diff --git a/README.SUSE b/README.SUSE
index 140478d..ae2311b 100644
--- a/README.SUSE
+++ b/README.SUSE
@@ -1,14 +1,30 @@
 Dear Customer,
 
-this package does no provide any files any more, but triggers the
-installation of both, IKEv1 (pluto) and IKEv2 (charon) daemons and
-the traditional starter scripts inclusive of the /etc/init.d/ipsec
-init script and /etc/ipsec.conf file.
+please note, that the strongswan release 4.5 changes the keyexchange mode
+to IKEv2 as default -- from strongswan-4.5.0/NEWS:
+"[...]
+IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5
+from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the
+IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively
+come for IKEv1 to go into retirement and to cede its place to the much more
+robust, powerful and versatile IKEv2 protocol!
+[...]"
 
-There is a new strongswan-nm package with a NetworkManager plugin
-to control the charon IKEv2 daemon through D-Bus, designed to work
-using the NetworkManager-strongswan graphical user interface.
-It does not depend on the traditional starter scripts, but on the
-IKEv2 charon daemon and plugins only.
+This requires adoption of either the "conn %default" or all other IKEv1
+"conn" sections in the /etc/ipsec.conf to use explicit:
+
+ keyexchange=ikev1
+
+
+The strongswan package does no provide any files any more, but triggers
+the installation of both, IKEv1 (pluto) and IKEv2 (charon) daemons and the
+traditional starter scripts inclusive of the /etc/init.d/ipsec init script
+and /etc/ipsec.conf file.
+
+There is a new strongswan-nm package with a NetworkManager plugin to
+control the charon IKEv2 daemon through D-Bus, designed to work using the
+NetworkManager-strongswan graphical user interface.
+It does not depend on the traditional starter scripts, but on the IKEv2
+charon daemon and plugins only.
 
 Have a lot of fun...
diff --git a/strongswan-4.4.1-fix_notify_error_range.patch b/strongswan-4.4.1-fix_notify_error_range.patch deleted file mode 100644 index 79f2c2e..0000000 --- a/strongswan-4.4.1-fix_notify_error_range.patch +++ /dev/null @@ -1,22 +0,0 @@ -From 30d8e8d04d132e046a19b6a29439e6efb8ff3e06 Mon Sep 17 00:00:00 2001 -From: Jiri Bohac -Date: Thu, 5 Aug 2010 17:13:38 +0200 -Subject: [PATCH] fix error-type range in parsing of NOTIFY payloads - - -diff --git a/src/libcharon/sa/tasks/ike_init.c b/src/libcharon/sa/tasks/ike_init.c -index 38fb572..dd4a5f5 100644 ---- a/src/libcharon/sa/tasks/ike_init.c -+++ b/src/libcharon/sa/tasks/ike_init.c -@@ -468,7 +468,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message) - } - default: - { -- if (type < 16383) -+ if (type <= 16383) - { - DBG1(DBG_IKE, "received %N notify error", - notify_type_names, type); --- -1.7.1 - diff --git a/strongswan-4.4.1.tar.bz2 b/strongswan-4.4.1.tar.bz2 deleted file mode 100644 index ae192f3..0000000 --- a/strongswan-4.4.1.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2bee6fb9f43c251827f530cd629af1195a566cf99e9d0320c338f1497cbf99c2 -size 2982652 diff --git a/strongswan-4.4.1.tar.bz2.sig b/strongswan-4.4.1.tar.bz2.sig deleted file mode 100644 index f96e554..0000000 --- a/strongswan-4.4.1.tar.bz2.sig +++ /dev/null 
@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.10 (GNU/Linux)
-
-iQGcBAABAgAGBQJMUuERAAoJEN9CwXCzTbp3oqYL/3Gg3EDh4ZhMAvJunRK40JUI
-Sw8Ekp3XNFASLDDAOTjZAOOfd/ZAtC3zLDxaT9vRfq4mmWmhtKBHcnAnURDtNees
-fraJiv/flvmJ4enZbXp3R3NgIQcXNGDrOi2P7XSydzqq80pW1P4v8JZcMf+glFJO
-sdzMgnL2Tg9/TTiivBFtymtknf+yqT4cDKNNolzIuKWPzJ1dR+hSoLlVZ+4efUAS
-qGK8EsqTDawZ5AsEvx7BVfusn38wMgQehKV5DhyhM29sm9hYj6nfO99NEfXq8VhG
-eYTWU4uJNH5ghTOllc3s9zA8jK49aG+ITIlpqn9xUi41uRlr3DdvMINDBETjGL8E
-eKd8AkV0NCDWRsia2mHJLBW9/W107/w3BPKMCm23avMtiRRezsSB0OQ2XpzgDjEH
-iPLj0xY4cK6Ratd9qfApfafU1sJSll/Hj0XOiv/UEoIgZUaStVKOO+5d5SrljTlp
-hIGJFjWcK262L+aDTGrckDqEpQ/1xHc8KLGF/XiKFg==
-=TTSf
------END PGP SIGNATURE-----
diff --git a/strongswan-4.4.1-rpmlintrc b/strongswan-4.5.0-rpmlintrc
similarity index 100%
rename from strongswan-4.4.1-rpmlintrc
rename to strongswan-4.5.0-rpmlintrc
diff --git a/strongswan-4.5.0.tar.bz2 b/strongswan-4.5.0.tar.bz2
new file mode 100644
index 0000000..11ae48f
--- /dev/null
+++ b/strongswan-4.5.0.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:108b0fbbf119011b24eb6ccabc3d9f8888f4036382dd3aad011dec04100ad559
+size 3154064
diff --git a/strongswan-4.5.0.tar.bz2.sig b/strongswan-4.5.0.tar.bz2.sig
new file mode 100644
index 0000000..0d16c14
--- /dev/null
+++ b/strongswan-4.5.0.tar.bz2.sig
@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.10 (GNU/Linux)
+
+iQGcBAABAgAGBQJMykZ7AAoJEN9CwXCzTbp36BYL/A9q4F2n7EHvVW7HTmG6ogMw
+are1n1ZYRdqUmrdk2woCqJPfkzihHMa1nc7u6hgucRDi7wJfJBXoAT0Rvd9AN8qw
+bKuaajKRvXFA14qtORvkX4z+Se+/nqL3+ZlvlnPS6rgpdBD+kZY+sFNdSAhJxShJ
+zbJ4U+jnO74pyzp8I9hp1HccPKJjt/ljlCB7izPqJ1bQAbrNTQr90JHPNz9BSQkq
+BIF5T+nsRWE1p2tWzz6IAjvbC3ghc2lmVy5FGKjItMXWxsyCYuira4MlbGp2ObKE
+1aa9QbNYxJ0aD0vsX+r8usXvpdq5QLQotp1bLG2m2XYWdzC4yBwRHj2pS8JHIENP
+y9o4za9finsG1Ahb661+2Pw7xO/R2blLDDQyhxH5e6AO7p4Pz050yiicCxVKEwG0
+mJM6c5TbAerBCH2ovgwNeGV3hsOt9ng7e63SMIBkYtN41uQV8hqUjZbtYcvpsER2
+bB/Jdp14aR1F9jMgEmt/I6tNHizJWvB5FFGLqH2cTQ==
+=o5iz
+-----END PGP SIGNATURE-----
diff --git a/strongswan.changes b/strongswan.changes
index c90352f..2b05921 100644
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,3 +1,61 @@
+-------------------------------------------------------------------
+Tue Nov 16 12:01:46 UTC 2010 - mt@suse.de
+
+- Updated to strongSwan 4.5.0 release, changes since 4.4.1 are:
+ * IMPORTANT: the default keyexchange mode 'ike' is changing with
+ release 4.5 from 'ikev1' to 'ikev2', thus commemorating the five
+ year anniversary of the IKEv2 RFC 4306 and its mature successor
+ RFC 5996. The time has definitively come for IKEv1 to go into
+ retirement and to cede its place to the much more robust, powerful
+ and versatile IKEv2 protocol!
+ * Added new ctr, ccm and gcm plugins providing Counter, Counter
+ with CBC-MAC and Galois/Counter Modes based on existing CBC
+ implementations. These new plugins bring support for AES and
+ Camellia Counter and CCM algorithms and the AES GCM algorithms
+ for use in IKEv2.
+ * The new pkcs11 plugin brings full Smartcard support to the IKEv2
+ daemon and the pki utility using one or more PKCS#11 libraries. It
+ currently supports RSA private and public key operations and loads
+ X.509 certificates from tokens.
+ * Implemented a general purpose TLS stack based on crypto and
+ credential primitives of libstrongswan. libtls supports TLS
+ versions 1.0, 1.1 and 1.2, ECDHE-ECDSA/RSA, DHE-RSA and RSA key
+ exchange algorithms and RSA/ECDSA based client authentication.
+ * Based on libtls, the eap-tls plugin brings certificate based EAP
+ authentication for client and server. It is compatible to Windows
+ 7 IKEv2 Smartcard authentication and the OpenSSL based FreeRADIUS
+ EAP-TLS backend.
+ * Implemented the TNCCS 1.1 Trusted Network Connect protocol using
+ the libtnc library on the strongSwan client and server side via
+ the tnccs_11 plugin and optionally connecting to a TNC@FHH-enhanced
+ FreeRADIUS AAA server. Depending on the resulting TNC Recommendation,
+ strongSwan clients are granted access to a network behind a
+ strongSwan gateway (allow), are put into a remediation zone (isolate)
+ or are blocked (none), respectively.
+ Any number of Integrity Measurement Collector/Verifier pairs can be
+ attached via the tnc-imc and tnc-imv charon plugins.
+ * The IKEv1 daemon pluto now uses the same kernel interfaces as the
+ IKEv2 daemon charon. As a result of this, pluto now supports xfrm
+ marks which were introduced in charon with 4.4.1.
+ * The RADIUS plugin eap-radius now supports multiple RADIUS servers
+ for redundant setups. Servers are selected by a defined priority,
+ server load and availability.
+ * The simple led plugin controls hardware LEDs through the Linux LED
+ subsystem. It currently shows activity of the IKE daemon and is a
+ good example how to implement a simple event listener.
+ * Improved MOBIKE behavior in several corner cases, for instance,
+ if the initial responder moves to a different address.
+ * Fixed left-/rightnexthop option, which was broken since 4.4.0.
+ * Fixed a bug not releasing a virtual IP address to a pool if the
+ XAUTH identity was different from the IKE identity.
+ * Fixed the alignment of ModeConfig messages on 4-byte boundaries
+ in the case where the attributes are not a multiple of 4 bytes
+ (e.g. Cisco's UNITY_BANNER).
+ * Fixed the interoperability of the socket_raw and socket_default
+ charon plugins.
+ * Added man page for strongswan.conf
+- Adopted spec file, removed obsolete error range patch.
+
 -------------------------------------------------------------------
 Tue Aug 10 11:43:38 UTC 2010 - mt@suse.de
 
diff --git a/strongswan.spec b/strongswan.spec
index e4eb9e8..32af3af 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -1,5 +1,5 @@
 #
-# spec file for package strongswan (Version 4.4.1)
+# spec file for package strongswan (Version 4.5.0)
 #
 # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@@ -19,10 +19,10 @@ Name: strongswan
-%define upstream_version 4.4.1
+%define upstream_version 4.5.0
 %define strongswan_docdir %{_docdir}/%{name}
 %define strongswan_plugins %{_libexecdir}/ipsec/plugins
-Version: 4.4.1
+Version: 4.5.0
 Release: 0
 License: GPLv2+
 Group: Productivity/Networking/Security
@@ -38,7 +38,6 @@ Source2: %{name}.init.in
 Source3: %{name}-%{version}-rpmlintrc
 Source4: README.SUSE
 Patch1: %{name}_modprobe_syslog.patch
-Patch2: %{name}-4.4.1-fix_notify_error_range.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: bison flex gmp-devel gperf pkg-config
 BuildRequires: libcap-devel
@@ -230,7 +229,6 @@ NetworkManager-strongswan graphical user interface.
 %prep
 %setup -q -n %{name}-%{upstream_version}
 %patch1 -p0
-%patch2 -p1
 sed -e 's|@libexecdir@|%_libexecdir|g' \
 < $RPM_SOURCE_DIR/strongswan.init.in \
 > strongswan.init
@@ -271,7 +269,6 @@ export RPM_OPT_FLAGS CFLAGS
 --enable-sql \
 --enable-attr-sql \
 --enable-addrblock \
- --enable-socket-dynamic \
 %if 0%{suse_version} >= 1110
 --enable-gcrypt \
 --enable-nm \
@@ -361,6 +358,7 @@ fi
 %{_mandir}/man8/ipsec.8*
 %{_mandir}/man5/ipsec.conf.5*
 %{_mandir}/man5/ipsec.secrets.5*
+%{_mandir}/man5/strongswan.conf.5*
 %dir %{_libexecdir}/ipsec
 %{_libexecdir}/ipsec/_updown
 %{_libexecdir}/ipsec/_updown_espmark
@@ -487,8 +485,7 @@ fi
 %{strongswan_plugins}/libstrongswan-revocation.so
 %{strongswan_plugins}/libstrongswan-sha1.so
 %{strongswan_plugins}/libstrongswan-sha2.so
-%{strongswan_plugins}/libstrongswan-socket-dynamic.so
-%{strongswan_plugins}/libstrongswan-socket-raw.so
+%{strongswan_plugins}/libstrongswan-socket*.so
 %{strongswan_plugins}/libstrongswan-sql.so
 %{strongswan_plugins}/libstrongswan-x509.so
 %{strongswan_plugins}/libstrongswan-xauth.so
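Review bot: Dropping `Patch2: %{name}-4.4.1-fix_notify_error_range.patch` in the `@@ -38,7 +38,6 @@` hunk (and its `%patch2 -p1` in the `@@ -230,7 +229,6 @@` hunk) silently reintroduces the off-by-one on the NOTIFY error-type bound (`type < 16383` vs `type <= 16383`, per the deleted patch) unless the 4.5.0 sources already carry the corrected comparison, and nothing in this diff shows where upstream picked it up. The changes entry only says "removed obsolete error range patch"; it would be worth recording the evidence, e.g. `- Adopted spec file, removed error range patch (fix confirmed in 4.5.0 ike_init.c).`, once the comparison in the unpacked tarball has actually been checked. If it turns out not to be upstream, the patch should be kept and rebased rather than dropped.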
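Review bot: The wildcard `%{strongswan_plugins}/libstrongswan-socket*.so` in the `@@ -487,8 +485,7 @@` hunk weakens the `%files` list as a build check: with `--enable-socket-dynamic` removed from configure in the `@@ -271,7 +269,6 @@` hunk, the glob accepts whichever socket plugins the 4.5.0 build happens to produce, so an unintentionally built or missing plugin is no longer caught, and an empty match fails only at packaging time with a less obvious error. Since the changelog names socket_raw and socket_default as the plugins in use, listing them explicitly, e.g. `%{strongswan_plugins}/libstrongswan-socket-raw.so` and (presumably) `%{strongswan_plugins}/libstrongswan-socket-default.so`, keeps the packaged plugin set deliberate; the exact names should be confirmed against the build output.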