Marius Tomaschewski
9463c65a84
and a _fipscheck script to verify binaries/libraries/plugings shipped in the strongswan-hmac package. With enabled fips in the kernel, the ipsec script will call it before any action or in a enforced/manual "ipsec _fipscheck" call. Added config file to load openssl and kernel af-alg plugins, but not all the other modules which provide further/alternative algs. Applied a filter disallowing non-approved algorithms in fips mode. (fate#316931,bnc#856322). [+ strongswan_fipscheck.patch, strongswan_fipsfilter.patch] - Fixed file list in the optional (disabled) strongswan-test package. - Fixed build of the strongswan built-in integrity checksum library and enabled building it only on architectures tested to work. - Fix to use bug number 897048 instead 856322 in last changes entry. - Applied an upstream patch reverting to store algorithms in the registration order again as ordering them by identifier caused weaker algorithms to be proposed first by default (bsc#897512). [+0001-restore-registration-algorithm-order.bug897512.patch] OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=77
55 lines
2.3 KiB
Plaintext
55 lines
2.3 KiB
Plaintext
Dear Customer,
|
|
|
|
please note, that the strongswan release 4.5 changes the keyexchange mode
|
|
to IKEv2 as default -- from strongswan-4.5.0/NEWS:
|
|
"[...]
|
|
IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5
|
|
from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the
|
|
IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively
|
|
come for IKEv1 to go into retirement and to cede its place to the much more
|
|
robust, powerful and versatile IKEv2 protocol!
|
|
[...]"
|
|
|
|
This requires adoption of either the "conn %default" or all other IKEv1
|
|
"conn" sections in the /etc/ipsec.conf to use explicit:
|
|
|
|
keyexchange=ikev1
|
|
|
|
The charon daemon in strongswan 5.x versions supports IKEv1 and IKEv2,
|
|
thus a separate pluto IKEv1 daemon is not needed / not shipped any more.
|
|
|
|
|
|
The strongswan package does not provide any files except of this README,
|
|
but triggers the installation of the charon daemon and the "traditional"
|
|
strongswan-ipsec package providing the "ipsec" script and service.
|
|
The ipsec.service is an alias link to the "strongswan.service" systemd
|
|
service unit and created by "systemctl enable strongswan.service".
|
|
|
|
|
|
There is a new strongswan-nm package with a NetworkManager specific charon-nm
|
|
binary controlling the charon daemon through D-Bus and designed to work using
|
|
the NetworkManager-strongswan graphical user interface.
|
|
It does not depend on the traditional starter scripts, but on the IKEv2
|
|
charon daemon and plugins only.
|
|
|
|
|
|
The stongswan-hmac package provides the fips hmac hash files, a _fipscheck
|
|
script and a /etc/strongswan.d/charon/zzz_fips-enforce.conf config file,
|
|
which disables all non-openssl algorithm implementations.
|
|
|
|
When fips operation mode is enabled in the kernel using the fips=1 boot
|
|
parameter, the strongswan fips checks are executed in front of any start
|
|
action of the "ipsec" script provided by the "strongswan-ipsec" package
|
|
and a verification problem causes a failure as required by fips-140-2.
|
|
Further, it is not required to enable the fips_mode in the openssl plugin
|
|
(/etc/strongswan.d/charon/openssl.conf); the kernel entablement enables
|
|
it automatically as needed.
|
|
|
|
The "ipsec _fipscheck" command allows to execute the fips checks manually
|
|
without a check if fips is enabled (/proc/sys/crypto/fips_enabled is 1),
|
|
e.g. for testing purposes.
|
|
|
|
|
|
Have a lot of fun...
|
|
|