strongswan/strongswan.spec

552 lines
17 KiB
RPMSpec
Raw Normal View History

#
# spec file for package strongswan
#
# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: strongswan
Version: 4.6.4
Release: 0
- Updated to strongSwan 4.5.2 release, changes overview since 4.5.2: * Our private libraries (e.g. libstrongswan) are not installed directly in prefix/lib anymore. Instead a subdirectory is used (prefix/lib/ipsec/ by default). The plugins directory is also moved from libexec/ipsec/ to that directory. * The dynamic IMC/IMV libraries were moved from the plugins directory to a new imcvs directory in the prefix/lib/ipsec/ subdirectory. * Job priorities were introduced to prevent thread starvation caused by too many threads handling blocking operations (such as CRL fetching). * Two new strongswan.conf options allow to fine-tune performance on IKEv2 gateways by dropping IKE_SA_INIT requests on high load. * IKEv2 charon daemon supports PASS and DROP shunt policies preventing traffic to go through IPsec connections. Installation of the shunt policies either via the XFRM netfilter or PFKEYv2 IPsec kernel interfaces. * The history of policies installed in the kernel is now tracked so that e.g. trap policies are correctly updated when reauthenticated SAs are terminated. * IMC/IMV Scanner pair implementing the RFC 5792 PA-TNC (IF-M) protocol. Using "netstat -l" the IMC scans open listening ports on the TNC client and sends a port list to the IMV which based on a port policy decides if the client is admitted to the network. * IMC/IMV Test pair implementing the RFC 5792 PA-TNC (IF-M) protocol. * The IKEv2 close action does not use the same value as the ipsec.conf dpdaction setting, but the value defined by its own closeaction keyword. The action is triggered if the remote peer closes a CHILD_SA unexpectedly. OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=28
2011-09-08 17:17:43 +02:00
%define upstream_version %{version}
%define strongswan_docdir %{_docdir}/%{name}
%define strongswan_libdir %{_libdir}/ipsec
%define strongswan_plugins %{strongswan_libdir}/plugins
%define with_mysql 1
%define with_sqlite 0%{suse_version} >= 1110
%define with_gcrypt 0%{suse_version} >= 1110
%define with_nm 0%{suse_version} >= 1110
%define with_tests 0
Summary: OpenSource IPsec-based VPN Solution
License: GPL-2.0+
Group: Productivity/Networking/Security
Url: http://www.strongswan.org/
Requires: strongswan-ikev1 = %{version}
Requires: strongswan-ikev2 = %{version}
Requires: strongswan-ipsec = %{version}
Source0: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2
Source1: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
Source2: %{name}.init.in
Source3: %{name}-%{version}-rpmlintrc
Source4: README.SUSE
Patch1: %{name}_modprobe_syslog.patch
Patch2: %{name}-%{version}-fmt-warnings.patch
Patch3: 0001-openssl-Ensure-the-thread-ID-is-never-zero.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: bison
BuildRequires: curl-devel
BuildRequires: flex
BuildRequires: gmp-devel
BuildRequires: gperf
BuildRequires: libcap-devel
BuildRequires: libopenssl-devel
BuildRequires: openldap2-devel
BuildRequires: pam-devel
BuildRequires: pkg-config
%if %with_mysql
BuildRequires: libmysqlclient-devel
%endif
%if %with_sqlite
BuildRequires: sqlite3-devel
%endif
%if %with_gcrypt
BuildRequires: libgcrypt-devel
%endif
%if %with_nm
BuildRequires: NetworkManager-devel
%endif
BuildRequires: iptables
BuildRequires: libnl >= 1.1
%description
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
* runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec) kernels
* implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
* Fully tested support of IPv6 IPsec tunnel and transport connections
* Dynamical IP address and interface update with IKEv2 MOBIKE (RFC 4555)
* Automatic insertion and deletion of IPsec-policy-based firewall rules
* Strong 128/192/256 bit AES or Camellia encryption, 3DES support
* NAT-Traversal via UDP encapsulation and port floating (RFC 3947)
* Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
* Static virtual IPs and IKEv1 ModeConfig pull and push modes
* XAUTH server and client functionality on top of IKEv1 Main Mode authentication
* Virtual IP address pool managed by IKE daemon or SQL database
* Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
* Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
* Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
* Authentication based on X.509 certificates or preshared keys
* Generation of a default self-signed certificate during first strongSwan startup
* Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
* Full support of the Online Certificate Status Protocol (OCSP, RCF 2560).
* CA management (OCSP and CRL URIs, default LDAP server)
* Powerful IPsec policies based on wildcards or intermediate CAs
* Group policies based on X.509 attribute certificates (RFC 3281)
* Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface)
* Modular plugins for crypto algorithms and relational database interfaces
* Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
* Optional built-in integrity and crypto tests for plugins and libraries
* Smooth Linux desktop integration via the strongSwan NetworkManager applet
This package triggers the installation of both, IKEv1 and IKEv2 daemons.
Authors:
--------
Andreas Steffen
and others
%package doc
- Updated to strongSwan 4.6.1 release: Changes in 4.6.1: - Because of changing checksums before and after installation which caused the integrity tests to fail we avoided directly linking libsimaka, libtls and libtnccs to those libcharon plugins which make use of these dynamiclibraries. Instead we linked the libraries to the charon daemon. Unfortunately Ubuntu 11.10 activated the --as-needed ld option which discards explicit links to dynamic libraries that are not actually used by the charon daemon itself, thus causing failures during the loading of the plugins which depend on these libraries for resolving external symbols. - Therefore our approach of computing integrity checksums for plugins had to be changed radically by moving the hash generation from the compilation to the post-installation phase. Changes in 4.6.0: - The new libstrongswan certexpire plugin collects expiration information of all used certificates and exports them to CSV files. It either directly exports them or uses cron style scheduling for batch exports. - Starter passes unresolved hostnames to charon, allowing it to do name resolution not before the connection attempt. This is especially useful with connections between hosts using dynamic IP addresses. Thanks to Mirko Parthey for the initial patch. - The android plugin can now be used without the Android frontend patch and provides DNS server registration and logging to logcat. - Pluto and starter (plus stroke and whack) have been ported to Android. - Support for ECDSA private and public key operations has been added to the pkcs11 plugin. The plugin now also provides DH and ECDH via PKCS#11 and can use tokens as random number generators (RNG). By default only private key operations are enabled, more advanced features have to be enabled by their option in strongswan.conf. This also applies to public OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=39
2012-02-15 14:32:28 +01:00
BuildArch: noarch
Summary: OpenSource IPsec-based VPN Solution
- Updated to strongSwan 4.6.3 release: - The tnc-pdp plugin implements a RADIUS server interface allowing a strongSwan TNC server to act as a Policy Decision Point. - The eap-radius authentication backend enforces Session-Timeout attributes using RFC4478 repeated authentication and acts upon RADIUS Dynamic Authorization extensions, RFC 5176. Currently supported are disconnect requests and CoA messages containing a Session-Timeout. - The eap-radius plugin can forward arbitrary RADIUS attributes from and to clients using custom IKEv2 notify payloads. The new radattr plugin reads attributes to include from files and prints received attributes to the console. - Added support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595. - The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128 algorithms as defined in RFC 4494 and RFC 4615, respectively. - The resolve plugin automatically installs nameservers via resolvconf(8), if it is installed, instead of modifying /etc/resolv.conf directly. - The IKEv2 charon daemon supports now raw RSA public keys in RFC 3110 DNSKEY and PKCS#1 file format. - The farp plugin sends ARP responses for any tunneled address, not only virtual IPs. - Charon resolves hosts again during additional keying tries. - Fixed switching back to original address pair during MOBIKE. - When resending IKE_SA_INIT with a COOKIE charon reuses the previous DH value, as specified in RFC 5996. This has an effect on the lifecycle of diffie_hellman_t, see source:src/libcharon/sa/keymat.h#39 for details. - COOKIEs are now kept enabled a bit longer to avoid certain race OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=44
2012-05-10 12:02:51 +02:00
Group: Productivity/Networking/Security
%description doc
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
This package provides the StrongSwan documentation.
Authors:
--------
Andreas Steffen
and others
%package libs0
Summary: OpenSource IPsec-based VPN Solution
- Updated to strongSwan 4.6.3 release: - The tnc-pdp plugin implements a RADIUS server interface allowing a strongSwan TNC server to act as a Policy Decision Point. - The eap-radius authentication backend enforces Session-Timeout attributes using RFC4478 repeated authentication and acts upon RADIUS Dynamic Authorization extensions, RFC 5176. Currently supported are disconnect requests and CoA messages containing a Session-Timeout. - The eap-radius plugin can forward arbitrary RADIUS attributes from and to clients using custom IKEv2 notify payloads. The new radattr plugin reads attributes to include from files and prints received attributes to the console. - Added support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595. - The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128 algorithms as defined in RFC 4494 and RFC 4615, respectively. - The resolve plugin automatically installs nameservers via resolvconf(8), if it is installed, instead of modifying /etc/resolv.conf directly. - The IKEv2 charon daemon supports now raw RSA public keys in RFC 3110 DNSKEY and PKCS#1 file format. - The farp plugin sends ARP responses for any tunneled address, not only virtual IPs. - Charon resolves hosts again during additional keying tries. - Fixed switching back to original address pair during MOBIKE. - When resending IKE_SA_INIT with a COOKIE charon reuses the previous DH value, as specified in RFC 5996. This has an effect on the lifecycle of diffie_hellman_t, see source:src/libcharon/sa/keymat.h#39 for details. - COOKIEs are now kept enabled a bit longer to avoid certain race OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=44
2012-05-10 12:02:51 +02:00
Group: Productivity/Networking/Security
Conflicts: strongswan < %{version}
%description libs0
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
This package provides the strongswan library and plugins.
%package ikev1
Summary: OpenSource IPsec-based VPN Solution
- Updated to strongSwan 4.6.3 release: - The tnc-pdp plugin implements a RADIUS server interface allowing a strongSwan TNC server to act as a Policy Decision Point. - The eap-radius authentication backend enforces Session-Timeout attributes using RFC4478 repeated authentication and acts upon RADIUS Dynamic Authorization extensions, RFC 5176. Currently supported are disconnect requests and CoA messages containing a Session-Timeout. - The eap-radius plugin can forward arbitrary RADIUS attributes from and to clients using custom IKEv2 notify payloads. The new radattr plugin reads attributes to include from files and prints received attributes to the console. - Added support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595. - The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128 algorithms as defined in RFC 4494 and RFC 4615, respectively. - The resolve plugin automatically installs nameservers via resolvconf(8), if it is installed, instead of modifying /etc/resolv.conf directly. - The IKEv2 charon daemon supports now raw RSA public keys in RFC 3110 DNSKEY and PKCS#1 file format. - The farp plugin sends ARP responses for any tunneled address, not only virtual IPs. - Charon resolves hosts again during additional keying tries. - Fixed switching back to original address pair during MOBIKE. - When resending IKE_SA_INIT with a COOKIE charon reuses the previous DH value, as specified in RFC 5996. This has an effect on the lifecycle of diffie_hellman_t, see source:src/libcharon/sa/keymat.h#39 for details. - COOKIEs are now kept enabled a bit longer to avoid certain race OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=44
2012-05-10 12:02:51 +02:00
Group: Productivity/Networking/Security
Requires: iproute2
Requires: strongswan-ipsec = %{version}
- Updated to strongSwan 4.6.3 release: - The tnc-pdp plugin implements a RADIUS server interface allowing a strongSwan TNC server to act as a Policy Decision Point. - The eap-radius authentication backend enforces Session-Timeout attributes using RFC4478 repeated authentication and acts upon RADIUS Dynamic Authorization extensions, RFC 5176. Currently supported are disconnect requests and CoA messages containing a Session-Timeout. - The eap-radius plugin can forward arbitrary RADIUS attributes from and to clients using custom IKEv2 notify payloads. The new radattr plugin reads attributes to include from files and prints received attributes to the console. - Added support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595. - The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128 algorithms as defined in RFC 4494 and RFC 4615, respectively. - The resolve plugin automatically installs nameservers via resolvconf(8), if it is installed, instead of modifying /etc/resolv.conf directly. - The IKEv2 charon daemon supports now raw RSA public keys in RFC 3110 DNSKEY and PKCS#1 file format. - The farp plugin sends ARP responses for any tunneled address, not only virtual IPs. - Charon resolves hosts again during additional keying tries. - Fixed switching back to original address pair during MOBIKE. - When resending IKE_SA_INIT with a COOKIE charon reuses the previous DH value, as specified in RFC 5996. This has an effect on the lifecycle of diffie_hellman_t, see source:src/libcharon/sa/keymat.h#39 for details. - COOKIEs are now kept enabled a bit longer to avoid certain race OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=44
2012-05-10 12:02:51 +02:00
Requires: strongswan-libs0 = %{version}
Provides: ikev1
Provides: pluto
- Updated to strongSwan 4.6.3 release: - The tnc-pdp plugin implements a RADIUS server interface allowing a strongSwan TNC server to act as a Policy Decision Point. - The eap-radius authentication backend enforces Session-Timeout attributes using RFC4478 repeated authentication and acts upon RADIUS Dynamic Authorization extensions, RFC 5176. Currently supported are disconnect requests and CoA messages containing a Session-Timeout. - The eap-radius plugin can forward arbitrary RADIUS attributes from and to clients using custom IKEv2 notify payloads. The new radattr plugin reads attributes to include from files and prints received attributes to the console. - Added support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595. - The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128 algorithms as defined in RFC 4494 and RFC 4615, respectively. - The resolve plugin automatically installs nameservers via resolvconf(8), if it is installed, instead of modifying /etc/resolv.conf directly. - The IKEv2 charon daemon supports now raw RSA public keys in RFC 3110 DNSKEY and PKCS#1 file format. - The farp plugin sends ARP responses for any tunneled address, not only virtual IPs. - Charon resolves hosts again during additional keying tries. - Fixed switching back to original address pair during MOBIKE. - When resending IKE_SA_INIT with a COOKIE charon reuses the previous DH value, as specified in RFC 5996. This has an effect on the lifecycle of diffie_hellman_t, see source:src/libcharon/sa/keymat.h#39 for details. - COOKIEs are now kept enabled a bit longer to avoid certain race OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=44
2012-05-10 12:02:51 +02:00
Provides: strongswan-daemon = %{version}
Conflicts: freeswan openswan strongswan < %{version}
%description ikev1
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
This package provides the pluto IKEv1 daemon.
%package ikev2
Summary: OpenSource IPsec-based VPN Solution
- Updated to strongSwan 4.6.3 release: - The tnc-pdp plugin implements a RADIUS server interface allowing a strongSwan TNC server to act as a Policy Decision Point. - The eap-radius authentication backend enforces Session-Timeout attributes using RFC4478 repeated authentication and acts upon RADIUS Dynamic Authorization extensions, RFC 5176. Currently supported are disconnect requests and CoA messages containing a Session-Timeout. - The eap-radius plugin can forward arbitrary RADIUS attributes from and to clients using custom IKEv2 notify payloads. The new radattr plugin reads attributes to include from files and prints received attributes to the console. - Added support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595. - The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128 algorithms as defined in RFC 4494 and RFC 4615, respectively. - The resolve plugin automatically installs nameservers via resolvconf(8), if it is installed, instead of modifying /etc/resolv.conf directly. - The IKEv2 charon daemon supports now raw RSA public keys in RFC 3110 DNSKEY and PKCS#1 file format. - The farp plugin sends ARP responses for any tunneled address, not only virtual IPs. - Charon resolves hosts again during additional keying tries. - Fixed switching back to original address pair during MOBIKE. - When resending IKE_SA_INIT with a COOKIE charon reuses the previous DH value, as specified in RFC 5996. This has an effect on the lifecycle of diffie_hellman_t, see source:src/libcharon/sa/keymat.h#39 for details. - COOKIEs are now kept enabled a bit longer to avoid certain race OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=44
2012-05-10 12:02:51 +02:00
Group: Productivity/Networking/Security
Requires: iproute2
Requires: strongswan-daemon-starter = %{version}
- Updated to strongSwan 4.6.3 release: - The tnc-pdp plugin implements a RADIUS server interface allowing a strongSwan TNC server to act as a Policy Decision Point. - The eap-radius authentication backend enforces Session-Timeout attributes using RFC4478 repeated authentication and acts upon RADIUS Dynamic Authorization extensions, RFC 5176. Currently supported are disconnect requests and CoA messages containing a Session-Timeout. - The eap-radius plugin can forward arbitrary RADIUS attributes from and to clients using custom IKEv2 notify payloads. The new radattr plugin reads attributes to include from files and prints received attributes to the console. - Added support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595. - The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128 algorithms as defined in RFC 4494 and RFC 4615, respectively. - The resolve plugin automatically installs nameservers via resolvconf(8), if it is installed, instead of modifying /etc/resolv.conf directly. - The IKEv2 charon daemon supports now raw RSA public keys in RFC 3110 DNSKEY and PKCS#1 file format. - The farp plugin sends ARP responses for any tunneled address, not only virtual IPs. - Charon resolves hosts again during additional keying tries. - Fixed switching back to original address pair during MOBIKE. - When resending IKE_SA_INIT with a COOKIE charon reuses the previous DH value, as specified in RFC 5996. This has an effect on the lifecycle of diffie_hellman_t, see source:src/libcharon/sa/keymat.h#39 for details. - COOKIEs are now kept enabled a bit longer to avoid certain race OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=44
2012-05-10 12:02:51 +02:00
Requires: strongswan-libs0 = %{version}
Provides: ikev2
Provides: strongswan-daemon = %{version}
Conflicts: openswan strongswan < %{version}
%description ikev2
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
This package provides the charon IKEv2 daemon.
%package ipsec
Summary: OpenSource IPsec-based VPN Solution
- Updated to strongSwan 4.6.3 release: - The tnc-pdp plugin implements a RADIUS server interface allowing a strongSwan TNC server to act as a Policy Decision Point. - The eap-radius authentication backend enforces Session-Timeout attributes using RFC4478 repeated authentication and acts upon RADIUS Dynamic Authorization extensions, RFC 5176. Currently supported are disconnect requests and CoA messages containing a Session-Timeout. - The eap-radius plugin can forward arbitrary RADIUS attributes from and to clients using custom IKEv2 notify payloads. The new radattr plugin reads attributes to include from files and prints received attributes to the console. - Added support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595. - The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128 algorithms as defined in RFC 4494 and RFC 4615, respectively. - The resolve plugin automatically installs nameservers via resolvconf(8), if it is installed, instead of modifying /etc/resolv.conf directly. - The IKEv2 charon daemon supports now raw RSA public keys in RFC 3110 DNSKEY and PKCS#1 file format. - The farp plugin sends ARP responses for any tunneled address, not only virtual IPs. - Charon resolves hosts again during additional keying tries. - Fixed switching back to original address pair during MOBIKE. - When resending IKE_SA_INIT with a COOKIE charon reuses the previous DH value, as specified in RFC 5996. This has an effect on the lifecycle of diffie_hellman_t, see source:src/libcharon/sa/keymat.h#39 for details. - COOKIEs are now kept enabled a bit longer to avoid certain race OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=44
2012-05-10 12:02:51 +02:00
Group: Productivity/Networking/Security
PreReq: grep %insserv_prereq %fillup_prereq
Requires: strongswan-daemon = %{version}
- Updated to strongSwan 4.6.3 release: - The tnc-pdp plugin implements a RADIUS server interface allowing a strongSwan TNC server to act as a Policy Decision Point. - The eap-radius authentication backend enforces Session-Timeout attributes using RFC4478 repeated authentication and acts upon RADIUS Dynamic Authorization extensions, RFC 5176. Currently supported are disconnect requests and CoA messages containing a Session-Timeout. - The eap-radius plugin can forward arbitrary RADIUS attributes from and to clients using custom IKEv2 notify payloads. The new radattr plugin reads attributes to include from files and prints received attributes to the console. - Added support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595. - The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128 algorithms as defined in RFC 4494 and RFC 4615, respectively. - The resolve plugin automatically installs nameservers via resolvconf(8), if it is installed, instead of modifying /etc/resolv.conf directly. - The IKEv2 charon daemon supports now raw RSA public keys in RFC 3110 DNSKEY and PKCS#1 file format. - The farp plugin sends ARP responses for any tunneled address, not only virtual IPs. - Charon resolves hosts again during additional keying tries. - Fixed switching back to original address pair during MOBIKE. - When resending IKE_SA_INIT with a COOKIE charon reuses the previous DH value, as specified in RFC 5996. This has an effect on the lifecycle of diffie_hellman_t, see source:src/libcharon/sa/keymat.h#39 for details. - COOKIEs are now kept enabled a bit longer to avoid certain race OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=44
2012-05-10 12:02:51 +02:00
Requires: strongswan-libs0 = %{version}
Provides: VPN
Provides: ipsec
Provides: strongswan = %{version}
Provides: strongswan-daemon-starter = %{version}
Obsoletes: strongswan < %{version}
Conflicts: freeswan openswan
%description ipsec
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
This package provides the /etc/init.d/ipsec service script and allows
to maintain both, IKEv1 and IKEv2 daemons, using /etc/ipsec.conf and
/etc/ipsec.sectes files.
%if %with_mysql
%package mysql
Summary: OpenSource IPsec-based VPN Solution
- Updated to strongSwan 4.6.3 release: - The tnc-pdp plugin implements a RADIUS server interface allowing a strongSwan TNC server to act as a Policy Decision Point. - The eap-radius authentication backend enforces Session-Timeout attributes using RFC4478 repeated authentication and acts upon RADIUS Dynamic Authorization extensions, RFC 5176. Currently supported are disconnect requests and CoA messages containing a Session-Timeout. - The eap-radius plugin can forward arbitrary RADIUS attributes from and to clients using custom IKEv2 notify payloads. The new radattr plugin reads attributes to include from files and prints received attributes to the console. - Added support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595. - The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128 algorithms as defined in RFC 4494 and RFC 4615, respectively. - The resolve plugin automatically installs nameservers via resolvconf(8), if it is installed, instead of modifying /etc/resolv.conf directly. - The IKEv2 charon daemon supports now raw RSA public keys in RFC 3110 DNSKEY and PKCS#1 file format. - The farp plugin sends ARP responses for any tunneled address, not only virtual IPs. - Charon resolves hosts again during additional keying tries. - Fixed switching back to original address pair during MOBIKE. - When resending IKE_SA_INIT with a COOKIE charon reuses the previous DH value, as specified in RFC 5996. This has an effect on the lifecycle of diffie_hellman_t, see source:src/libcharon/sa/keymat.h#39 for details. - COOKIEs are now kept enabled a bit longer to avoid certain race OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=44
2012-05-10 12:02:51 +02:00
Group: Productivity/Networking/Security
Requires: strongswan-libs0 = %{version}
%description mysql
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
This package provides the strongswan mysql plugin.
%endif
%if %with_sqlite
%package sqlite
Summary: OpenSource IPsec-based VPN Solution
- Updated to strongSwan 4.6.3 release: - The tnc-pdp plugin implements a RADIUS server interface allowing a strongSwan TNC server to act as a Policy Decision Point. - The eap-radius authentication backend enforces Session-Timeout attributes using RFC4478 repeated authentication and acts upon RADIUS Dynamic Authorization extensions, RFC 5176. Currently supported are disconnect requests and CoA messages containing a Session-Timeout. - The eap-radius plugin can forward arbitrary RADIUS attributes from and to clients using custom IKEv2 notify payloads. The new radattr plugin reads attributes to include from files and prints received attributes to the console. - Added support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595. - The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128 algorithms as defined in RFC 4494 and RFC 4615, respectively. - The resolve plugin automatically installs nameservers via resolvconf(8), if it is installed, instead of modifying /etc/resolv.conf directly. - The IKEv2 charon daemon supports now raw RSA public keys in RFC 3110 DNSKEY and PKCS#1 file format. - The farp plugin sends ARP responses for any tunneled address, not only virtual IPs. - Charon resolves hosts again during additional keying tries. - Fixed switching back to original address pair during MOBIKE. - When resending IKE_SA_INIT with a COOKIE charon reuses the previous DH value, as specified in RFC 5996. This has an effect on the lifecycle of diffie_hellman_t, see source:src/libcharon/sa/keymat.h#39 for details. - COOKIEs are now kept enabled a bit longer to avoid certain race OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=44
2012-05-10 12:02:51 +02:00
Group: Productivity/Networking/Security
Requires: strongswan-libs0 = %{version}
%description sqlite
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
This package provides the strongswan sqlite plugin.
%endif
%if %with_nm
%package nm
Summary: OpenSource IPsec-based VPN Solution
- Updated to strongSwan 4.6.3 release: - The tnc-pdp plugin implements a RADIUS server interface allowing a strongSwan TNC server to act as a Policy Decision Point. - The eap-radius authentication backend enforces Session-Timeout attributes using RFC4478 repeated authentication and acts upon RADIUS Dynamic Authorization extensions, RFC 5176. Currently supported are disconnect requests and CoA messages containing a Session-Timeout. - The eap-radius plugin can forward arbitrary RADIUS attributes from and to clients using custom IKEv2 notify payloads. The new radattr plugin reads attributes to include from files and prints received attributes to the console. - Added support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595. - The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128 algorithms as defined in RFC 4494 and RFC 4615, respectively. - The resolve plugin automatically installs nameservers via resolvconf(8), if it is installed, instead of modifying /etc/resolv.conf directly. - The IKEv2 charon daemon supports now raw RSA public keys in RFC 3110 DNSKEY and PKCS#1 file format. - The farp plugin sends ARP responses for any tunneled address, not only virtual IPs. - Charon resolves hosts again during additional keying tries. - Fixed switching back to original address pair during MOBIKE. - When resending IKE_SA_INIT with a COOKIE charon reuses the previous DH value, as specified in RFC 5996. This has an effect on the lifecycle of diffie_hellman_t, see source:src/libcharon/sa/keymat.h#39 for details. - COOKIEs are now kept enabled a bit longer to avoid certain race OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=44
2012-05-10 12:02:51 +02:00
Group: Productivity/Networking/Security
Requires: strongswan-ikev2 = %{version}
- Updated to strongSwan 4.6.3 release: - The tnc-pdp plugin implements a RADIUS server interface allowing a strongSwan TNC server to act as a Policy Decision Point. - The eap-radius authentication backend enforces Session-Timeout attributes using RFC4478 repeated authentication and acts upon RADIUS Dynamic Authorization extensions, RFC 5176. Currently supported are disconnect requests and CoA messages containing a Session-Timeout. - The eap-radius plugin can forward arbitrary RADIUS attributes from and to clients using custom IKEv2 notify payloads. The new radattr plugin reads attributes to include from files and prints received attributes to the console. - Added support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595. - The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128 algorithms as defined in RFC 4494 and RFC 4615, respectively. - The resolve plugin automatically installs nameservers via resolvconf(8), if it is installed, instead of modifying /etc/resolv.conf directly. - The IKEv2 charon daemon supports now raw RSA public keys in RFC 3110 DNSKEY and PKCS#1 file format. - The farp plugin sends ARP responses for any tunneled address, not only virtual IPs. - Charon resolves hosts again during additional keying tries. - Fixed switching back to original address pair during MOBIKE. - When resending IKE_SA_INIT with a COOKIE charon reuses the previous DH value, as specified in RFC 5996. This has an effect on the lifecycle of diffie_hellman_t, see source:src/libcharon/sa/keymat.h#39 for details. - COOKIEs are now kept enabled a bit longer to avoid certain race OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=44
2012-05-10 12:02:51 +02:00
Requires: strongswan-libs0 = %{version}
Provides: strongswan-daemon-starter = %{version}
%description nm
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
This package provides the NetworkManager plugin to control the
charon IKEv2 daemon through D-Bus, designed to work using the
NetworkManager-strongswan graphical user interface.
%endif
%if %with_tests
%package tests
Summary: OpenSource IPsec-based VPN Solution
- Updated to strongSwan 4.6.3 release: - The tnc-pdp plugin implements a RADIUS server interface allowing a strongSwan TNC server to act as a Policy Decision Point. - The eap-radius authentication backend enforces Session-Timeout attributes using RFC4478 repeated authentication and acts upon RADIUS Dynamic Authorization extensions, RFC 5176. Currently supported are disconnect requests and CoA messages containing a Session-Timeout. - The eap-radius plugin can forward arbitrary RADIUS attributes from and to clients using custom IKEv2 notify payloads. The new radattr plugin reads attributes to include from files and prints received attributes to the console. - Added support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595. - The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128 algorithms as defined in RFC 4494 and RFC 4615, respectively. - The resolve plugin automatically installs nameservers via resolvconf(8), if it is installed, instead of modifying /etc/resolv.conf directly. - The IKEv2 charon daemon supports now raw RSA public keys in RFC 3110 DNSKEY and PKCS#1 file format. - The farp plugin sends ARP responses for any tunneled address, not only virtual IPs. - Charon resolves hosts again during additional keying tries. - Fixed switching back to original address pair during MOBIKE. - When resending IKE_SA_INIT with a COOKIE charon reuses the previous DH value, as specified in RFC 5996. This has an effect on the lifecycle of diffie_hellman_t, see source:src/libcharon/sa/keymat.h#39 for details. - COOKIEs are now kept enabled a bit longer to avoid certain race OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=44
2012-05-10 12:02:51 +02:00
Group: Productivity/Networking/Security
Requires: strongswan-libs0 = %{version}
%description tests
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
This package provides the strongswan crypto test-vectors plugin
and the load testing plugin for IKEv2 daemon.
%endif
%prep
%setup -q -n %{name}-%{upstream_version}
%patch1 -p0
%patch2 -p0
%patch3 -p1
sed -e 's|@libexecdir@|%_libexecdir|g' \
< $RPM_SOURCE_DIR/strongswan.init.in \
> strongswan.init
%build
CFLAGS="$RPM_OPT_FLAGS -W -Wall -Wno-pointer-sign -Wno-strict-aliasing"
export RPM_OPT_FLAGS CFLAGS
#libtoolize --force
#autoreconf
%configure \
--enable-integrity-test \
--with-capabilities=libcap \
--with-plugindir=%{strongswan_plugins} \
--with-resolv-conf=%{_localstatedir}/run/strongswan/resolv.conf \
--enable-smartcard \
--with-default-pkcs11=%{_libdir}/opensc-pkcs11.so \
--enable-cisco-quirks \
--enable-openssl \
--enable-agent \
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are: * Support of xfrm marks in IPsec SAs and IPsec policies introduced with the Linux 2.6.34 kernel. For details see the example scenarios ikev2/nat-two-rw-mark, ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp. * The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be used in a user-specific updown script to set marks on inbound ESP or ESP_IN_UDP packets. * The openssl plugin now supports X.509 certificate and CRL functions. * OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled by default. Plase update manual load directives in strongswan.conf. * RFC3779 ipAddrBlock constraint checking has been moved to the addrblock plugin, disabled by default. Enable it and update manual load directives in strongswan.conf, if required. * The pki utility supports CRL generation using the --signcrl command. * The ipsec pki --self, --issue and --req commands now support output in PEM format using the --outform pem option. * The major refactoring of the IKEv1 Mode Config functionality now allows the transport and handling of any Mode Config attribute. * The RADIUS proxy plugin eap-radius now supports multiple servers. Configured servers are chosen randomly, with the option to prefer a specific server. Non-responding servers are degraded by the selection process. * The ipsec pool tool manages arbitrary configuration attributes stored in an SQL database. ipsec pool --help gives the details. * The new eap-simaka-sql plugin acts as a backend for EAP-SIM and EAP-AKA, reading triplets/quintuplets from an SQL database. * The High Availability plugin now supports a HA enabled in-memory address pool and Node reintegration without IKE_SA rekeying. The latter allows clients without IKE_SA rekeying support to keep connected during reintegration. Additionally, many other issues have been fixed in the ha plugin. * Fixed a potential remote code execution vulnerability resulting from the misuse of snprintf(). The vulnerability is exploitable by unauthenticated users. - Removed obsolete snprintf security fix, adopted spec file - Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth, eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins. - Enabled the mysql, sqlite, load-tester and test-vectors plugins, that are packaged into separate mysql,sqlite,tests sub packages. OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
--enable-md4 \
--enable-blowfish \
--enable-eap-sim \
--enable-eap-sim-file \
--enable-eap-simaka-sql \
--enable-eap-simaka-pseudonym \
--enable-eap-simaka-reauth \
--enable-eap-md5 \
--enable-eap-gtc \
--enable-eap-aka \
--enable-eap-radius \
--enable-eap-identity \
--enable-eap-mschapv2 \
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are: * Support of xfrm marks in IPsec SAs and IPsec policies introduced with the Linux 2.6.34 kernel. For details see the example scenarios ikev2/nat-two-rw-mark, ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp. * The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be used in a user-specific updown script to set marks on inbound ESP or ESP_IN_UDP packets. * The openssl plugin now supports X.509 certificate and CRL functions. * OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled by default. Plase update manual load directives in strongswan.conf. * RFC3779 ipAddrBlock constraint checking has been moved to the addrblock plugin, disabled by default. Enable it and update manual load directives in strongswan.conf, if required. * The pki utility supports CRL generation using the --signcrl command. * The ipsec pki --self, --issue and --req commands now support output in PEM format using the --outform pem option. * The major refactoring of the IKEv1 Mode Config functionality now allows the transport and handling of any Mode Config attribute. * The RADIUS proxy plugin eap-radius now supports multiple servers. Configured servers are chosen randomly, with the option to prefer a specific server. Non-responding servers are degraded by the selection process. * The ipsec pool tool manages arbitrary configuration attributes stored in an SQL database. ipsec pool --help gives the details. * The new eap-simaka-sql plugin acts as a backend for EAP-SIM and EAP-AKA, reading triplets/quintuplets from an SQL database. * The High Availability plugin now supports a HA enabled in-memory address pool and Node reintegration without IKE_SA rekeying. The latter allows clients without IKE_SA rekeying support to keep connected during reintegration. Additionally, many other issues have been fixed in the ha plugin. * Fixed a potential remote code execution vulnerability resulting from the misuse of snprintf(). The vulnerability is exploitable by unauthenticated users. - Removed obsolete snprintf security fix, adopted spec file - Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth, eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins. - Enabled the mysql, sqlite, load-tester and test-vectors plugins, that are packaged into separate mysql,sqlite,tests sub packages. OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
--enable-eap-aka-3gpp2 \
--enable-ha \
--enable-dhcp \
--enable-farp \
--enable-sql \
--enable-attr-sql \
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are: * Support of xfrm marks in IPsec SAs and IPsec policies introduced with the Linux 2.6.34 kernel. For details see the example scenarios ikev2/nat-two-rw-mark, ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp. * The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be used in a user-specific updown script to set marks on inbound ESP or ESP_IN_UDP packets. * The openssl plugin now supports X.509 certificate and CRL functions. * OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled by default. Plase update manual load directives in strongswan.conf. * RFC3779 ipAddrBlock constraint checking has been moved to the addrblock plugin, disabled by default. Enable it and update manual load directives in strongswan.conf, if required. * The pki utility supports CRL generation using the --signcrl command. * The ipsec pki --self, --issue and --req commands now support output in PEM format using the --outform pem option. * The major refactoring of the IKEv1 Mode Config functionality now allows the transport and handling of any Mode Config attribute. * The RADIUS proxy plugin eap-radius now supports multiple servers. Configured servers are chosen randomly, with the option to prefer a specific server. Non-responding servers are degraded by the selection process. * The ipsec pool tool manages arbitrary configuration attributes stored in an SQL database. ipsec pool --help gives the details. * The new eap-simaka-sql plugin acts as a backend for EAP-SIM and EAP-AKA, reading triplets/quintuplets from an SQL database. * The High Availability plugin now supports a HA enabled in-memory address pool and Node reintegration without IKE_SA rekeying. The latter allows clients without IKE_SA rekeying support to keep connected during reintegration. Additionally, many other issues have been fixed in the ha plugin. * Fixed a potential remote code execution vulnerability resulting from the misuse of snprintf(). The vulnerability is exploitable by unauthenticated users. - Removed obsolete snprintf security fix, adopted spec file - Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth, eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins. - Enabled the mysql, sqlite, load-tester and test-vectors plugins, that are packaged into separate mysql,sqlite,tests sub packages. OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
--enable-addrblock \
%if %with_mysql
--enable-mysql \
%endif
%if %with_sqlite
--enable-sqlite \
%endif
%if %with_gcrypt
--enable-gcrypt \
%endif
%if %with_nm
--enable-nm \
%endif
%if %with_tests
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are: * Support of xfrm marks in IPsec SAs and IPsec policies introduced with the Linux 2.6.34 kernel. For details see the example scenarios ikev2/nat-two-rw-mark, ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp. * The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be used in a user-specific updown script to set marks on inbound ESP or ESP_IN_UDP packets. * The openssl plugin now supports X.509 certificate and CRL functions. * OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled by default. Plase update manual load directives in strongswan.conf. * RFC3779 ipAddrBlock constraint checking has been moved to the addrblock plugin, disabled by default. Enable it and update manual load directives in strongswan.conf, if required. * The pki utility supports CRL generation using the --signcrl command. * The ipsec pki --self, --issue and --req commands now support output in PEM format using the --outform pem option. * The major refactoring of the IKEv1 Mode Config functionality now allows the transport and handling of any Mode Config attribute. * The RADIUS proxy plugin eap-radius now supports multiple servers. Configured servers are chosen randomly, with the option to prefer a specific server. Non-responding servers are degraded by the selection process. * The ipsec pool tool manages arbitrary configuration attributes stored in an SQL database. ipsec pool --help gives the details. * The new eap-simaka-sql plugin acts as a backend for EAP-SIM and EAP-AKA, reading triplets/quintuplets from an SQL database. * The High Availability plugin now supports a HA enabled in-memory address pool and Node reintegration without IKE_SA rekeying. The latter allows clients without IKE_SA rekeying support to keep connected during reintegration. Additionally, many other issues have been fixed in the ha plugin. * Fixed a potential remote code execution vulnerability resulting from the misuse of snprintf(). The vulnerability is exploitable by unauthenticated users. - Removed obsolete snprintf security fix, adopted spec file - Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth, eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins. - Enabled the mysql, sqlite, load-tester and test-vectors plugins, that are packaged into separate mysql,sqlite,tests sub packages. OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
--enable-load-tester \
--enable-test-vectors \
%endif
--enable-ldap \
--enable-curl
make %{?_smp_mflags:%_smp_mflags}
%install
export RPM_BUILD_ROOT
install -m755 -d ${RPM_BUILD_ROOT}%{_sbindir}/
install -m755 -d ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.d/
install -m755 -d ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/
install -m755 strongswan.init ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/ipsec
ln -s %{_sysconfdir}/init.d/ipsec ${RPM_BUILD_ROOT}%{_sbindir}/rcipsec
#
make install DESTDIR="$RPM_BUILD_ROOT"
#
rm -f ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets
cat << EOT > ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets
#
# ipsec.secrets
#
# This file holds the RSA private keys or the PSK preshared secrets for
# the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
#
EOT
#
- Updated to strongSwan 4.6.3 release: - The tnc-pdp plugin implements a RADIUS server interface allowing a strongSwan TNC server to act as a Policy Decision Point. - The eap-radius authentication backend enforces Session-Timeout attributes using RFC4478 repeated authentication and acts upon RADIUS Dynamic Authorization extensions, RFC 5176. Currently supported are disconnect requests and CoA messages containing a Session-Timeout. - The eap-radius plugin can forward arbitrary RADIUS attributes from and to clients using custom IKEv2 notify payloads. The new radattr plugin reads attributes to include from files and prints received attributes to the console. - Added support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595. - The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128 algorithms as defined in RFC 4494 and RFC 4615, respectively. - The resolve plugin automatically installs nameservers via resolvconf(8), if it is installed, instead of modifying /etc/resolv.conf directly. - The IKEv2 charon daemon supports now raw RSA public keys in RFC 3110 DNSKEY and PKCS#1 file format. - The farp plugin sends ARP responses for any tunneled address, not only virtual IPs. - Charon resolves hosts again during additional keying tries. - Fixed switching back to original address pair during MOBIKE. - When resending IKE_SA_INIT with a COOKIE charon reuses the previous DH value, as specified in RFC 5996. This has an effect on the lifecycle of diffie_hellman_t, see source:src/libcharon/sa/keymat.h#39 for details. - COOKIEs are now kept enabled a bit longer to avoid certain race OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=44
2012-05-10 12:02:51 +02:00
rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{charon,hydra,radius,strongswan,simaka}.so
find $RPM_BUILD_ROOT%{strongswan_libdir} \
-name "*.a" -o -name "*.la" | xargs -r rm -f
#
install -m755 -d ${RPM_BUILD_ROOT}%{strongswan_docdir}/
install -m644 TODO NEWS README COPYING CREDITS \
${RPM_SOURCE_DIR}/README.SUSE \
${RPM_BUILD_ROOT}%{strongswan_docdir}/
install -m755 -d $RPM_BUILD_ROOT%{_localstatedir}/run/strongswan
%post libs0
%{run_ldconfig}
test -d %{_localstatedir}/run/strongswan || \
%{__mkdir_p} %{_localstatedir}/run/strongswan
%postun libs0
%{run_ldconfig}
%post ipsec
%{fillup_and_insserv ipsec}
%preun ipsec
%{stop_on_removal ipsec}
if test -s %{_sysconfdir}/ipsec.secrets.rpmsave; then
cp -p --backup=numbered %{_sysconfdir}/ipsec.secrets.rpmsave %{_sysconfdir}/ipsec.secrets.rpmsave.old
fi
if test -s %{_sysconfdir}/ipsec.conf.rpmsave; then
cp -p --backup=numbered %{_sysconfdir}/ipsec.conf.rpmsave %{_sysconfdir}/ipsec.conf.rpmsave.old
fi
%postun ipsec
%{insserv_cleanup}
%files
%defattr(-,root,root)
%dir %{strongswan_docdir}
%{strongswan_docdir}/README.SUSE
%files ipsec
%defattr(-,root,root)
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.conf
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.secrets
%dir %{_sysconfdir}/ipsec.d
%dir %{_sysconfdir}/ipsec.d/crls
%dir %{_sysconfdir}/ipsec.d/reqs
%dir %{_sysconfdir}/ipsec.d/certs
%dir %{_sysconfdir}/ipsec.d/acerts
%dir %{_sysconfdir}/ipsec.d/aacerts
%dir %{_sysconfdir}/ipsec.d/cacerts
%dir %{_sysconfdir}/ipsec.d/ocspcerts
%dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private
%config %{_sysconfdir}/init.d/ipsec
%{_sbindir}/rcipsec
%{_sbindir}/ipsec
%{_mandir}/man8/ipsec.8*
%{_mandir}/man5/ipsec.conf.5*
%{_mandir}/man5/ipsec.secrets.5*
- Updated to strongSwan 4.5.0 release, changes since 4.4.1 are: * IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5 from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively come for IKEv1 to go into retirement and to cede its place to the much more robust, powerful and versatile IKEv2 protocol! * Added new ctr, ccm and gcm plugins providing Counter, Counter with CBC-MAC and Galois/Counter Modes based on existing CBC implementations. These new plugins bring support for AES and Camellia Counter and CCM algorithms and the AES GCM algorithms for use in IKEv2. * The new pkcs11 plugin brings full Smartcard support to the IKEv2 daemon and the pki utility using one or more PKCS#11 libraries. It currently supports RSA private and public key operations and loads X.509 certificates from tokens. * Implemented a general purpose TLS stack based on crypto and credential primitives of libstrongswan. libtls supports TLS versions 1.0, 1.1 and 1.2, ECDHE-ECDSA/RSA, DHE-RSA and RSA key exchange algorithms and RSA/ECDSA based client authentication. * Based on libtls, the eap-tls plugin brings certificate based EAP authentication for client and server. It is compatible to Windows 7 IKEv2 Smartcard authentication and the OpenSSL based FreeRADIUS EAP-TLS backend. * Implemented the TNCCS 1.1 Trusted Network Connect protocol using the libtnc library on the strongSwan client and server side via the tnccs_11 plugin and optionally connecting to a TNC@FHH-enhanced FreeRADIUS AAA server. Depending on the resulting TNC Recommendation, strongSwan clients are granted access to a network behind a strongSwan gateway (allow), are put into a remediation zone (isolate) or are blocked (none), respectively. Any number of Integrity Measurement Collector/Verifier pairs can be attached via the tnc-imc and tnc-imv charon plugins. * The IKEv1 daemon pluto now uses the same kernel interfaces as the IKEv2 daemon charon. As a result of this, pluto now supports xfrm marks which were introduced in charon with 4.4.1. * The RADIUS plugin eap-radius now supports multiple RADIUS servers for redundant setups. Servers are selected by a defined priority, server load and availability. * The simple led plugin controls hardware LEDs through the Linux LED subsystem. It currently shows activity of the IKE daemon and is a good example how to implement a simple event listener. * Improved MOBIKE behavior in several corner cases, for instance, if the initial responder moves to a different address. * Fixed left-/rightnexthop option, which was broken since 4.4.0. * Fixed a bug not releasing a virtual IP address to a pool if the XAUTH identity was different from the IKE identity. * Fixed the alignment of ModeConfig messages on 4-byte boundaries in the case where the attributes are not a multiple of 4 bytes (e.g. Cisco's UNITY_BANNER). * Fixed the interoperability of the socket_raw and socket_default charon plugins. * Added man page for strongswan.conf - Adopted spec file, removed obsolete error range patch. OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=20
2010-11-16 13:10:30 +01:00
%{_mandir}/man5/strongswan.conf.5*
%dir %{_libexecdir}/ipsec
%{_libexecdir}/ipsec/_updown
%{_libexecdir}/ipsec/_updown_espmark
%{_libexecdir}/ipsec/_copyright
%{_libexecdir}/ipsec/pki
%{_libexecdir}/ipsec/openac
%{_libexecdir}/ipsec/scepclient
%{_libexecdir}/ipsec/starter
%{_libexecdir}/ipsec/stroke
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-stroke.so
%{strongswan_plugins}/libstrongswan-updown.so
%files ikev1
%defattr(-,root,root)
%dir %{_libexecdir}/ipsec
%{_libexecdir}/ipsec/whack
%{_libexecdir}/ipsec/pluto
%{_libexecdir}/ipsec/_pluto_adns
%files ikev2
%defattr(-,root,root)
%dir %{_libexecdir}/ipsec
%{_libexecdir}/ipsec/charon
%files doc
%defattr(-,root,root)
%dir %{strongswan_docdir}
%{strongswan_docdir}/TODO
%{strongswan_docdir}/NEWS
%{strongswan_docdir}/README
%{strongswan_docdir}/COPYING
%{strongswan_docdir}/CREDITS
%{_mandir}/man3/anyaddr.3*
%{_mandir}/man3/atoaddr.3*
%{_mandir}/man3/atoasr.3*
%{_mandir}/man3/atoul.3*
%{_mandir}/man3/goodmask.3*
%{_mandir}/man3/initaddr.3*
%{_mandir}/man3/initsubnet.3*
%{_mandir}/man3/portof.3*
%{_mandir}/man3/rangetosubnet.3*
%{_mandir}/man3/sameaddr.3*
%{_mandir}/man3/subnetof.3*
%{_mandir}/man3/ttoaddr.3*
%{_mandir}/man3/ttodata.3*
%{_mandir}/man3/ttosa.3*
%{_mandir}/man3/ttoul.3*
%{_mandir}/man8/_updown.8*
%{_mandir}/man8/_updown_espmark.8*
%{_mandir}/man8/openac.8*
%{_mandir}/man8/pluto.8*
%{_mandir}/man8/scepclient.8*
%files libs0
%defattr(-,root,root)
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/strongswan.conf
%dir %{_libexecdir}/ipsec
%dir %{_libexecdir}/ipsec/pool
%dir %{strongswan_libdir}
%{strongswan_libdir}/libchecksum.so
%{strongswan_libdir}/libhydra.so.0
%{strongswan_libdir}/libhydra.so.0.0.0
%{strongswan_libdir}/libcharon.so.0
%{strongswan_libdir}/libcharon.so.0.0.0
- Updated to strongSwan 4.6.3 release: - The tnc-pdp plugin implements a RADIUS server interface allowing a strongSwan TNC server to act as a Policy Decision Point. - The eap-radius authentication backend enforces Session-Timeout attributes using RFC4478 repeated authentication and acts upon RADIUS Dynamic Authorization extensions, RFC 5176. Currently supported are disconnect requests and CoA messages containing a Session-Timeout. - The eap-radius plugin can forward arbitrary RADIUS attributes from and to clients using custom IKEv2 notify payloads. The new radattr plugin reads attributes to include from files and prints received attributes to the console. - Added support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595. - The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128 algorithms as defined in RFC 4494 and RFC 4615, respectively. - The resolve plugin automatically installs nameservers via resolvconf(8), if it is installed, instead of modifying /etc/resolv.conf directly. - The IKEv2 charon daemon supports now raw RSA public keys in RFC 3110 DNSKEY and PKCS#1 file format. - The farp plugin sends ARP responses for any tunneled address, not only virtual IPs. - Charon resolves hosts again during additional keying tries. - Fixed switching back to original address pair during MOBIKE. - When resending IKE_SA_INIT with a COOKIE charon reuses the previous DH value, as specified in RFC 5996. This has an effect on the lifecycle of diffie_hellman_t, see source:src/libcharon/sa/keymat.h#39 for details. - COOKIEs are now kept enabled a bit longer to avoid certain race OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=44
2012-05-10 12:02:51 +02:00
%{strongswan_libdir}/libradius.so.0
%{strongswan_libdir}/libradius.so.0.0.0
- Updated to strongSwan 4.6.1 release: Changes in 4.6.1: - Because of changing checksums before and after installation which caused the integrity tests to fail we avoided directly linking libsimaka, libtls and libtnccs to those libcharon plugins which make use of these dynamiclibraries. Instead we linked the libraries to the charon daemon. Unfortunately Ubuntu 11.10 activated the --as-needed ld option which discards explicit links to dynamic libraries that are not actually used by the charon daemon itself, thus causing failures during the loading of the plugins which depend on these libraries for resolving external symbols. - Therefore our approach of computing integrity checksums for plugins had to be changed radically by moving the hash generation from the compilation to the post-installation phase. Changes in 4.6.0: - The new libstrongswan certexpire plugin collects expiration information of all used certificates and exports them to CSV files. It either directly exports them or uses cron style scheduling for batch exports. - Starter passes unresolved hostnames to charon, allowing it to do name resolution not before the connection attempt. This is especially useful with connections between hosts using dynamic IP addresses. Thanks to Mirko Parthey for the initial patch. - The android plugin can now be used without the Android frontend patch and provides DNS server registration and logging to logcat. - Pluto and starter (plus stroke and whack) have been ported to Android. - Support for ECDSA private and public key operations has been added to the pkcs11 plugin. The plugin now also provides DH and ECDH via PKCS#11 and can use tokens as random number generators (RNG). By default only private key operations are enabled, more advanced features have to be enabled by their option in strongswan.conf. This also applies to public OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=39
2012-02-15 14:32:28 +01:00
%{strongswan_libdir}/libsimaka.so.0
%{strongswan_libdir}/libsimaka.so.0.0.0
%{strongswan_libdir}/libstrongswan.so.0
%{strongswan_libdir}/libstrongswan.so.0.0.0
%dir %{strongswan_plugins}
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are: * Support of xfrm marks in IPsec SAs and IPsec policies introduced with the Linux 2.6.34 kernel. For details see the example scenarios ikev2/nat-two-rw-mark, ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp. * The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be used in a user-specific updown script to set marks on inbound ESP or ESP_IN_UDP packets. * The openssl plugin now supports X.509 certificate and CRL functions. * OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled by default. Plase update manual load directives in strongswan.conf. * RFC3779 ipAddrBlock constraint checking has been moved to the addrblock plugin, disabled by default. Enable it and update manual load directives in strongswan.conf, if required. * The pki utility supports CRL generation using the --signcrl command. * The ipsec pki --self, --issue and --req commands now support output in PEM format using the --outform pem option. * The major refactoring of the IKEv1 Mode Config functionality now allows the transport and handling of any Mode Config attribute. * The RADIUS proxy plugin eap-radius now supports multiple servers. Configured servers are chosen randomly, with the option to prefer a specific server. Non-responding servers are degraded by the selection process. * The ipsec pool tool manages arbitrary configuration attributes stored in an SQL database. ipsec pool --help gives the details. * The new eap-simaka-sql plugin acts as a backend for EAP-SIM and EAP-AKA, reading triplets/quintuplets from an SQL database. * The High Availability plugin now supports a HA enabled in-memory address pool and Node reintegration without IKE_SA rekeying. The latter allows clients without IKE_SA rekeying support to keep connected during reintegration. Additionally, many other issues have been fixed in the ha plugin. * Fixed a potential remote code execution vulnerability resulting from the misuse of snprintf(). The vulnerability is exploitable by unauthenticated users. - Removed obsolete snprintf security fix, adopted spec file - Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth, eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins. - Enabled the mysql, sqlite, load-tester and test-vectors plugins, that are packaged into separate mysql,sqlite,tests sub packages. OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
%{strongswan_plugins}/libstrongswan-addrblock.so
%{strongswan_plugins}/libstrongswan-aes.so
%{strongswan_plugins}/libstrongswan-agent.so
%{strongswan_plugins}/libstrongswan-attr.so
%{strongswan_plugins}/libstrongswan-attr-sql.so
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are: * Support of xfrm marks in IPsec SAs and IPsec policies introduced with the Linux 2.6.34 kernel. For details see the example scenarios ikev2/nat-two-rw-mark, ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp. * The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be used in a user-specific updown script to set marks on inbound ESP or ESP_IN_UDP packets. * The openssl plugin now supports X.509 certificate and CRL functions. * OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled by default. Plase update manual load directives in strongswan.conf. * RFC3779 ipAddrBlock constraint checking has been moved to the addrblock plugin, disabled by default. Enable it and update manual load directives in strongswan.conf, if required. * The pki utility supports CRL generation using the --signcrl command. * The ipsec pki --self, --issue and --req commands now support output in PEM format using the --outform pem option. * The major refactoring of the IKEv1 Mode Config functionality now allows the transport and handling of any Mode Config attribute. * The RADIUS proxy plugin eap-radius now supports multiple servers. Configured servers are chosen randomly, with the option to prefer a specific server. Non-responding servers are degraded by the selection process. * The ipsec pool tool manages arbitrary configuration attributes stored in an SQL database. ipsec pool --help gives the details. * The new eap-simaka-sql plugin acts as a backend for EAP-SIM and EAP-AKA, reading triplets/quintuplets from an SQL database. * The High Availability plugin now supports a HA enabled in-memory address pool and Node reintegration without IKE_SA rekeying. The latter allows clients without IKE_SA rekeying support to keep connected during reintegration. Additionally, many other issues have been fixed in the ha plugin. * Fixed a potential remote code execution vulnerability resulting from the misuse of snprintf(). The vulnerability is exploitable by unauthenticated users. - Removed obsolete snprintf security fix, adopted spec file - Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth, eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins. - Enabled the mysql, sqlite, load-tester and test-vectors plugins, that are packaged into separate mysql,sqlite,tests sub packages. OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
%{strongswan_plugins}/libstrongswan-blowfish.so
- Updated to strongSwan 4.6.3 release: - The tnc-pdp plugin implements a RADIUS server interface allowing a strongSwan TNC server to act as a Policy Decision Point. - The eap-radius authentication backend enforces Session-Timeout attributes using RFC4478 repeated authentication and acts upon RADIUS Dynamic Authorization extensions, RFC 5176. Currently supported are disconnect requests and CoA messages containing a Session-Timeout. - The eap-radius plugin can forward arbitrary RADIUS attributes from and to clients using custom IKEv2 notify payloads. The new radattr plugin reads attributes to include from files and prints received attributes to the console. - Added support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595. - The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128 algorithms as defined in RFC 4494 and RFC 4615, respectively. - The resolve plugin automatically installs nameservers via resolvconf(8), if it is installed, instead of modifying /etc/resolv.conf directly. - The IKEv2 charon daemon supports now raw RSA public keys in RFC 3110 DNSKEY and PKCS#1 file format. - The farp plugin sends ARP responses for any tunneled address, not only virtual IPs. - Charon resolves hosts again during additional keying tries. - Fixed switching back to original address pair during MOBIKE. - When resending IKE_SA_INIT with a COOKIE charon reuses the previous DH value, as specified in RFC 5996. This has an effect on the lifecycle of diffie_hellman_t, see source:src/libcharon/sa/keymat.h#39 for details. - COOKIEs are now kept enabled a bit longer to avoid certain race OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=44
2012-05-10 12:02:51 +02:00
%{strongswan_plugins}/libstrongswan-cmac.so
%{strongswan_plugins}/libstrongswan-constraints.so
%{strongswan_plugins}/libstrongswan-curl.so
%{strongswan_plugins}/libstrongswan-des.so
%{strongswan_plugins}/libstrongswan-dhcp.so
%{strongswan_plugins}/libstrongswan-dnskey.so
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are: * Support of xfrm marks in IPsec SAs and IPsec policies introduced with the Linux 2.6.34 kernel. For details see the example scenarios ikev2/nat-two-rw-mark, ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp. * The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be used in a user-specific updown script to set marks on inbound ESP or ESP_IN_UDP packets. * The openssl plugin now supports X.509 certificate and CRL functions. * OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled by default. Plase update manual load directives in strongswan.conf. * RFC3779 ipAddrBlock constraint checking has been moved to the addrblock plugin, disabled by default. Enable it and update manual load directives in strongswan.conf, if required. * The pki utility supports CRL generation using the --signcrl command. * The ipsec pki --self, --issue and --req commands now support output in PEM format using the --outform pem option. * The major refactoring of the IKEv1 Mode Config functionality now allows the transport and handling of any Mode Config attribute. * The RADIUS proxy plugin eap-radius now supports multiple servers. Configured servers are chosen randomly, with the option to prefer a specific server. Non-responding servers are degraded by the selection process. * The ipsec pool tool manages arbitrary configuration attributes stored in an SQL database. ipsec pool --help gives the details. * The new eap-simaka-sql plugin acts as a backend for EAP-SIM and EAP-AKA, reading triplets/quintuplets from an SQL database. * The High Availability plugin now supports a HA enabled in-memory address pool and Node reintegration without IKE_SA rekeying. The latter allows clients without IKE_SA rekeying support to keep connected during reintegration. Additionally, many other issues have been fixed in the ha plugin. * Fixed a potential remote code execution vulnerability resulting from the misuse of snprintf(). The vulnerability is exploitable by unauthenticated users. - Removed obsolete snprintf security fix, adopted spec file - Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth, eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins. - Enabled the mysql, sqlite, load-tester and test-vectors plugins, that are packaged into separate mysql,sqlite,tests sub packages. OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
%{strongswan_plugins}/libstrongswan-eap-aka-3gpp2.so
%{strongswan_plugins}/libstrongswan-eap-aka.so
%{strongswan_plugins}/libstrongswan-eap-gtc.so
%{strongswan_plugins}/libstrongswan-eap-identity.so
%{strongswan_plugins}/libstrongswan-eap-md5.so
%{strongswan_plugins}/libstrongswan-eap-mschapv2.so
%{strongswan_plugins}/libstrongswan-eap-radius.so
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are: * Support of xfrm marks in IPsec SAs and IPsec policies introduced with the Linux 2.6.34 kernel. For details see the example scenarios ikev2/nat-two-rw-mark, ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp. * The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be used in a user-specific updown script to set marks on inbound ESP or ESP_IN_UDP packets. * The openssl plugin now supports X.509 certificate and CRL functions. * OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled by default. Plase update manual load directives in strongswan.conf. * RFC3779 ipAddrBlock constraint checking has been moved to the addrblock plugin, disabled by default. Enable it and update manual load directives in strongswan.conf, if required. * The pki utility supports CRL generation using the --signcrl command. * The ipsec pki --self, --issue and --req commands now support output in PEM format using the --outform pem option. * The major refactoring of the IKEv1 Mode Config functionality now allows the transport and handling of any Mode Config attribute. * The RADIUS proxy plugin eap-radius now supports multiple servers. Configured servers are chosen randomly, with the option to prefer a specific server. Non-responding servers are degraded by the selection process. * The ipsec pool tool manages arbitrary configuration attributes stored in an SQL database. ipsec pool --help gives the details. * The new eap-simaka-sql plugin acts as a backend for EAP-SIM and EAP-AKA, reading triplets/quintuplets from an SQL database. * The High Availability plugin now supports a HA enabled in-memory address pool and Node reintegration without IKE_SA rekeying. The latter allows clients without IKE_SA rekeying support to keep connected during reintegration. Additionally, many other issues have been fixed in the ha plugin. * Fixed a potential remote code execution vulnerability resulting from the misuse of snprintf(). The vulnerability is exploitable by unauthenticated users. - Removed obsolete snprintf security fix, adopted spec file - Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth, eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins. - Enabled the mysql, sqlite, load-tester and test-vectors plugins, that are packaged into separate mysql,sqlite,tests sub packages. OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
%{strongswan_plugins}/libstrongswan-eap-simaka-pseudonym.so
%{strongswan_plugins}/libstrongswan-eap-simaka-reauth.so
%{strongswan_plugins}/libstrongswan-eap-simaka-sql.so
%{strongswan_plugins}/libstrongswan-eap-sim-file.so
%{strongswan_plugins}/libstrongswan-eap-sim.so
%{strongswan_plugins}/libstrongswan-farp.so
%{strongswan_plugins}/libstrongswan-fips-prf.so
%if %with_gcrypt
%{strongswan_plugins}/libstrongswan-gcrypt.so
%endif
%{strongswan_plugins}/libstrongswan-gmp.so
%{strongswan_plugins}/libstrongswan-ha.so
%{strongswan_plugins}/libstrongswan-hmac.so
%{strongswan_plugins}/libstrongswan-kernel-netlink.so
%{strongswan_plugins}/libstrongswan-ldap.so
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are: * Support of xfrm marks in IPsec SAs and IPsec policies introduced with the Linux 2.6.34 kernel. For details see the example scenarios ikev2/nat-two-rw-mark, ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp. * The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be used in a user-specific updown script to set marks on inbound ESP or ESP_IN_UDP packets. * The openssl plugin now supports X.509 certificate and CRL functions. * OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled by default. Plase update manual load directives in strongswan.conf. * RFC3779 ipAddrBlock constraint checking has been moved to the addrblock plugin, disabled by default. Enable it and update manual load directives in strongswan.conf, if required. * The pki utility supports CRL generation using the --signcrl command. * The ipsec pki --self, --issue and --req commands now support output in PEM format using the --outform pem option. * The major refactoring of the IKEv1 Mode Config functionality now allows the transport and handling of any Mode Config attribute. * The RADIUS proxy plugin eap-radius now supports multiple servers. Configured servers are chosen randomly, with the option to prefer a specific server. Non-responding servers are degraded by the selection process. * The ipsec pool tool manages arbitrary configuration attributes stored in an SQL database. ipsec pool --help gives the details. * The new eap-simaka-sql plugin acts as a backend for EAP-SIM and EAP-AKA, reading triplets/quintuplets from an SQL database. * The High Availability plugin now supports a HA enabled in-memory address pool and Node reintegration without IKE_SA rekeying. The latter allows clients without IKE_SA rekeying support to keep connected during reintegration. Additionally, many other issues have been fixed in the ha plugin. * Fixed a potential remote code execution vulnerability resulting from the misuse of snprintf(). The vulnerability is exploitable by unauthenticated users. - Removed obsolete snprintf security fix, adopted spec file - Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth, eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins. - Enabled the mysql, sqlite, load-tester and test-vectors plugins, that are packaged into separate mysql,sqlite,tests sub packages. OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
%{strongswan_plugins}/libstrongswan-md4.so
%{strongswan_plugins}/libstrongswan-md5.so
%{strongswan_plugins}/libstrongswan-openssl.so
%{strongswan_plugins}/libstrongswan-pem.so
%{strongswan_plugins}/libstrongswan-pgp.so
%{strongswan_plugins}/libstrongswan-pkcs1.so
%{strongswan_plugins}/libstrongswan-pkcs8.so
%{strongswan_plugins}/libstrongswan-pubkey.so
%{strongswan_plugins}/libstrongswan-random.so
%{strongswan_plugins}/libstrongswan-resolve.so
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are: * Support of xfrm marks in IPsec SAs and IPsec policies introduced with the Linux 2.6.34 kernel. For details see the example scenarios ikev2/nat-two-rw-mark, ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp. * The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be used in a user-specific updown script to set marks on inbound ESP or ESP_IN_UDP packets. * The openssl plugin now supports X.509 certificate and CRL functions. * OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled by default. Plase update manual load directives in strongswan.conf. * RFC3779 ipAddrBlock constraint checking has been moved to the addrblock plugin, disabled by default. Enable it and update manual load directives in strongswan.conf, if required. * The pki utility supports CRL generation using the --signcrl command. * The ipsec pki --self, --issue and --req commands now support output in PEM format using the --outform pem option. * The major refactoring of the IKEv1 Mode Config functionality now allows the transport and handling of any Mode Config attribute. * The RADIUS proxy plugin eap-radius now supports multiple servers. Configured servers are chosen randomly, with the option to prefer a specific server. Non-responding servers are degraded by the selection process. * The ipsec pool tool manages arbitrary configuration attributes stored in an SQL database. ipsec pool --help gives the details. * The new eap-simaka-sql plugin acts as a backend for EAP-SIM and EAP-AKA, reading triplets/quintuplets from an SQL database. * The High Availability plugin now supports a HA enabled in-memory address pool and Node reintegration without IKE_SA rekeying. The latter allows clients without IKE_SA rekeying support to keep connected during reintegration. Additionally, many other issues have been fixed in the ha plugin. * Fixed a potential remote code execution vulnerability resulting from the misuse of snprintf(). The vulnerability is exploitable by unauthenticated users. - Removed obsolete snprintf security fix, adopted spec file - Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth, eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins. - Enabled the mysql, sqlite, load-tester and test-vectors plugins, that are packaged into separate mysql,sqlite,tests sub packages. OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
%{strongswan_plugins}/libstrongswan-revocation.so
%{strongswan_plugins}/libstrongswan-sha1.so
%{strongswan_plugins}/libstrongswan-sha2.so
- Updated to strongSwan 4.5.0 release, changes since 4.4.1 are: * IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5 from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively come for IKEv1 to go into retirement and to cede its place to the much more robust, powerful and versatile IKEv2 protocol! * Added new ctr, ccm and gcm plugins providing Counter, Counter with CBC-MAC and Galois/Counter Modes based on existing CBC implementations. These new plugins bring support for AES and Camellia Counter and CCM algorithms and the AES GCM algorithms for use in IKEv2. * The new pkcs11 plugin brings full Smartcard support to the IKEv2 daemon and the pki utility using one or more PKCS#11 libraries. It currently supports RSA private and public key operations and loads X.509 certificates from tokens. * Implemented a general purpose TLS stack based on crypto and credential primitives of libstrongswan. libtls supports TLS versions 1.0, 1.1 and 1.2, ECDHE-ECDSA/RSA, DHE-RSA and RSA key exchange algorithms and RSA/ECDSA based client authentication. * Based on libtls, the eap-tls plugin brings certificate based EAP authentication for client and server. It is compatible to Windows 7 IKEv2 Smartcard authentication and the OpenSSL based FreeRADIUS EAP-TLS backend. * Implemented the TNCCS 1.1 Trusted Network Connect protocol using the libtnc library on the strongSwan client and server side via the tnccs_11 plugin and optionally connecting to a TNC@FHH-enhanced FreeRADIUS AAA server. Depending on the resulting TNC Recommendation, strongSwan clients are granted access to a network behind a strongSwan gateway (allow), are put into a remediation zone (isolate) or are blocked (none), respectively. Any number of Integrity Measurement Collector/Verifier pairs can be attached via the tnc-imc and tnc-imv charon plugins. * The IKEv1 daemon pluto now uses the same kernel interfaces as the IKEv2 daemon charon. As a result of this, pluto now supports xfrm marks which were introduced in charon with 4.4.1. * The RADIUS plugin eap-radius now supports multiple RADIUS servers for redundant setups. Servers are selected by a defined priority, server load and availability. * The simple led plugin controls hardware LEDs through the Linux LED subsystem. It currently shows activity of the IKE daemon and is a good example how to implement a simple event listener. * Improved MOBIKE behavior in several corner cases, for instance, if the initial responder moves to a different address. * Fixed left-/rightnexthop option, which was broken since 4.4.0. * Fixed a bug not releasing a virtual IP address to a pool if the XAUTH identity was different from the IKE identity. * Fixed the alignment of ModeConfig messages on 4-byte boundaries in the case where the attributes are not a multiple of 4 bytes (e.g. Cisco's UNITY_BANNER). * Fixed the interoperability of the socket_raw and socket_default charon plugins. * Added man page for strongswan.conf - Adopted spec file, removed obsolete error range patch. OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=20
2010-11-16 13:10:30 +01:00
%{strongswan_plugins}/libstrongswan-socket*.so
%{strongswan_plugins}/libstrongswan-sql.so
%{strongswan_plugins}/libstrongswan-x509.so
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are: * Support of xfrm marks in IPsec SAs and IPsec policies introduced with the Linux 2.6.34 kernel. For details see the example scenarios ikev2/nat-two-rw-mark, ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp. * The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be used in a user-specific updown script to set marks on inbound ESP or ESP_IN_UDP packets. * The openssl plugin now supports X.509 certificate and CRL functions. * OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled by default. Plase update manual load directives in strongswan.conf. * RFC3779 ipAddrBlock constraint checking has been moved to the addrblock plugin, disabled by default. Enable it and update manual load directives in strongswan.conf, if required. * The pki utility supports CRL generation using the --signcrl command. * The ipsec pki --self, --issue and --req commands now support output in PEM format using the --outform pem option. * The major refactoring of the IKEv1 Mode Config functionality now allows the transport and handling of any Mode Config attribute. * The RADIUS proxy plugin eap-radius now supports multiple servers. Configured servers are chosen randomly, with the option to prefer a specific server. Non-responding servers are degraded by the selection process. * The ipsec pool tool manages arbitrary configuration attributes stored in an SQL database. ipsec pool --help gives the details. * The new eap-simaka-sql plugin acts as a backend for EAP-SIM and EAP-AKA, reading triplets/quintuplets from an SQL database. * The High Availability plugin now supports a HA enabled in-memory address pool and Node reintegration without IKE_SA rekeying. The latter allows clients without IKE_SA rekeying support to keep connected during reintegration. Additionally, many other issues have been fixed in the ha plugin. * Fixed a potential remote code execution vulnerability resulting from the misuse of snprintf(). The vulnerability is exploitable by unauthenticated users. - Removed obsolete snprintf security fix, adopted spec file - Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth, eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins. - Enabled the mysql, sqlite, load-tester and test-vectors plugins, that are packaged into separate mysql,sqlite,tests sub packages. OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
%{strongswan_plugins}/libstrongswan-xauth.so
%{strongswan_plugins}/libstrongswan-xcbc.so
%dir %ghost %{_localstatedir}/run/strongswan
%if %with_nm
%files nm
%defattr(-,root,root)
%dir %{_libexecdir}/ipsec
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-nm.so
%endif
%if %with_mysql
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are: * Support of xfrm marks in IPsec SAs and IPsec policies introduced with the Linux 2.6.34 kernel. For details see the example scenarios ikev2/nat-two-rw-mark, ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp. * The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be used in a user-specific updown script to set marks on inbound ESP or ESP_IN_UDP packets. * The openssl plugin now supports X.509 certificate and CRL functions. * OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled by default. Plase update manual load directives in strongswan.conf. * RFC3779 ipAddrBlock constraint checking has been moved to the addrblock plugin, disabled by default. Enable it and update manual load directives in strongswan.conf, if required. * The pki utility supports CRL generation using the --signcrl command. * The ipsec pki --self, --issue and --req commands now support output in PEM format using the --outform pem option. * The major refactoring of the IKEv1 Mode Config functionality now allows the transport and handling of any Mode Config attribute. * The RADIUS proxy plugin eap-radius now supports multiple servers. Configured servers are chosen randomly, with the option to prefer a specific server. Non-responding servers are degraded by the selection process. * The ipsec pool tool manages arbitrary configuration attributes stored in an SQL database. ipsec pool --help gives the details. * The new eap-simaka-sql plugin acts as a backend for EAP-SIM and EAP-AKA, reading triplets/quintuplets from an SQL database. * The High Availability plugin now supports a HA enabled in-memory address pool and Node reintegration without IKE_SA rekeying. The latter allows clients without IKE_SA rekeying support to keep connected during reintegration. Additionally, many other issues have been fixed in the ha plugin. * Fixed a potential remote code execution vulnerability resulting from the misuse of snprintf(). The vulnerability is exploitable by unauthenticated users. - Removed obsolete snprintf security fix, adopted spec file - Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth, eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins. - Enabled the mysql, sqlite, load-tester and test-vectors plugins, that are packaged into separate mysql,sqlite,tests sub packages. OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
%files mysql
%defattr(-,root,root)
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-mysql.so
%endif
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are: * Support of xfrm marks in IPsec SAs and IPsec policies introduced with the Linux 2.6.34 kernel. For details see the example scenarios ikev2/nat-two-rw-mark, ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp. * The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be used in a user-specific updown script to set marks on inbound ESP or ESP_IN_UDP packets. * The openssl plugin now supports X.509 certificate and CRL functions. * OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled by default. Plase update manual load directives in strongswan.conf. * RFC3779 ipAddrBlock constraint checking has been moved to the addrblock plugin, disabled by default. Enable it and update manual load directives in strongswan.conf, if required. * The pki utility supports CRL generation using the --signcrl command. * The ipsec pki --self, --issue and --req commands now support output in PEM format using the --outform pem option. * The major refactoring of the IKEv1 Mode Config functionality now allows the transport and handling of any Mode Config attribute. * The RADIUS proxy plugin eap-radius now supports multiple servers. Configured servers are chosen randomly, with the option to prefer a specific server. Non-responding servers are degraded by the selection process. * The ipsec pool tool manages arbitrary configuration attributes stored in an SQL database. ipsec pool --help gives the details. * The new eap-simaka-sql plugin acts as a backend for EAP-SIM and EAP-AKA, reading triplets/quintuplets from an SQL database. * The High Availability plugin now supports a HA enabled in-memory address pool and Node reintegration without IKE_SA rekeying. The latter allows clients without IKE_SA rekeying support to keep connected during reintegration. Additionally, many other issues have been fixed in the ha plugin. * Fixed a potential remote code execution vulnerability resulting from the misuse of snprintf(). The vulnerability is exploitable by unauthenticated users. - Removed obsolete snprintf security fix, adopted spec file - Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth, eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins. - Enabled the mysql, sqlite, load-tester and test-vectors plugins, that are packaged into separate mysql,sqlite,tests sub packages. OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
%if %with_sqlite
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are: * Support of xfrm marks in IPsec SAs and IPsec policies introduced with the Linux 2.6.34 kernel. For details see the example scenarios ikev2/nat-two-rw-mark, ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp. * The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be used in a user-specific updown script to set marks on inbound ESP or ESP_IN_UDP packets. * The openssl plugin now supports X.509 certificate and CRL functions. * OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled by default. Plase update manual load directives in strongswan.conf. * RFC3779 ipAddrBlock constraint checking has been moved to the addrblock plugin, disabled by default. Enable it and update manual load directives in strongswan.conf, if required. * The pki utility supports CRL generation using the --signcrl command. * The ipsec pki --self, --issue and --req commands now support output in PEM format using the --outform pem option. * The major refactoring of the IKEv1 Mode Config functionality now allows the transport and handling of any Mode Config attribute. * The RADIUS proxy plugin eap-radius now supports multiple servers. Configured servers are chosen randomly, with the option to prefer a specific server. Non-responding servers are degraded by the selection process. * The ipsec pool tool manages arbitrary configuration attributes stored in an SQL database. ipsec pool --help gives the details. * The new eap-simaka-sql plugin acts as a backend for EAP-SIM and EAP-AKA, reading triplets/quintuplets from an SQL database. * The High Availability plugin now supports a HA enabled in-memory address pool and Node reintegration without IKE_SA rekeying. The latter allows clients without IKE_SA rekeying support to keep connected during reintegration. Additionally, many other issues have been fixed in the ha plugin. * Fixed a potential remote code execution vulnerability resulting from the misuse of snprintf(). The vulnerability is exploitable by unauthenticated users. - Removed obsolete snprintf security fix, adopted spec file - Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth, eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins. - Enabled the mysql, sqlite, load-tester and test-vectors plugins, that are packaged into separate mysql,sqlite,tests sub packages. OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
%files sqlite
%defattr(-,root,root)
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-sqlite.so
%endif
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are: * Support of xfrm marks in IPsec SAs and IPsec policies introduced with the Linux 2.6.34 kernel. For details see the example scenarios ikev2/nat-two-rw-mark, ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp. * The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be used in a user-specific updown script to set marks on inbound ESP or ESP_IN_UDP packets. * The openssl plugin now supports X.509 certificate and CRL functions. * OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled by default. Plase update manual load directives in strongswan.conf. * RFC3779 ipAddrBlock constraint checking has been moved to the addrblock plugin, disabled by default. Enable it and update manual load directives in strongswan.conf, if required. * The pki utility supports CRL generation using the --signcrl command. * The ipsec pki --self, --issue and --req commands now support output in PEM format using the --outform pem option. * The major refactoring of the IKEv1 Mode Config functionality now allows the transport and handling of any Mode Config attribute. * The RADIUS proxy plugin eap-radius now supports multiple servers. Configured servers are chosen randomly, with the option to prefer a specific server. Non-responding servers are degraded by the selection process. * The ipsec pool tool manages arbitrary configuration attributes stored in an SQL database. ipsec pool --help gives the details. * The new eap-simaka-sql plugin acts as a backend for EAP-SIM and EAP-AKA, reading triplets/quintuplets from an SQL database. * The High Availability plugin now supports a HA enabled in-memory address pool and Node reintegration without IKE_SA rekeying. The latter allows clients without IKE_SA rekeying support to keep connected during reintegration. Additionally, many other issues have been fixed in the ha plugin. * Fixed a potential remote code execution vulnerability resulting from the misuse of snprintf(). The vulnerability is exploitable by unauthenticated users. - Removed obsolete snprintf security fix, adopted spec file - Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth, eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins. - Enabled the mysql, sqlite, load-tester and test-vectors plugins, that are packaged into separate mysql,sqlite,tests sub packages. OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
%if %with_tests
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are: * Support of xfrm marks in IPsec SAs and IPsec policies introduced with the Linux 2.6.34 kernel. For details see the example scenarios ikev2/nat-two-rw-mark, ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp. * The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be used in a user-specific updown script to set marks on inbound ESP or ESP_IN_UDP packets. * The openssl plugin now supports X.509 certificate and CRL functions. * OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled by default. Plase update manual load directives in strongswan.conf. * RFC3779 ipAddrBlock constraint checking has been moved to the addrblock plugin, disabled by default. Enable it and update manual load directives in strongswan.conf, if required. * The pki utility supports CRL generation using the --signcrl command. * The ipsec pki --self, --issue and --req commands now support output in PEM format using the --outform pem option. * The major refactoring of the IKEv1 Mode Config functionality now allows the transport and handling of any Mode Config attribute. * The RADIUS proxy plugin eap-radius now supports multiple servers. Configured servers are chosen randomly, with the option to prefer a specific server. Non-responding servers are degraded by the selection process. * The ipsec pool tool manages arbitrary configuration attributes stored in an SQL database. ipsec pool --help gives the details. * The new eap-simaka-sql plugin acts as a backend for EAP-SIM and EAP-AKA, reading triplets/quintuplets from an SQL database. * The High Availability plugin now supports a HA enabled in-memory address pool and Node reintegration without IKE_SA rekeying. The latter allows clients without IKE_SA rekeying support to keep connected during reintegration. Additionally, many other issues have been fixed in the ha plugin. * Fixed a potential remote code execution vulnerability resulting from the misuse of snprintf(). The vulnerability is exploitable by unauthenticated users. - Removed obsolete snprintf security fix, adopted spec file - Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth, eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins. - Enabled the mysql, sqlite, load-tester and test-vectors plugins, that are packaged into separate mysql,sqlite,tests sub packages. OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
%files tests
%defattr(-,root,root)
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-load-tester.so
%{strongswan_plugins}/libstrongswan-test-vectors.so
%endif
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are: * Support of xfrm marks in IPsec SAs and IPsec policies introduced with the Linux 2.6.34 kernel. For details see the example scenarios ikev2/nat-two-rw-mark, ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp. * The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be used in a user-specific updown script to set marks on inbound ESP or ESP_IN_UDP packets. * The openssl plugin now supports X.509 certificate and CRL functions. * OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled by default. Plase update manual load directives in strongswan.conf. * RFC3779 ipAddrBlock constraint checking has been moved to the addrblock plugin, disabled by default. Enable it and update manual load directives in strongswan.conf, if required. * The pki utility supports CRL generation using the --signcrl command. * The ipsec pki --self, --issue and --req commands now support output in PEM format using the --outform pem option. * The major refactoring of the IKEv1 Mode Config functionality now allows the transport and handling of any Mode Config attribute. * The RADIUS proxy plugin eap-radius now supports multiple servers. Configured servers are chosen randomly, with the option to prefer a specific server. Non-responding servers are degraded by the selection process. * The ipsec pool tool manages arbitrary configuration attributes stored in an SQL database. ipsec pool --help gives the details. * The new eap-simaka-sql plugin acts as a backend for EAP-SIM and EAP-AKA, reading triplets/quintuplets from an SQL database. * The High Availability plugin now supports a HA enabled in-memory address pool and Node reintegration without IKE_SA rekeying. The latter allows clients without IKE_SA rekeying support to keep connected during reintegration. Additionally, many other issues have been fixed in the ha plugin. * Fixed a potential remote code execution vulnerability resulting from the misuse of snprintf(). The vulnerability is exploitable by unauthenticated users. - Removed obsolete snprintf security fix, adopted spec file - Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth, eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins. - Enabled the mysql, sqlite, load-tester and test-vectors plugins, that are packaged into separate mysql,sqlite,tests sub packages. OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
%changelog