pool/strongswan
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1 Commit 2 Branches 0 Tags 11 MiB
Shell 93%
Standard ML 7%
cf0313df27
Go to file
Jan Engelhardt cf0313df27 - rename -hmac subpackage to -fips because it isn't providing 
the hmac files, it provides the configuration drop in to
  enforce fips mode.

- Removes deprecated SysV support
- Added prf-plus-modularization.patch that outsources the IKE
- move file %{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
  to strongswan-nm subpackage, as it is needed for the
  NetworkManager plugin that uses strongswan-nm, not
- Removed unused requires and macro calls(bsc#1083261)
    improved oracle are not compatible with the earlier
    (wasn't the case since 5.0.0) and packets that have the flag
    also checked against IKEv2 signature schemes. If such
    constraints are used for certificate chain validation in
    transport mode connections coming over the same NAT device for
    Windows 7 IKEv2 clients, which announces its services over the
  * For the vici plugin a Python Egg has been added to allow
    Python applications to control or monitor the IKE daemon using
  * EAP server methods now can fulfill public key constraints,
- Fix build in factory
- Fix systemd unit dir
  from glibc
    IDr payload anymore.
  * Consistent logging of IKE and CHILD SAs at the audit (AUD) level.
  caused an INVALID_SYNTAX error on PowerPC platforms.
- Initial, unfinished package

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=165
2024-11-26 12:56:29 +00:00
.gitattributes - rename -hmac subpackage to -fips because it isn't providing 2024-11-26 12:56:29 +00:00
.gitignore - rename -hmac subpackage to -fips because it isn't providing 2024-11-26 12:56:29 +00:00
0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch - rename -hmac subpackage to -fips because it isn't providing 2024-11-26 12:56:29 +00:00
fips-enforce.conf - rename -hmac subpackage to -fips because it isn't providing 2024-11-26 12:56:29 +00:00
harden_strongswan.service.patch - rename -hmac subpackage to -fips because it isn't providing 2024-11-26 12:56:29 +00:00
README.SUSE - rename -hmac subpackage to -fips because it isn't providing 2024-11-26 12:56:29 +00:00
strongswan_ipsec_service.patch - rename -hmac subpackage to -fips because it isn't providing 2024-11-26 12:56:29 +00:00
strongswan-5.9.14.tar.bz2 - rename -hmac subpackage to -fips because it isn't providing 2024-11-26 12:56:29 +00:00
strongswan-5.9.14.tar.bz2.sig - rename -hmac subpackage to -fips because it isn't providing 2024-11-26 12:56:29 +00:00
strongswan-rpmlintrc - rename -hmac subpackage to -fips because it isn't providing 2024-11-26 12:56:29 +00:00
strongswan.changes - rename -hmac subpackage to -fips because it isn't providing 2024-11-26 12:56:29 +00:00
strongswan.init.in - rename -hmac subpackage to -fips because it isn't providing 2024-11-26 12:56:29 +00:00
strongswan.keyring - rename -hmac subpackage to -fips because it isn't providing 2024-11-26 12:56:29 +00:00
strongswan.spec - rename -hmac subpackage to -fips because it isn't providing 2024-11-26 12:56:29 +00:00

README.SUSE 

Dear Customer,

please note, that the strongswan release 4.5 changes the keyexchange mode
to IKEv2 as default -- from strongswan-4.5.0/NEWS:
"[...]
IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5
from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the
IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively
come for IKEv1 to go into retirement and to cede its place to the much more
robust, powerful and versatile IKEv2 protocol!
[...]"

This requires adoption of either the "conn %default" or all other IKEv1
"conn" sections in the /etc/ipsec.conf to use explicit:

	keyexchange=ikev1

The charon daemon in strongswan 5.x versions supports IKEv1 and IKEv2,
thus a separate pluto IKEv1 daemon is not needed / not shipped any more.


The strongswan package does not provide any files except of this README,
but triggers the installation of the charon daemon and the "traditional"
strongswan-ipsec package providing the "ipsec" script and service.
The ipsec.service is an alias link to the "strongswan.service" systemd
service unit and created by "systemctl enable strongswan.service".


There is a new strongswan-nm package with a NetworkManager specific charon-nm
binary controlling the charon daemon through D-Bus and designed to work using
the NetworkManager-strongswan graphical user interface.
It does not depend on the traditional starter scripts, but on the IKEv2
charon daemon and plugins only. 


The stongswan-hmac package provides the fips hmac hash files, a _fipscheck
script and a /etc/strongswan.d/charon/zzz_fips-enforce.conf config file,
which disables all non-openssl algorithm implementations.

When fips operation mode is enabled in the kernel using the fips=1 boot
parameter, the strongswan fips checks are executed in front of any start
action of the "ipsec" script provided by the "strongswan-ipsec" package
and a verification problem causes a failure as required by fips-140-2.
Further, it is not required to enable the fips_mode in the openssl plugin
(/etc/strongswan.d/charon/openssl.conf); the kernel entablement enables
it automatically as needed.

The "ipsec _fipscheck" command allows to execute the fips checks manually
without a check if fips is enabled (/proc/sys/crypto/fips_enabled is 1),
e.g. for testing purposes.


Have a lot of fun...