diff --git a/README.SUSE b/README.SUSE new file mode 100644 index 0000000..140478d --- /dev/null +++ b/README.SUSE @@ -0,0 +1,14 @@ +Dear Customer, + +this package does no provide any files any more, but triggers the +installation of both, IKEv1 (pluto) and IKEv2 (charon) daemons and +the traditional starter scripts inclusive of the /etc/init.d/ipsec +init script and /etc/ipsec.conf file. + +There is a new strongswan-nm package with a NetworkManager plugin +to control the charon IKEv2 daemon through D-Bus, designed to work +using the NetworkManager-strongswan graphical user interface. +It does not depend on the traditional starter scripts, but on the +IKEv2 charon daemon and plugins only. + +Have a lot of fun... diff --git a/strongswan-4.3.6-rpmlintrc b/strongswan-4.3.6-rpmlintrc deleted file mode 100644 index deae116..0000000 --- a/strongswan-4.3.6-rpmlintrc +++ /dev/null @@ -1,4 +0,0 @@ -addFilter("strongswan.* incoherent-init-script-name ipsec") -addFilter('strongswan.* shlib-policy-missing-suffix') -#addFilter("strongswan.* devel-file-in-non-devel-package .*/usr/lib.*/ipsec/plugins") -#addFilter("strongswan.* unstripped-binary-or-object") diff --git a/strongswan-4.3.6-time_t_ptr.diff b/strongswan-4.3.6-time_t_ptr.diff deleted file mode 100644 index c0ed607..0000000 --- a/strongswan-4.3.6-time_t_ptr.diff +++ /dev/null @@ -1,11 +0,0 @@ ---- src/pluto/timer.c -+++ src/pluto/timer.c 2010/03/02 17:03:41 -@@ -48,7 +48,7 @@ time_t now(void) - { - static time_t delta = 0 - , last_time = 0; -- time_t n = time((time_t)NULL); -+ time_t n = time((time_t *)NULL); - - passert(n != (time_t)-1); - if (last_time > n) diff --git a/strongswan-4.3.6.tar.bz2 b/strongswan-4.3.6.tar.bz2 deleted file mode 100644 index 0c65c8a..0000000 --- a/strongswan-4.3.6.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:39a311c62f4f2474faf239c0edf6518a14a953b9c2092bbfa473cd34dcb8f5e7 -size 2831944 diff --git a/strongswan-4.3.6.tar.bz2.sig b/strongswan-4.3.6.tar.bz2.sig deleted file mode 100644 index 645c744..0000000 --- a/strongswan-4.3.6.tar.bz2.sig +++ /dev/null @@ -1,14 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.9 (GNU/Linux) - -iQGcBAABAgAGBQJLcr+BAAoJEN9CwXCzTbp3fp4L/js5E69jqpEIKe82amRjLewK -orEWWfaXq7p/Ob8KYICUBt4lXtDNka8NspMZ88bWTUYLkDMTITBB9JiYVu2NXTYY -6CQAR9eNB6E+uOOkj6udU1Y/dt+MY5uvbrjOgTN2Kcue+AlVrngSuruN71r+GOnD -vWDf6AxU8LtiPUaY8WTC7Nn8Qgi1g10I5HXn5D6QN6Cz4oWf/hx1VvOZ1s7gTekW -4E/V2ladLFKhXIC2D3tUn5J8FwKXFyqdooBnWvqhrDidNEQ8CDr62lkfOwJ3/qTP -wpvQkwlOdX5TQQJAaYeW/S39MorK/E10lZWvkF/rkW6vGU5pgQkfGyozP6O/A4w5 -MkRtCsbcbtRIDicsYj4oX+2SiazZtmB5eMVc6SO0GT0dXgEMTGUKC3ezUV03LwXR -PiWLVtrlqnVMxyzfr59HFd8B9c7l5rXcyYpYpspWlfdDM6K83NTOydn4i6HT1DgZ -x5QkqBzdcH7dUmyZmRRUoopNtTRiu4+nmKmHugzrgA== -=n9aW ------END PGP SIGNATURE----- diff --git a/strongswan-4.4.0-rpmlintrc b/strongswan-4.4.0-rpmlintrc new file mode 100644 index 0000000..1a4d703 --- /dev/null +++ b/strongswan-4.4.0-rpmlintrc @@ -0,0 +1,5 @@ +### Known warnings: +# - traditional name +addFilter("strongswan.* incoherent-init-script-name ipsec") +# - readme only, triggers full ipsec + ikev1&ikev2 install +addFilter("strongswan.* no-binary") diff --git a/strongswan-4.4.0.tar.bz2 b/strongswan-4.4.0.tar.bz2 new file mode 100644 index 0000000..54b006c --- /dev/null +++ b/strongswan-4.4.0.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:df40d9daf963ce4f4bef4177ed02d68c083521b307f52bebb1872c2ded4b2718 +size 2863754 diff --git a/strongswan-4.4.0.tar.bz2.sig b/strongswan-4.4.0.tar.bz2.sig new file mode 100644 index 0000000..32cf91a --- /dev/null +++ b/strongswan-4.4.0.tar.bz2.sig @@ -0,0 +1,14 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.9 (GNU/Linux) + +iQGcBAABAgAGBQJL3c/MAAoJEN9CwXCzTbp386wL+gNDpVVgxsom7LkOyDNGmtyS +kTNI7gwW29aDzoara6wL/BeN38whxkA6d8JJ4XUQhytGcJMr/SA59ghVTjIUnK71 +7LtUP1VcTnJu7NTgtKcGCgmTWKgiZYRMNumneiePNOQHBZ1TAHo/HP1mxjUN3Q27 +ULTyAmfyzjuiaZOb/Cs3r9f4qZRZFJBxHrTzOP91f/bGF3Z+DQyiWwSFg9VYPTeC +EQ/MrXQMQaJp2qPvglCAqaSEseqkCbsH85WBE1VO8+h4NxO0vGVLnowVvVHkUfmL +otDW/zeBBnnazAZQ2QurnyqmxDh4Bt2xkFITHNAj2oDGCsKau/NuQ6A8efx51et+ +P1yMmjfbrtTSjiNBZ5v5g1iTjc93krzkMnFwzStmir4qeZklW5Ium/gufwE89L59 +zEG2OQGVTBVFg+hK8jq6mLyW7UOKmNSRw/dJQe1IODd9PQ2+9PbMix/AXcS7qNjV +VL8oHxoQfb5Fjfwi8HUxmRJAyBAYE7b2299fsRANBg== +=p3Rw +-----END PGP SIGNATURE----- diff --git a/strongswan.changes b/strongswan.changes index b4ceacb..b64797c 100644 --- a/strongswan.changes +++ b/strongswan.changes @@ -1,3 +1,51 @@ +------------------------------------------------------------------- +Fri May 14 19:19:04 UTC 2010 - mt@suse.de + +- Updated to strongSwan 4.4.0 release, changes since 4.3.6 are: + * The IKEv2 High Availability plugin has been integrated. It + provides load sharing and failover capabilities in a cluster of + currently two nodes, based on an extend ClusterIP kernel module. + More information is available at + http://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability. + The development of the High Availability functionality was sponsored + by secunet Security Networks AG. + * Added IKEv1 and IKEv2 configuration support for the AES-GMAC + authentication-only ESP cipher. Our aes_gmac kernel patch or a Linux + 2.6.34 kernel is required to make AES-GMAC available via the XFRM + kernel interface. + * Added support for Diffie-Hellman groups 22, 23 and 24 to the gmp, + gcrypt and openssl plugins, usable by both pluto and charon. The new + proposal keywords are modp1024s160, modp2048s224 and modp2048s256. + Thanks to Joy Latten from IBM for her contribution. + * The IKEv1 pluto daemon supports RAM-based virtual IP pools using + the rightsourceip directive with a subnet from which addresses + are allocated. + * The ipsec pki --gen and --pub commands now allow the output of + private and public keys in PEM format using the --outform pem + command line option. + * The new DHCP plugin queries virtual IP addresses for clients from + a DHCP server using broadcasts, or a defined server using the + charon.plugins.dhcp.server strongswan.conf option. DNS/WINS server + information is additionally served to clients if the DHCP server + provides such information. The plugin is used in ipsec.conf + configurations having rightsourceip set to %dhcp. + * A new plugin called farp fakes ARP responses for virtual IP + addresses handed out to clients from the IKEv2 daemon charon. The + plugin lets a road-warrior act as a client on the local LAN if it + uses a virtual IP from the responders subnet, e.g. acquired using + the DHCP plugin. + * The existing IKEv2 socket implementations have been migrated to + the socket-default and the socket-raw plugins. The new + socket-dynamic plugin binds sockets dynamically to ports configured + via the left-/rightikeport ipsec.conf connection parameters. + * The android charon plugin stores received DNS server information + as "net.dns" system properties, as used by the Android platform. +- Splitted package into strongswan-ipsec, that install the traditional + ipsec service starter scripts, -ikev1 and -ikev2 installing daemons + and -libs0, that contains the library and plugins. +- Enabled dhcp, farp, ha, socket-dynamic, agent, eap and sql plugins. +- Enabled NetworkManager nm plugin in a separate strongswan-nm package. + ------------------------------------------------------------------- Tue Mar 2 21:42:10 CET 2010 - mt@suse.de diff --git a/strongswan.spec b/strongswan.spec index 3f2c1a5..0d7a7a2 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,5 +1,5 @@ # -# spec file for package strongswan (Version 4.3.6) +# spec file for package strongswan (Version 4.4.0) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -19,33 +19,35 @@ Name: strongswan -%define upstream_version 4.3.6 -%define strongswan_docdir %{_docdir}/%{name} -Version: 4.3.6 +%define upstream_version 4.4.0 +%define strongswan_docdir %{_docdir}/%{name} +%define strongswan_plugins %{_libexecdir}/ipsec/plugins +Version: 4.4.0 Release: 1 License: GPLv2+ Group: Productivity/Networking/Security -Summary: StrongSwan -- OpenSource IPsec-based VPN Solution +Summary: OpenSource IPsec-based VPN Solution Url: http://www.strongswan.org/ -PreReq: gmp grep %insserv_prereq %fillup_prereq -Requires: iproute2 -Provides: pluto klips ipsec VPN freeswan -Obsoletes: freeswan -Conflicts: openswan +Requires: strongswan-ikev1 = %{version} +Requires: strongswan-ikev2 = %{version} +Requires: strongswan-ipsec = %{version} AutoReqProv: on Source0: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2 Source1: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig Source2: %{name}.init.in Source3: %{name}-%{version}-rpmlintrc Patch1: %{name}_modprobe_syslog.patch -Patch2: strongswan-4.3.6-time_t_ptr.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison flex gmp-devel gperf pkg-config BuildRequires: libcap-devel BuildRequires: libopenssl-devel BuildRequires: libgcrypt-devel BuildRequires: openldap2-devel -BuildRequires: curl-devel +BuildRequires: curl-devel pam-devel +%if 0%{suse_version} >= 1110 +BuildRequires: libuuid-devel +BuildRequires: NetworkManager-devel +%endif %description StrongSwan is an OpenSource IPsec-based VPN Solution for Linux @@ -75,7 +77,9 @@ StrongSwan is an OpenSource IPsec-based VPN Solution for Linux * Modular plugins for crypto algorithms and relational database interfaces * Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869) * Optional built-in integrity and crypto tests for plugins and libraries +* Smooth Linux desktop integration via the strongSwan NetworkManager applet +This package triggers the installation of both, IKEv1 and IKEv2 daemons. Authors: -------- @@ -84,7 +88,7 @@ Authors: %package doc License: GPLv2+ -Summary: StrongSwan -- OpenSource IPsec-based VPN Solution +Summary: OpenSource IPsec-based VPN Solution Group: Productivity/Networking/Security %description doc @@ -99,10 +103,91 @@ Authors: Andreas Steffen and others +%package libs0 +License: GPLv2+ +Summary: OpenSource IPsec-based VPN Solution +Group: Productivity/Networking/Security +Conflicts: strongswan < %{version} + +%description libs0 +StrongSwan is an OpenSource IPsec-based VPN Solution for Linux + +This package provides the strongswan library and plugins. + +%package ikev1 +License: GPLv2+ +Summary: OpenSource IPsec-based VPN Solution +Group: Productivity/Networking/Security +Requires: iproute2 +Requires: strongswan-libs0 = %{version} +Requires: strongswan-ipsec = %{version} +Provides: strongswan-daemon = %{version} ikev1 +Provides: pluto +Conflicts: freeswan openswan strongswan < %{version} + +%description ikev1 +StrongSwan is an OpenSource IPsec-based VPN Solution for Linux + +This package provides the pluto IKEv1 daemon. + +%package ikev2 +License: GPLv2+ +Summary: OpenSource IPsec-based VPN Solution +Group: Productivity/Networking/Security +Requires: iproute2 +Requires: strongswan-libs0 = %{version} +Requires: strongswan-daemon-starter = %{version} +Provides: strongswan-daemon = %{version} ikev2 +Conflicts: openswan strongswan < %{version} + +%description ikev2 +StrongSwan is an OpenSource IPsec-based VPN Solution for Linux + +This package provides the charon IKEv2 daemon. + +%package ipsec +License: GPLv2+ +Summary: OpenSource IPsec-based VPN Solution +Group: Productivity/Networking/Security +PreReq: grep %insserv_prereq %fillup_prereq +Requires: strongswan-libs0 = %{version} +Requires: strongswan-daemon = %{version} +#Recommends: strongswan-ikev1 = %{version} +#Recommends: strongswan-ikev2 = %{version} +Provides: strongswan-daemon-starter = %{version} +Provides: strongswan = %{version} ipsec VPN +Obsoletes: strongswan < %{version} +Conflicts: freeswan openswan + +%description ipsec +StrongSwan is an OpenSource IPsec-based VPN Solution for Linux + +This package provides the /etc/init.d/ipsec service script and allows +to maintain both, IKEv1 and IKEv2 daemons, using /etc/ipsec.conf and +/etc/ipsec.sectes files. + +%if 0%{suse_version} >= 1110 + +%package nm +License: GPLv2+ +Summary: OpenSource IPsec-based VPN Solution +Group: Productivity/Networking/Security +Requires: strongswan-libs0 = %{version} +Requires: strongswan-ikev2 = %{version} +Provides: strongswan-daemon-starter = %{version} + +%description nm +StrongSwan is an OpenSource IPsec-based VPN Solution for Linux + +This package provides the NetworkManager plugin to control the +charon IKEv2 daemon through D-Bus, designed to work using the +NetworkManager-strongswan graphical user interface. + +%endif + %prep %setup -q -n %{name}-%{upstream_version} %patch1 -p0 -%patch2 -p0 sed -e 's|@libexecdir@|%_libexecdir|g' \ < $RPM_SOURCE_DIR/strongswan.init.in \ > strongswan.init @@ -112,17 +197,32 @@ CFLAGS="$RPM_OPT_FLAGS -W -Wall -Wno-pointer-sign -Wno-strict-aliasing" export RPM_OPT_FLAGS CFLAGS #libtoolize --force %{?suse_update_config:%{suse_update_config -f}} -autoreconf +#autoreconf %configure \ --enable-integrity-test \ --with-capabilities=libcap \ + --with-plugindir=%{strongswan_plugins} \ --with-resolv-conf=%{_localstatedir}/run/strongswan/resolv.conf \ --enable-smartcard \ --with-default-pkcs11=%{_libdir}/opensc-pkcs11.so \ --enable-cisco-quirks \ --enable-openssl \ + --enable-agent \ + --enable-eap-md5 \ + --enable-eap-gtc \ + --enable-eap-aka \ + --enable-eap-radius \ + --enable-eap-identity \ + --enable-eap-mschapv2 \ + --enable-ha \ + --enable-dhcp \ + --enable-farp \ + --enable-sql \ + --enable-attr-sql \ + --enable-socket-dynamic \ %if 0%{suse_version} >= 1110 --enable-gcrypt \ + --enable-nm \ %endif --enable-ldap \ --enable-curl @@ -134,7 +234,7 @@ install -m755 -d ${RPM_BUILD_ROOT}%{_sbindir}/ install -m755 -d ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.d/ install -m755 -d ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/ install -m755 strongswan.init ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/ipsec -ln -s %{_sysconfdir}/init.d/ipsec ${RPM_BUILD_ROOT}%{_sbindir}/rcipsec +ln -s %{_sysconfdir}/init.d/ipsec ${RPM_BUILD_ROOT}%{_sbindir}/rcipsec # make install DESTDIR="$RPM_BUILD_ROOT" # @@ -148,20 +248,28 @@ cat << EOT > ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets # EOT # -rm -f $RPM_BUILD_ROOT%{_libdir}/libstrongswan.{so,a,la} +rm -f $RPM_BUILD_ROOT%{_libdir}/lib*.{so,a,la} find $RPM_BUILD_ROOT%{_libexecdir}/ipsec \ -name "*.a" -o -name "*.la" | xargs -r rm -f # install -m755 -d ${RPM_BUILD_ROOT}%{strongswan_docdir}/ install -m644 TODO NEWS README COPYING CREDITS \ + ${RPM_SOURCE_DIR}/README.SUSE \ ${RPM_BUILD_ROOT}%{strongswan_docdir}/ install -m755 -d $RPM_BUILD_ROOT%{_localstatedir}/run/strongswan -%post +%post libs0 %{run_ldconfig} +test -d %{_localstatedir}/run/strongswan || \ +%{__mkdir_p} %{_localstatedir}/run/strongswan + +%postun libs0 +%{run_ldconfig} + +%post ipsec %{fillup_and_insserv ipsec} -%preun +%preun ipsec %{stop_on_removal ipsec} if test -s %{_sysconfdir}/ipsec.secrets.rpmsave; then cp -p --backup=numbered %{_sysconfdir}/ipsec.secrets.rpmsave %{_sysconfdir}/ipsec.secrets.rpmsave.old @@ -170,15 +278,18 @@ if test -s %{_sysconfdir}/ipsec.conf.rpmsave; then cp -p --backup=numbered %{_sysconfdir}/ipsec.conf.rpmsave %{_sysconfdir}/ipsec.conf.rpmsave.old fi -%postun -%{run_ldconfig} +%postun ipsec %{insserv_cleanup} %files %defattr(-,root,root) +%dir %{strongswan_docdir} +%{strongswan_docdir}/README.SUSE + +%files ipsec +%defattr(-,root,root) %config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.conf %config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.secrets -%config(noreplace) %attr(600,root,root) %{_sysconfdir}/strongswan.conf %dir %{_sysconfdir}/ipsec.d %dir %{_sysconfdir}/ipsec.d/crls %dir %{_sysconfdir}/ipsec.d/reqs @@ -191,12 +302,43 @@ fi %config %{_sysconfdir}/init.d/ipsec %{_sbindir}/rcipsec %{_sbindir}/ipsec -%{_libexecdir}/ipsec -%{_libdir}/libstrongswan.* +%{_mandir}/man8/ipsec.8* %{_mandir}/man5/ipsec.conf.5* %{_mandir}/man5/ipsec.secrets.5* -%{_mandir}/man8/ipsec.8* -%dir %{_localstatedir}/run/strongswan +%dir %{_libexecdir}/ipsec +%{_libexecdir}/ipsec/_updown +%{_libexecdir}/ipsec/_updown_espmark +%{_libexecdir}/ipsec/_copyright +%{_libexecdir}/ipsec/pki +%{_libexecdir}/ipsec/openac +%{_libexecdir}/ipsec/scepclient +%{_libexecdir}/ipsec/starter +%{_libexecdir}/ipsec/stroke +%dir %{strongswan_plugins} +%{strongswan_plugins}/libstrongswan-stroke.so +%{strongswan_plugins}/libstrongswan-updown.so + +%files ikev1 +%defattr(-,root,root) +%dir %{_libexecdir}/ipsec +%{_libexecdir}/ipsec/whack +%{_libexecdir}/ipsec/pluto +%{_libexecdir}/ipsec/_pluto_adns + +%files ikev2 +%defattr(-,root,root) +%dir %{_libexecdir}/ipsec +%{_libexecdir}/ipsec/charon +#%dir %{strongswan_plugins} + +%if 0%{suse_version} >= 1110 + +%files nm +%defattr(-,root,root) +%dir %{_libexecdir}/ipsec +%dir %{strongswan_plugins} +%{strongswan_plugins}/libstrongswan-nm.so +%endif %files doc %defattr(-,root,root) @@ -232,4 +374,58 @@ fi %{_mandir}/man8/scepclient.8* %{_mandir}/man8/starter.8* +%files libs0 +%defattr(-,root,root) +%config(noreplace) %attr(600,root,root) %{_sysconfdir}/strongswan.conf +%{_libdir}/libhydra.so.0 +%{_libdir}/libhydra.so.0.0.0 +%{_libdir}/libcharon.so.0 +%{_libdir}/libcharon.so.0.0.0 +%{_libdir}/libstrongswan.so.0 +%{_libdir}/libstrongswan.so.0.0.0 +%dir %{_libexecdir}/ipsec +%dir %{_libexecdir}/ipsec/pool +%{_libexecdir}/ipsec/libchecksum.so +%dir %{strongswan_plugins} +%{strongswan_plugins}/libstrongswan-aes.so +%{strongswan_plugins}/libstrongswan-agent.so +%{strongswan_plugins}/libstrongswan-attr.so +%{strongswan_plugins}/libstrongswan-attr-sql.so +%{strongswan_plugins}/libstrongswan-curl.so +%{strongswan_plugins}/libstrongswan-des.so +%{strongswan_plugins}/libstrongswan-dhcp.so +%{strongswan_plugins}/libstrongswan-dnskey.so +%{strongswan_plugins}/libstrongswan-eap-aka.so +%{strongswan_plugins}/libstrongswan-eap-gtc.so +%{strongswan_plugins}/libstrongswan-eap-identity.so +%{strongswan_plugins}/libstrongswan-eap-md5.so +%{strongswan_plugins}/libstrongswan-eap-mschapv2.so +%{strongswan_plugins}/libstrongswan-eap-radius.so +%{strongswan_plugins}/libstrongswan-farp.so +%{strongswan_plugins}/libstrongswan-fips-prf.so +%if 0%{suse_version} >= 1110 +%{strongswan_plugins}/libstrongswan-gcrypt.so +%endif +%{strongswan_plugins}/libstrongswan-gmp.so +%{strongswan_plugins}/libstrongswan-ha.so +%{strongswan_plugins}/libstrongswan-hmac.so +%{strongswan_plugins}/libstrongswan-kernel-netlink.so +%{strongswan_plugins}/libstrongswan-ldap.so +%{strongswan_plugins}/libstrongswan-md5.so +%{strongswan_plugins}/libstrongswan-openssl.so +%{strongswan_plugins}/libstrongswan-pem.so +%{strongswan_plugins}/libstrongswan-pgp.so +%{strongswan_plugins}/libstrongswan-pkcs1.so +%{strongswan_plugins}/libstrongswan-pubkey.so +%{strongswan_plugins}/libstrongswan-random.so +%{strongswan_plugins}/libstrongswan-resolve.so +%{strongswan_plugins}/libstrongswan-sha1.so +%{strongswan_plugins}/libstrongswan-sha2.so +%{strongswan_plugins}/libstrongswan-socket-dynamic.so +%{strongswan_plugins}/libstrongswan-socket-raw.so +%{strongswan_plugins}/libstrongswan-sql.so +%{strongswan_plugins}/libstrongswan-x509.so +%{strongswan_plugins}/libstrongswan-xcbc.so +%dir %ghost %{_localstatedir}/run/strongswan + %changelog