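#
# spec file for package strongswan
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

Name:           strongswan
Version:        5.0.4
Release:        0
%define         upstream_version     %{version}
%define         strongswan_docdir    %{_docdir}/%{name}
%define         strongswan_libdir    %{_libdir}/ipsec
%define         strongswan_plugins   %{strongswan_libdir}/plugins

# Build-time switches.
#  - tests:   off by default (the "if 0" branch below never fires).
#  - mysql, sqlite, gcrypt, nm: on by default only when suse_version
#    is above 1110.
#  - systemd: on by default only when suse_version is above 1220.
%if 0
%bcond_without  tests
%else
%bcond_with     tests
%endif
%if 0%{suse_version} > 1110
%bcond_without  mysql
%bcond_without  sqlite
%bcond_without  gcrypt
%bcond_without  nm
%else
%bcond_with     mysql
%bcond_with     sqlite
%bcond_with     gcrypt
%bcond_with     nm
%endif
%if 0%{suse_version} > 1220
%bcond_without  systemd
%else
%bcond_with     systemd
%endif

Summary:        OpenSource IPsec-based VPN Solution
License:        GPL-2.0+
Group:          Productivity/Networking/Security
Url:            http://www.strongswan.org/
Requires:       strongswan-ipsec = %{version}
# Source1 is the upstream detached signature for Source0. The prep section
# runs the gpg-offline verify macro on it, so the plain-http download URLs
# are not what the build relies on for integrity.
# NOTE(review): Source5 is presumably the keyring that check uses; confirm
# it holds only the intended upstream signing key.
Source0:        http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2
Source1:        http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
Source2:        %{name}.init.in
Source3:        %{name}-%{version}-rpmlintrc
Source4:        README.SUSE
Source5:        %{name}.keyring
Patch1:         %{name}_modprobe_syslog.patch
Patch2:         %{name}_ipsec_service.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  bison
BuildRequires:  curl-devel
BuildRequires:  flex
BuildRequires:  gmp-devel
BuildRequires:  gperf
BuildRequires:  gpg-offline
BuildRequires:  libcap-devel
BuildRequires:  libopenssl-devel
BuildRequires:  libsoup-devel
BuildRequires:  openldap2-devel
BuildRequires:  pam-devel
BuildRequires:  pcsc-lite-devel
BuildRequires:  pkg-config
# Optional build dependencies follow the switches defined above.
%if %{with mysql}
BuildRequires:  libmysqlclient-devel
%endif
%if %{with sqlite}
BuildRequires:  sqlite3-devel
%endif
%if %{with gcrypt}
BuildRequires:  libgcrypt-devel
%endif
%if %{with nm}
BuildRequires:  NetworkManager-devel
%endif
%if %{with systemd}
BuildRequires:  systemd-devel
%endif
BuildRequires:  iptables
BuildRequires:  libnl >= 1.1

%description
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

* runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec) kernels
* implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
* Fully tested support of IPv6 IPsec tunnel and transport connections
* Dynamical IP address and interface update with IKEv2 MOBIKE (RFC 4555)
* Automatic insertion and deletion of IPsec-policy-based firewall rules
* Strong 128/192/256 bit AES or Camellia encryption, 3DES support
* NAT-Traversal via UDP encapsulation and port floating (RFC 3947)
* Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
* Static virtual IPs and IKEv1 ModeConfig pull and push modes
* XAUTH server and client functionality on top of IKEv1 Main Mode authentication
* Virtual IP address pool managed by IKE daemon or SQL database
* Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
* Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
* Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
* Authentication based on X.509 certificates or preshared keys
* Generation of a default self-signed certificate during first strongSwan startup
* Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
* Full support of the Online Certificate Status Protocol (OCSP, RFC 2560).
* CA management (OCSP and CRL URIs, default LDAP server)
* Powerful IPsec policies based on wildcards or intermediate CAs
* Group policies based on X.509 attribute certificates (RFC 3281)
* Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface)
* Modular plugins for crypto algorithms and relational database interfaces
* Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
* Optional built-in integrity and crypto tests for plugins and libraries
* Smooth Linux desktop integration via the strongSwan NetworkManager applet

This package triggers the installation of both, IKEv1 and IKEv2 daemons.

Authors:
--------
    Andreas Steffen
    and others

%package doc
# Documentation only, hence architecture independent.
BuildArch:      noarch
Summary:        OpenSource IPsec-based VPN Solution
Group:          Productivity/Networking/Security

%description doc
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

This package provides the StrongSwan documentation.

Authors:
--------
    Andreas Steffen
    and others

%package libs0
Summary:        OpenSource IPsec-based VPN Solution
Group:          Productivity/Networking/Security
Conflicts:      strongswan < %{version}

%description libs0
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

This package provides the strongswan library and plugins.

%package ipsec
# Carries the daemon, the service script and the root-only configuration
# files; it replaces older monolithic strongswan packages and cannot be
# installed next to freeswan or openswan.
Summary:        OpenSource IPsec-based VPN Solution
Group:          Productivity/Networking/Security
PreReq:         grep %insserv_prereq %fillup_prereq
Requires:       strongswan-libs0 = %{version}
Provides:       VPN
Provides:       ipsec
Provides:       strongswan = %{version}
Obsoletes:      strongswan < %{version}
Conflicts:      freeswan openswan

%description ipsec
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

This package provides the /etc/init.d/ipsec service script and allows to
maintain both, IKEv1 and IKEv2, using the /etc/ipsec.conf and the
/etc/ipsec.secrets files.
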
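%if %{with mysql}

%package mysql
# Optional database backend plugin, split out so that the base library
# package does not pull in the MySQL client library.
Summary:        OpenSource IPsec-based VPN Solution
Group:          Productivity/Networking/Security
Requires:       strongswan-libs0 = %{version}

%description mysql
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

This package provides the strongswan mysql plugin.

%endif

%if %{with sqlite}

%package sqlite
Summary:        OpenSource IPsec-based VPN Solution
Group:          Productivity/Networking/Security
Requires:       strongswan-libs0 = %{version}

%description sqlite
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

This package provides the strongswan sqlite plugin.

%endif

%if %{with nm}

%package nm
Summary:        OpenSource IPsec-based VPN Solution
Group:          Productivity/Networking/Security
Requires:       strongswan-libs0 = %{version}

%description nm
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

This package provides the NetworkManager plugin to control the
charon IKEv2 daemon through D-Bus, designed to work using the
NetworkManager-strongswan graphical user interface.

%endif

%if %{with tests}

%package tests
# Test-vector and load-testing plugins are kept out of the default
# package set; this subpackage exists only when the tests switch is on.
Summary:        OpenSource IPsec-based VPN Solution
Group:          Productivity/Networking/Security
Requires:       strongswan-libs0 = %{version}

%description tests
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

This package provides the strongswan crypto test-vectors plugin
and the load testing plugin for IKEv2 daemon.

%endif

%prep
# Check the upstream tarball against its detached signature (Source1)
# before anything is unpacked or patched.
%gpg_verify %{S:1}
%setup -q -n %{name}-%{upstream_version}
%patch1 -p0
%patch2 -p0
# Fill the libexec directory into the init script template.
sed -e 's|@libexecdir@|%_libexecdir|g' \
     < $RPM_SOURCE_DIR/strongswan.init.in \
     > strongswan.init

%build
CFLAGS="$RPM_OPT_FLAGS -W -Wall -Wno-pointer-sign -Wno-strict-aliasing"
export RPM_OPT_FLAGS CFLAGS
#libtoolize --force
#autoreconf
# gcrypt is switched on only through the conditional further down the flag
# list. An unconditional copy of that flag used to sit after the agent flag
# and defeated the build switch: a build without gcrypt has no
# libgcrypt-devel BuildRequires and no gcrypt plugin entry in the file list.
#
# NOTE(review): the list also builds legacy primitives (md4, eap-md5,
# blowfish) and the imc-test / imv-test modules, and all of them are
# packaged in libs0. Whether they are needed for interoperability should be
# decided per deployment; which plugins the daemon loads is presumably a
# strongswan.conf matter -- confirm.
%configure \
    --enable-conftest \
    --enable-integrity-test \
    --with-capabilities=libcap \
    --with-plugindir=%{strongswan_plugins} \
    --with-resolv-conf=%{_localstatedir}/run/strongswan/resolv.conf \
    --enable-pkcs11 \
    --enable-openssl \
    --enable-agent \
    --enable-blowfish \
    --enable-ctr \
    --enable-ccm \
    --enable-gcm \
    --enable-unity \
    --enable-md4 \
    --enable-af-alg \
    --enable-eap-sim \
    --enable-eap-sim-file \
    --enable-eap-sim-pcsc \
    --enable-eap-aka \
    --enable-eap-aka-3gpp2 \
    --enable-eap-simaka-sql \
    --enable-eap-simaka-pseudonym \
    --enable-eap-simaka-reauth \
    --enable-eap-identity \
    --enable-eap-md5 \
    --enable-eap-gtc \
    --enable-eap-mschapv2 \
    --enable-eap-tls \
    --enable-eap-ttls \
    --enable-eap-peap \
    --enable-eap-tnc \
    --enable-eap-dynamic \
    --enable-eap-radius \
    --enable-xauth-eap \
    --enable-xauth-pam \
    --enable-tnc-pdp \
    --enable-tnc-imc \
    --enable-tnc-imv \
    --enable-tnccs-11 \
    --enable-tnccs-20 \
    --enable-tnccs-dynamic \
    --enable-imc-test \
    --enable-imv-test \
    --enable-imc-scanner \
    --enable-imv-scanner \
    --enable-ha \
    --enable-dhcp \
    --enable-farp \
    --enable-smp \
    --enable-sql \
    --enable-attr-sql \
    --enable-addrblock \
    --enable-radattr \
    --enable-mediation \
    --enable-led \
    --enable-certexpire \
    --enable-duplicheck \
    --enable-coupling \
%if %{with mysql}
    --enable-mysql \
%endif
%if %{with sqlite}
    --enable-sqlite \
%endif
%if %{with gcrypt}
    --enable-gcrypt \
%endif
%if %{with nm}
    --enable-nm \
%else
    --disable-nm \
%endif
%if %{with tests}
    --enable-load-tester \
    --enable-test-vectors \
%endif
    --enable-ldap \
    --enable-soup \
    --enable-curl
make %{?_smp_mflags:%_smp_mflags}

%install
export RPM_BUILD_ROOT
install -d -m755 ${RPM_BUILD_ROOT}%{_sbindir}/
install -d -m755 ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.d/
%if ! %{with systemd}
# SysV init script plus the rcipsec convenience link; skipped on systemd.
install -d -m755 ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/
install -m755 strongswan.init ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/ipsec
ln -s %{_sysconfdir}/init.d/ipsec ${RPM_BUILD_ROOT}%{_sbindir}/rcipsec
%endif
#
make install DESTDIR="$RPM_BUILD_ROOT"
#
# Replace whatever ipsec.secrets the upstream install produced with a
# comment-only stub, so the package never ships key material. The 0600 mode
# is not set here; it comes from the attr entry in the ipsec file list.
rm -f ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets
cat << EOT > ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets
#
# ipsec.secrets
#
# This file holds the RSA private keys or the PSK preshared secrets for
# the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
#
EOT
#
# Drop the unversioned .so links, static archives and libtool files; only
# the versioned libraries are packaged.
rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so
rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so
find  $RPM_BUILD_ROOT%{strongswan_libdir} \
      -name "*.a" -o -name "*.la" | xargs -r rm -f
#
install -d -m755 ${RPM_BUILD_ROOT}%{strongswan_docdir}/
install -c -m644 TODO NEWS README COPYING LICENSE \
                 AUTHORS ChangeLog \
                 ${RPM_BUILD_ROOT}%{strongswan_docdir}/
install -c -m644 ${RPM_SOURCE_DIR}/README.SUSE \
                 ${RPM_BUILD_ROOT}%{strongswan_docdir}/
install -d -m755 $RPM_BUILD_ROOT%{_localstatedir}/run/strongswan

%post libs0
%{run_ldconfig}
# The resolv.conf path handed to configure lives in this directory, which
# the file list carries only as a ghost entry, so create it when missing.
# NOTE(review): the mode then depends on the scriptlet umask -- set it
# explicitly if a fixed mode is wanted.
test -d %{_localstatedir}/run/strongswan || \
    %{__mkdir_p} %{_localstatedir}/run/strongswan

%postun libs0
%{run_ldconfig}

%post ipsec
%if ! %{with systemd}
%{fillup_and_insserv ipsec}
%endif

%preun ipsec
%if ! %{with systemd}
%{stop_on_removal ipsec}
%endif
# Keep a numbered copy of any non-empty rpmsave leftovers. cp -p carries
# over mode and ownership, so a copied secrets file stays as restricted as
# the rpmsave file it came from.
if test -s %{_sysconfdir}/ipsec.secrets.rpmsave ; then
  cp -p --backup=numbered %{_sysconfdir}/ipsec.secrets.rpmsave \
                          %{_sysconfdir}/ipsec.secrets.rpmsave.old
fi
if test -s %{_sysconfdir}/ipsec.conf.rpmsave ; then
  cp -p --backup=numbered %{_sysconfdir}/ipsec.conf.rpmsave \
                          %{_sysconfdir}/ipsec.conf.rpmsave.old
fi

%postun ipsec
%if ! %{with systemd}
%{insserv_cleanup}
%endif

%files
%defattr(-,root,root)
%dir %{strongswan_docdir}
%{strongswan_docdir}/README.SUSE

%files ipsec
%defattr(-,root,root)
# ipsec.conf and ipsec.secrets are root-only (0600) and noreplace, so a
# package update does not overwrite locally configured keys or PSKs; the
# private key directory below is 0700.
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.conf
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.secrets
%dir %{_sysconfdir}/ipsec.d
%dir %{_sysconfdir}/ipsec.d/crls
%dir %{_sysconfdir}/ipsec.d/reqs
%dir %{_sysconfdir}/ipsec.d/certs
%dir %{_sysconfdir}/ipsec.d/acerts
%dir %{_sysconfdir}/ipsec.d/aacerts
%dir %{_sysconfdir}/ipsec.d/cacerts
%dir %{_sysconfdir}/ipsec.d/ocspcerts
%dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private
%if %{with systemd}
%{_unitdir}/strongswan.service
%else
%config %{_sysconfdir}/init.d/ipsec
%{_sbindir}/rcipsec
%endif
%{_sbindir}/ipsec
%{_mandir}/man8/ipsec.8*
%{_mandir}/man5/ipsec.conf.5*
%{_mandir}/man5/ipsec.secrets.5*
%{_mandir}/man5/strongswan.conf.5*
%dir %{_libexecdir}/ipsec
%{_libexecdir}/ipsec/_copyright
%{_libexecdir}/ipsec/_updown
%{_libexecdir}/ipsec/_updown_espmark
%{_libexecdir}/ipsec/conftest
%{_libexecdir}/ipsec/duplicheck
%{_libexecdir}/ipsec/openac
%{_libexecdir}/ipsec/pki
%{_libexecdir}/ipsec/pool
%{_libexecdir}/ipsec/scepclient
%{_libexecdir}/ipsec/starter
%{_libexecdir}/ipsec/stroke
%{_libexecdir}/ipsec/charon
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-stroke.so
%{strongswan_plugins}/libstrongswan-updown.so

%files doc
%defattr(-,root,root)
%dir %{strongswan_docdir}
%{strongswan_docdir}/TODO
%{strongswan_docdir}/NEWS
%{strongswan_docdir}/README
%{strongswan_docdir}/COPYING
%{strongswan_docdir}/LICENSE
%{strongswan_docdir}/AUTHORS
%{strongswan_docdir}/ChangeLog
%{_mandir}/man8/_updown.8*
%{_mandir}/man8/_updown_espmark.8*
%{_mandir}/man8/openac.8*
%{_mandir}/man8/scepclient.8*

%files libs0
%defattr(-,root,root)
# strongswan.conf is root-only and noreplace, like the ipsec config files.
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/strongswan.conf
%dir %{_libexecdir}/ipsec
%dir %{strongswan_libdir}
%{strongswan_libdir}/libchecksum.so
%{strongswan_libdir}/libcharon.so.*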
# Continuation of the libs0 file list: versioned shared libraries first.
%{strongswan_libdir}/libhydra.so.*
%{strongswan_libdir}/libpttls.so.*
%{strongswan_libdir}/libradius.so.*
%{strongswan_libdir}/libsimaka.so.*
%{strongswan_libdir}/libstrongswan.so.*
%{strongswan_libdir}/libtls.so.*
%{strongswan_libdir}/libtnccs.so.*
%{strongswan_libdir}/libimcv.so.*
# TNC integrity measurement collectors/verifiers, including the test pair.
%dir %{strongswan_libdir}/imcvs
%{strongswan_libdir}/imcvs/imc-scanner.so
%{strongswan_libdir}/imcvs/imc-test.so
%{strongswan_libdir}/imcvs/imv-scanner.so
%{strongswan_libdir}/imcvs/imv-test.so
# Plugins are listed one by one rather than with a glob: the mysql, sqlite,
# load-tester and test-vectors plugins belong to their own subpackages, and
# stroke and updown are listed under the ipsec package.
# NOTE(review): with an explicit list, a newly enabled plugin presumably
# fails the build as an unpackaged file instead of shipping silently --
# confirm for the target build environment.
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-addrblock.so
%{strongswan_plugins}/libstrongswan-aes.so
%{strongswan_plugins}/libstrongswan-af-alg.so
%{strongswan_plugins}/libstrongswan-agent.so
%{strongswan_plugins}/libstrongswan-attr.so
%{strongswan_plugins}/libstrongswan-attr-sql.so
%{strongswan_plugins}/libstrongswan-blowfish.so
%{strongswan_plugins}/libstrongswan-ccm.so
%{strongswan_plugins}/libstrongswan-certexpire.so
%{strongswan_plugins}/libstrongswan-cmac.so
%{strongswan_plugins}/libstrongswan-constraints.so
%{strongswan_plugins}/libstrongswan-coupling.so
%{strongswan_plugins}/libstrongswan-ctr.so
%{strongswan_plugins}/libstrongswan-curl.so
%{strongswan_plugins}/libstrongswan-des.so
%{strongswan_plugins}/libstrongswan-dhcp.so
%{strongswan_plugins}/libstrongswan-dnskey.so
%{strongswan_plugins}/libstrongswan-duplicheck.so
%{strongswan_plugins}/libstrongswan-eap-aka-3gpp2.so
%{strongswan_plugins}/libstrongswan-eap-aka.so
%{strongswan_plugins}/libstrongswan-eap-dynamic.so
%{strongswan_plugins}/libstrongswan-eap-gtc.so
%{strongswan_plugins}/libstrongswan-eap-identity.so
%{strongswan_plugins}/libstrongswan-eap-md5.so
%{strongswan_plugins}/libstrongswan-eap-mschapv2.so
%{strongswan_plugins}/libstrongswan-eap-peap.so
%{strongswan_plugins}/libstrongswan-eap-radius.so
%{strongswan_plugins}/libstrongswan-eap-sim-file.so
%{strongswan_plugins}/libstrongswan-eap-sim-pcsc.so
%{strongswan_plugins}/libstrongswan-eap-sim.so
%{strongswan_plugins}/libstrongswan-eap-simaka-pseudonym.so
%{strongswan_plugins}/libstrongswan-eap-simaka-reauth.so
%{strongswan_plugins}/libstrongswan-eap-simaka-sql.so
%{strongswan_plugins}/libstrongswan-eap-tls.so
%{strongswan_plugins}/libstrongswan-eap-tnc.so
%{strongswan_plugins}/libstrongswan-eap-ttls.so
%{strongswan_plugins}/libstrongswan-farp.so
%{strongswan_plugins}/libstrongswan-fips-prf.so
%{strongswan_plugins}/libstrongswan-gcm.so
# The gcrypt plugin is packaged only when the gcrypt build switch is on.
%if %{with gcrypt}
%{strongswan_plugins}/libstrongswan-gcrypt.so
%endif
%{strongswan_plugins}/libstrongswan-gmp.so
%{strongswan_plugins}/libstrongswan-ha.so
%{strongswan_plugins}/libstrongswan-hmac.so
%{strongswan_plugins}/libstrongswan-kernel-netlink.so
%{strongswan_plugins}/libstrongswan-ldap.so
%{strongswan_plugins}/libstrongswan-led.so
%{strongswan_plugins}/libstrongswan-md4.so
%{strongswan_plugins}/libstrongswan-md5.so
%{strongswan_plugins}/libstrongswan-nonce.so
%{strongswan_plugins}/libstrongswan-openssl.so
%{strongswan_plugins}/libstrongswan-pem.so
%{strongswan_plugins}/libstrongswan-pgp.so
%{strongswan_plugins}/libstrongswan-pkcs1.so
%{strongswan_plugins}/libstrongswan-pkcs11.so
%{strongswan_plugins}/libstrongswan-pkcs7.so
%{strongswan_plugins}/libstrongswan-pkcs8.so
%{strongswan_plugins}/libstrongswan-pubkey.so
%{strongswan_plugins}/libstrongswan-radattr.so
%{strongswan_plugins}/libstrongswan-random.so
%{strongswan_plugins}/libstrongswan-resolve.so
%{strongswan_plugins}/libstrongswan-revocation.so
%{strongswan_plugins}/libstrongswan-sha1.so
%{strongswan_plugins}/libstrongswan-sha2.so
%{strongswan_plugins}/libstrongswan-smp.so
%{strongswan_plugins}/libstrongswan-socket-default.so
%{strongswan_plugins}/libstrongswan-soup.so
%{strongswan_plugins}/libstrongswan-sql.so
%{strongswan_plugins}/libstrongswan-tnc-imc.so
%{strongswan_plugins}/libstrongswan-tnc-imv.so
%{strongswan_plugins}/libstrongswan-tnc-pdp.so
%{strongswan_plugins}/libstrongswan-tnc-tnccs.so
%{strongswan_plugins}/libstrongswan-tnccs-11.so
%{strongswan_plugins}/libstrongswan-tnccs-20.so
%{strongswan_plugins}/libstrongswan-tnccs-dynamic.so
%{strongswan_plugins}/libstrongswan-unity.so
%{strongswan_plugins}/libstrongswan-x509.so
%{strongswan_plugins}/libstrongswan-xauth-eap.so
%{strongswan_plugins}/libstrongswan-xauth-generic.so
%{strongswan_plugins}/libstrongswan-xauth-pam.so
%{strongswan_plugins}/libstrongswan-xcbc.so
# Runtime directory: owned by the package but not part of the payload
# (ghost entry).
%dir %ghost %{_localstatedir}/run/strongswan

%if %{with nm}

%files nm
%defattr(-,root,root)
%dir %{_libexecdir}/ipsec
%dir %{strongswan_plugins}
%{_libexecdir}/ipsec/charon-nm

%endif

%if %{with mysql}

%files mysql
%defattr(-,root,root)
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-mysql.so

%endif

%if %{with sqlite}

%files sqlite
%defattr(-,root,root)
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-sqlite.so

%endif

%if %{with tests}

%files tests
%defattr(-,root,root)
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-load-tester.so
%{strongswan_plugins}/libstrongswan-test-vectors.so

%endif

%changelog