|
|
%changelog
|
2008-07-11 22:15:59 +02:00
|
|
|
* Tue Jul 01 2008 mt@suse.de
|
|
|
|
- Added fix that explicitly enables version 1 linux capabilities
|
|
|
|
on version 2 systems to aviod that the charon and pluto daemons
|
|
|
|
exit because of failed capset call (bnc#404989).
|
2008-05-22 04:41:53 +02:00
|
|
|
* Mon May 19 2008 mt@suse.de
|
|
|
|
- Applied fix (strongswan_crash_badcfg_reload.dif) to avoid
|
|
|
|
a crash after reloading with bad config (bnc#392062).
|
2008-04-25 16:46:58 +02:00
|
|
|
* Wed Apr 23 2008 mt@suse.de
|
|
|
|
- Updated to 4.2.1 release. A lot of code refactoring in the 4.2
|
|
|
|
release provides much more modularity and therefore much more
|
|
|
|
extensiblity and offers the following new features:
|
|
|
|
* libstrongswan has been modularized to attach crypto algorithms,
|
|
|
|
credential implementations (secret and private keys, certificates)
|
|
|
|
and http/ldap fetchers dynamically through plugins.
|
|
|
|
* A relational database API that uses pluggable database providers
|
|
|
|
was added to libstrongswan including plugins for MySQL and SQLite.
|
|
|
|
* The IKEv2 keying charon daemon has become more extensible. Generic
|
|
|
|
plugins can provide arbitrary interfaces to credential stores and
|
|
|
|
connection management interfaces. Also any EAP method can be added.
|
|
|
|
* The authentication and credential framework in charon has been
|
|
|
|
heavily refactored to support modular credential providers, proper
|
|
|
|
CERTREQ/CERT payload exchanges and extensible authorization rules.
|
|
|
|
* Support for "Hash and URL" encoded certificate payloads has been
|
|
|
|
implemented in the IKEv2 daemon charon.
|
|
|
|
* The IKEv2 daemon charon now supports the "uniqueids" option to
|
|
|
|
close multiple IKE_SAs with the same peer.
|
|
|
|
* The crypto factory in libstrongswan additionally supports random
|
|
|
|
number generators. Plugins may provide other sources of randomness.
|
|
|
|
* Extended the credential framework by a caching option to allow
|
|
|
|
plugins persistent caching of fetched credentials.
|
|
|
|
* The new trust chain verification introduced in 4.2.0 has been
|
|
|
|
parallelized. Threads fetching CRL or OCSP information no longer
|
|
|
|
block other threads.
|
|
|
|
* A new IKEv2 configuration attribute framework has been introduced
|
|
|
|
allowing plugins to provide virtual IP addresses, and in the future,
|
|
|
|
other configuration attribute services (e.g. DNS/WINS servers).
|
|
|
|
* The stroke plugin has been extended to provide virtual IP addresses
|
|
|
|
from a simple pool defined in ipsec.conf.
|
|
|
|
* Fixed compilation on uClibc and a couple of other minor bugs.
|
|
|
|
* The IKEv1 pluto daemon now supports the ESP encryption algorithm
|
|
|
|
CAMELLIA with key lengths of 128, 192, and 256 bits, as well as the
|
|
|
|
authentication algorithm AES_XCBC_MAC.
|
|
|
|
- Applied a small patch defining _GNU_SOURCE for struct in6_pktinfo
|
|
|
|
and adding inclusion of limits.h for PATH_MAX availability.
|
|
|
|
- Added rpmlintrc file and a libtoolize call to the spec file.
|
2008-02-19 14:17:02 +01:00
|
|
|
* Tue Feb 19 2008 mt@suse.de
|
|
|
|
- Updated to 4.1.11 maintenance release, providing following fixes:
|
|
|
|
* IKE rekeying in NAT situations did not inherit the NAT conditions
|
|
|
|
to the rekeyed IKE_SA so that the UDP encapsulation was lost with
|
|
|
|
the next CHILD_SA rekeying.
|
|
|
|
* Wrong type definition of the next_payload variable in id_payload.c
|
|
|
|
caused an INVALID_SYNTAX error on PowerPC platforms.
|
|
|
|
* Implemented IKEv2 EAP-SIM server and client test modules that use
|
|
|
|
triplets stored in a file. For details on the configuration see
|
|
|
|
the scenario 'ikev2/rw-eap-sim-rsa'.
|
|
|
|
- The 4.1.10 final version, declared upstream as "Fully tested support
|
|
|
|
of IPv6 IPsec tunnel connections", fixes ordering error in oscp cache,
|
|
|
|
IPv6 defaults of the nexthop parameter, adds support for new EAP
|
|
|
|
modules [disabled in this build] and obsoletes our strongswan_path
|
|
|
|
and strongswan_ipsec_script_msg patches.
|
|
|
|
- Removed a sed call from init script.
|
|
|
|
* Sat Dec 08 2007 mt@suse.de
|
2007-12-13 04:49:24 +01:00
|
|
|
- Updated to 4.1.9 final, including all our patches.
|
|
|
|
- Changed init script to use ipsec cmd using LSB codes now.
|
|
|
|
- Added strongswan_path.dif setting a PATH in scripts (updown).
|
|
|
|
- Added strongswan_ipsec_script_msg.dif for consistent look of
|
|
|
|
ipsec script messages.
|
|
|
|
- Added strongswan_modprobe_syslog.dif redirecting modprobe
|
|
|
|
output to syslog.
|
2008-02-19 14:17:02 +01:00
|
|
|
* Mon Nov 26 2007 mt@suse.de
|
2007-12-13 04:49:24 +01:00
|
|
|
- Renamed charon plugins to avoid rpm conflicts with existing
|
|
|
|
libraries (libstroke). Patch: strongswan-libconflicts.dif
|
|
|
|
- Added init script. Template file: strongswan.init.in
|
2008-02-19 14:17:02 +01:00
|
|
|
* Thu Nov 22 2007 mt@suse.de
|
2007-12-13 04:49:24 +01:00
|
|
|
- Initial, unfinished package
|