pool/strongswan
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
117 Commits 2 Branches 0 Tags 11 MiB
Shell 93%
Standard ML 7%
abbd490880
Go to file
Jan Engelhardt abbd490880 Accepting request 991798 from home:p_conrad:branches 
This resolves one issue in particular that caused failures in Tumbleweed, see https://forums.opensuse.org/showthread.php/569960-Latest-strongswan-ipsec-crashes-on-startup .

- Update to release 5.9.7
  * The IKEv2 key derivation is now delayed until the keys are actually needed to process or send the next message.
  * Inbound IKEv2 messages, in particular requests, are now processed differently.
  * The retransmission logic in the dhcp plugin has been fixed (#1154).
  * The connmark plugin now considers configured masks in installed firewall rules (#1087).
  * Child config selection has been fixed as responder in cases where multiple children use transport mode traffic selectors (#1143).
  * The outbound SA/policy is now also removed after IKEv1 CHILD_SA rekeyings (#1041).
  * The openssl plugin supports AES and Camellia in CTR mode (112bb46).
  * The AES-XCBC/CMAC PRFs are demoted in the default proposal (after HMAC-based PRFs) since they were never widely adopted
  * The kdf plugin is now automatically enabled if any of the aesni, cmac or xcbc plugins are enabled, or if none of the plugins that directly provide HMAC-based KDFs are enabled (botan, openssl or wolfssl).
  * The CALLBACK macros (and some other issues) have been fixed when compiling with GCC 12 (#1053).

OBS-URL: https://build.opensuse.org/request/show/991798
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=136
2022-07-30 09:43:14 +00:00
.gitattributes OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=1 2007-12-13 03:49:24 +00:00
.gitignore OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=1 2007-12-13 03:49:24 +00:00
0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch Accepting request 513652 from home:ndas:branches:network:vpn 2017-08-01 07:21:05 +00:00
fips-enforce.conf - Added generation of fips hmac hash files using fipshmac utility 2014-11-21 12:01:59 +00:00
fipscheck.sh.in - Added generation of fips hmac hash files using fipshmac utility 2014-11-21 12:01:59 +00:00
harden_strongswan.service.patch Accepting request 960489 from home:msmeissn:branches:network:vpn 2022-03-09 18:30:05 +00:00
README.SUSE - Added generation of fips hmac hash files using fipshmac utility 2014-11-21 12:01:59 +00:00
strongswan_fipscheck.patch Accepting request 513652 from home:ndas:branches:network:vpn 2017-08-01 07:21:05 +00:00
strongswan_ipsec_service.patch osc copypac from project:openSUSE:Factory package:strongswan revision:70 2020-01-30 15:50:32 +00:00
strongswan-5.9.7.tar.bz2 Accepting request 991798 from home:p_conrad:branches 2022-07-30 09:43:14 +00:00
strongswan-5.9.7.tar.bz2.sig Accepting request 991798 from home:p_conrad:branches 2022-07-30 09:43:14 +00:00
strongswan-rpmlintrc osc copypac from project:openSUSE:Factory package:strongswan revision:70 2020-01-30 15:50:32 +00:00
strongswan.changes Accepting request 991798 from home:p_conrad:branches 2022-07-30 09:43:14 +00:00
strongswan.init.in - Fixed rpmlint runlevel & fsf warnings, updated rpmlintrc 2012-02-15 13:48:10 +00:00
strongswan.keyring Accepting request 143934 from home:sbrabec:gpg-offline-verify 2012-12-04 10:25:06 +00:00
strongswan.spec Accepting request 991798 from home:p_conrad:branches 2022-07-30 09:43:14 +00:00

README.SUSE 

Dear Customer,

please note, that the strongswan release 4.5 changes the keyexchange mode
to IKEv2 as default -- from strongswan-4.5.0/NEWS:
"[...]
IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5
from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the
IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively
come for IKEv1 to go into retirement and to cede its place to the much more
robust, powerful and versatile IKEv2 protocol!
[...]"

This requires adoption of either the "conn %default" or all other IKEv1
"conn" sections in the /etc/ipsec.conf to use explicit:

	keyexchange=ikev1

The charon daemon in strongswan 5.x versions supports IKEv1 and IKEv2,
thus a separate pluto IKEv1 daemon is not needed / not shipped any more.


The strongswan package does not provide any files except of this README,
but triggers the installation of the charon daemon and the "traditional"
strongswan-ipsec package providing the "ipsec" script and service.
The ipsec.service is an alias link to the "strongswan.service" systemd
service unit and created by "systemctl enable strongswan.service".


There is a new strongswan-nm package with a NetworkManager specific charon-nm
binary controlling the charon daemon through D-Bus and designed to work using
the NetworkManager-strongswan graphical user interface.
It does not depend on the traditional starter scripts, but on the IKEv2
charon daemon and plugins only. 


The stongswan-hmac package provides the fips hmac hash files, a _fipscheck
script and a /etc/strongswan.d/charon/zzz_fips-enforce.conf config file,
which disables all non-openssl algorithm implementations.

When fips operation mode is enabled in the kernel using the fips=1 boot
parameter, the strongswan fips checks are executed in front of any start
action of the "ipsec" script provided by the "strongswan-ipsec" package
and a verification problem causes a failure as required by fips-140-2.
Further, it is not required to enable the fips_mode in the openssl plugin
(/etc/strongswan.d/charon/openssl.conf); the kernel entablement enables
it automatically as needed.

The "ipsec _fipscheck" command allows to execute the fips checks manually
without a check if fips is enabled (/proc/sys/crypto/fips_enabled is 1),
e.g. for testing purposes.


Have a lot of fun...