strongswan 5.8.1-1ubuntu1 source package in Ubuntu
Changelog
strongswan (5.8.1-1ubuntu1) focal; urgency=medium * Merge with Debian unstable (LP: #1852579). Remaining changes: - d/control: Transition from strongswan-tnc-* being in extra packages to libcharon-extra-plugins * Added Changes: - d/control: Transition from former Ubuntu only libcharon-standard-plugins to common libcharon-extauth-plugins (drop after 20.04) - d/control: strongswan-starter hard-depends on strongswan-charon, therefore bump the dependency from Recommends to Depends. At the same time avoid a circular dependency by dropping strongswan-charon->strongswan-starter from Depends to Recommends as the binaries can work without the services but not vice versa. * Dropped Changes (now in Debian): - Clean up d/strongswan-starter.postinst: section about runlevel changes - Clean up d/strongswan-starter.postinst: Removed entire section on opportunistic encryption disabling - this was never in strongSwan and won't be see upstream issue #2160. - d/rules: Removed patching ipsec.conf on build (not using the debconf-managed config.) - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was used for debconf-managed include of private key). - Add plugin kernel-libipsec to allow the use of strongswan in containers via this userspace implementation (please do note that this is still considered experimental by upstream). + d/libcharon-extra-plugins.install: Add kernel-libipsec components + d/control: List kernel-libipsec plugin at extra plugins description + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As upstream recommends to not load kernel-libipsec by default. - d/control: Mention mgf1 plugin which is in libstrongswan now - Complete the disabling of libfast; This was partially accepted in Debian, it is no more packaging medcli and medsrv, but still builds and mentions it. + d/rules: Add --disable-fast to avoid build time and dependencies + d/control: Remove medcli, medsrv from package description - Add now built (since 5.5.1) libraries libtpmtss and nttfft to libstrongswan-extra-plugins (no deps from default plugins). - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon plugins for the most common use cases from extra-plugins into a new standard-plugins package. This will allow those use cases without pulling in too much more plugins (a bit like the tnc package). Recommend that package from strongswan-libcharon. - d/usr.lib.ipsec.charon: allow reading of own FDs (LP 1786250) - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP 1773956) - executables need to be able to read map and execute themselves otherwise execution in some environments e.g. containers is blocked (LP 1780534) + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor profiles of both ways to start charon (LP 1807664) - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP 1807962) - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in Debian so this part was be dropped. Two changes remain - d/control: fix the mentioning of tpmtss in d/control - apparmor fixes for container and root usage (LP 1826238) + d/usr.sbin.swanctl: allow reading own binary + d/usr.sbin.charon-systemd: allow accessing the binary + d/usr.sbin.swanctl: add attach_disconnected to work inside containers + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP to apparmor to allow dropping caps * Dropped Changes (too uncommon to support by default) - d/libstrongswan.install: Add kernel-netlink configuration files - d/usr.sbin.charon-systemd: allow to contact mysql for sql and attr-sql plugins (LP 1766240) - no more needed as itisn't enabled. - Mass enablement of extra plugins and features to allow a user to use strongswan for a variety of extra use cases without having to rebuild. + d/control: Add required additional build-deps + d/control: Mention addtionally enabled plugins + d/rules: Enable features at configure stage + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) + d/libstrongswan.install: Add plugins (so, conf) + d/strongswan-starter.install: Install pool feature, which is useful since we now have attr-sql plugin enabled it. - Enable additional TNC plugins and add them to libcharon-extra-plugins strongswan (5.8.1-1) unstable; urgency=medium * d/rules: disable http and stream tests under CI * New upstream version 5.8.1 strongswan (5.8.0-2) unstable; urgency=medium [ Christian Ehrhardt ] * d/control: Mention mgf1 plugin which is in libstrongswan now * Complete the disabling of libfast * Clean up d/strongswan-starter.postinst: section about runlevel changes * Clean up d/strongswan-starter.postinst: opportunistic encryption * Enable kernel-libipsec for use of strongswan in containers * d/control, d/libcharon-{extras,extauth}-plugins.install: Add extauth-plugins package (Recommends) * apparmor: d/usr.lib.ipsec.charon: sync notify rule from charon-systemd * apparmor: fix apparmor denies reading the own FDs (LP: 1786250) * apparmor: d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: 1773956) * apparmor: d/usr.lib.ipsec.stroke: executables need to be able to read map and execute themselves * apparmor: d/usr.lib.ipsec.lookip: executables need to be able to read map and execute themselves * apparmor: d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: 1807962) * d/control: libtpmtss is actually packaged in libstrongswan-extra-plugins [ Ryan Harper ] * Remove code related to unused debconf managed config [ Yves-Alexis Perez ] * ship xfrmi only on Linux, fix FTBFS on kfreebsd * d/libcharon-extra-plugins.install: drop plugins disabled in Debian * d/control: update standards version to 4.4.1 * d/strongswan-starter.templates: drop runlevel_changes * let dh_installinit handle update-rc.d calls * d/salsa-ci.yml: add a salsa pipeline config * d/rules: drop dbgsym migration * strongswan-starter: update line number in lintian override strongswan (5.8.0-1) unstable; urgency=medium [ Christian Ehrhardt ] * Fix fails in debian CI (Closes: #926479) [ Simon Deziel ] * d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP to apparmor to allow dropping caps * d/usr.sbin.swanctl: add attach_disconnected to work inside containers * d/usr.sbin.charon-systemd: allow accessing the binary * d/usr.sbin.swanctl: allow reading own binary [ Yves-Alexis Perez ] * New upstream version 5.8.0 * d/control: update standards version to 4.4.0 * use debhelper-compat b-d for dh compat level * d/control: bump dh compat level to 11 * d/rules: drop systemd addon, useless in compat 11 * strongswan-libcharon: install xfrmi binary * d/patches refreshed for new upstream release * handle renaming of systemd service files * d/control: remove obsolete breaks/replaces -- Christian Ehrhardt <email address hidden> Thu, 14 Nov 2019 15:00:15 +0100
Upload details
- Uploaded by:
- Christian Ehrhardt
- Uploaded to:
- Focal
- Original maintainer:
- Ubuntu Developers
- Architectures:
- any all
- Section:
- net
- Urgency:
- Medium Urgency
See full publishing history Publishing
Series | Published | Component | Section |
---|
Downloads
File | Size | SHA-256 Checksum |
---|---|---|
strongswan_5.8.1.orig.tar.bz2 | 4.3 MiB | d9af70acea5c054952ad1584916c1bf231b064eb6c8a9791dcb6ae90a769990c |
strongswan_5.8.1-1ubuntu1.debian.tar.xz | 123.0 KiB | 90abf941fbe039ba72cc8f67644a9304bd50b403e2166147aed7baf5a1660fdd |
strongswan_5.8.1-1ubuntu1.dsc | 3.8 KiB | 7782ad53b453408b74fd23045d100ad8cb73771febc3c3e2734e032c8ac8f6e4 |
Available diffs
- diff from 5.7.2-1ubuntu3 to 5.8.1-1ubuntu1 (736.1 KiB)
Binary packages built by this source
- charon-cmd: standalone IPsec client
The strongSwan VPN suite uses the native IPsec stack in the standard
Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
.
This package contains the charon-cmd command, which can be used as a client to
connect to a remote IKE daemon.
- charon-cmd-dbgsym: debug symbols for charon-cmd
- charon-systemd: strongSwan IPsec client, systemd support
The strongSwan VPN suite uses the native IPsec stack in the standard
Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
.
This package contains the charon-systemd files.
- charon-systemd-dbgsym: debug symbols for charon-systemd
- libcharon-extauth-plugins: strongSwan charon library (extended authentication plugins)
The strongSwan VPN suite uses the native IPsec stack in the standard
Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
.
This package provides extended authentication plugins for the charon library:
- eap-mschapv2 (EAP-MSCHAPv2 protocol handler using passwords/NT hashes)
Used for client side to connect to some VPN concentrators configured for
Windows 7+ and modern OSX/iOS using IKEv2 (identify with public key,
authenticate with MSCHAPv2).
- xauth-generic (Generic XAuth backend that provides passwords from
ipsec.secrets and other credential sets)
Used for the client side to connect to VPN concentrators configured for
Android and older OSX/iOS using IKEv1 and XAUTH (identify with public key,
authenticate with XAUTH password).
.
These are the "not always, but still more commonly used" plugins, for further
needs even more plugins can be found in the package libcharon-extra-plugins.
- libcharon-extauth-plugins-dbgsym: debug symbols for libcharon-extauth-plugins
- libcharon-extra-plugins: strongSwan charon library (extra plugins)
The strongSwan VPN suite uses the native IPsec stack in the standard
Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
.
This package provides extra plugins for the charon library:
- addrblock (Narrow traffic selectors to RFC 3779 address blocks in X.509
certificates)
- certexpire (Export expiration dates of used certificates)
- eap-aka (Generic EAP-AKA protocol handler using different backends)
- eap-gtc (EAP-GTC protocol handler authenticating with XAuth backends)
- eap-identity (EAP-Identity identity exchange algorithm, to use with other
EAP protocols)
- eap-md5 (EAP-MD5 protocol handler using passwords)
- eap-radius (EAP server proxy plugin forwarding EAP conversations to a
RADIUS server)
- eap-tls (EAP-TLS protocol handler, to authenticate with certificates in
EAP)
- eap-tnc (EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel)
- eap-ttls (EAP-TTLS protocol handler, wraps other EAP methods securely)
- error-notify (Notification about errors via UNIX socket)
- ha (High-Availability clustering)
- kernel-libipsec (Userspace IPsec Backend with TUN devices)
- led (Let Linux LED subsystem LEDs blink on IKE activity)
- lookip (Virtual IP lookup facility using a UNIX socket)
- tnc (Trusted Network Connect)
- unity (Cisco Unity extensions for IKEv1)
- xauth-eap (XAuth backend that uses EAP methods to verify passwords)
- xauth-pam (XAuth backend that uses PAM modules to verify passwords)
- eap-dynamic (EAP proxy plugin that dynamically selects an EAP method
requested/supported by the client (since 5.0.1))
- eap-peap (EAP-PEAP protocol handler, wraps other EAP methods securely)
- libcharon-extra-plugins-dbgsym: debug symbols for libcharon-extra-plugins
- libcharon-standard-plugins: transitional package
This is a transitional package. It can safely be removed.
- libstrongswan: strongSwan utility and crypto library
The strongSwan VPN suite uses the native IPsec stack in the standard
Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
.
This package provides the underlying libraries of charon and other strongSwan
components. It is built in a modular way and is extendable through various
plugins.
.
Some default (as specified by the strongSwan projet) plugins are included.
For libstrongswan (cryptographic backends, URI fetchers and database layers):
- aes (AES-128/192/256 cipher software implementation)
- constraints (X.509 certificate advanced constraint checking)
- dnskey (Parse RFC 4034 public keys)
- drbg (NIST SP-800-90A Deterministic Random Bit Generator)
- fips-prf (PRF specified by FIPS, used by EAP-SIM/AKA algorithms)
- gmp (RSA/DH crypto backend based on libgmp)
- hmac (HMAC wrapper using various hashers)
- md5 (MD5 hasher software implementation)
- mgf1 (Mask Generation Functions based on the SHA-1, SHA-256 and SHA-512)
- nonce (Default nonce generation plugin)
- pem (PEM encoding/decoding routines)
- pgp (PGP encoding/decoding routines)
- pkcs1 (PKCS#1 encoding/decoding routines)
- pkcs8 (PKCS#8 decoding routines)
- pkcs12 (PKCS#12 decoding routines)
- pubkey (Wrapper to handle raw public keys as trusted certificates)
- random (RNG reading from /dev/[u]random)
- rc2 (RC2 cipher software implementation)
- revocation (X.509 CRL/OCSP revocation checking)
- sha1 (SHA1 hasher software implementation)
- sha2 (SHA256/SHA384/ SHA512 hasher software implementation)
- sshkey (SSH key decoding routines)
- x509 (Advanced X.509 plugin for parsing/generating X.509 certificates/CRLs
and OCSP messages)
- xcbc (XCBC wrapper using various ciphers)
- attr (Provides IKE attributes configured in strongswan.conf)
- kernel-netlink [linux] (IPsec/Networking kernel interface using Linux
Netlink)
- kernel-pfkey [kfreebsd] (IPsec kernel interface using PF_KEY)
- kernel-pfroute [kfreebsd] (Networking kernel interface using PF_ROUTE)
- resolve (Writes name servers received via IKE to a resolv.conf file or
installs them via resolvconf(8))
- libstrongswan-dbgsym: debug symbols for libstrongswan
- libstrongswan-extra-plugins: strongSwan utility and crypto library (extra plugins)
The strongSwan VPN suite uses the native IPsec stack in the standard
Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
.
This package provides extra plugins for the strongSwan utility and
cryptographic library.
.
Included plugins are:
- af-alg [linux] (AF_ALG Linux crypto API interface, provides
ciphers/hashers/ hmac/xcbc)
- ccm (CCM cipher mode wrapper)
- cmac (CMAC cipher mode wrapper)
- ctr (CTR cipher mode wrapper)
- curl (libcurl based HTTP/FTP fetcher)
- curve25519 (support for Diffie-Hellman group 31 using Curve25519 and
support for the Ed25519 digital signature algorithm for IKEv2)
- gcrypt (Crypto backend based on libgcrypt, provides
RSA/DH/ciphers/ hashers/ rng)
- ldap (LDAP fetching plugin based on libldap)
- ntru (key exchanged based on post-quantum computer NTRU)
- padlock (VIA padlock crypto backend, provides AES128/SHA1)
- pkcs11 (PKCS#11 smartcard backend)
- rdrand (High quality / high performance random source using the Intel
rdrand instruction found on Ivy Bridge processors)
- test-vectors (Set of test vectors for various algorithms)
.
Also included is the libtpmtss library adding support for TPM plugin
(https://wiki.strongswa n.org/projects/ strongswan/ wiki/TpmPlugin)
- libstrongswan-extra-plugins-dbgsym: debug symbols for libstrongswan-extra-plugins
- libstrongswan-standard-plugins: strongSwan utility and crypto library (standard plugins)
The strongSwan VPN suite uses the native IPsec stack in the standard
Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
.
This package provides some common plugins for the strongSwan utility and
cryptograhic library.
.
Included plugins are:
- agent (RSA/ECDSA private key backend connecting to SSH-Agent)
- gcm (GCM cipher mode wrapper)
- openssl (Crypto backend based on OpenSSL, provides
RSA/ECDSA/DH/ ECDH/ciphers/ hashers/ HMAC/X. 509/CRL/ RNG)
- libstrongswan-standard-plugins-dbgsym: debug symbols for libstrongswan-standard-plugins
- strongswan: IPsec VPN solution metapackage
The strongSwan VPN suite uses the native IPsec stack in the standard Linux
kernel. It supports both the IKEv1 and IKEv2 protocols.
.
This metapackage installs the packages required to maintain IKEv1 and IKEv2
connections via ipsec.conf or ipsec.secrets.
- strongswan-charon: strongSwan Internet Key Exchange daemon
The strongSwan VPN suite uses the native IPsec stack in the standard
Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
.
charon is an IPsec IKEv2 daemon which can act as an initiator or a responder.
It is written from scratch using a fully multi-threaded design and a modular
architecture. Various plugins can provide additional functionality.
- strongswan-charon-dbgsym: debug symbols for strongswan-charon
- strongswan-libcharon: strongSwan charon library
The strongSwan VPN suite uses the native IPsec stack in the standard
Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
.
This package contains the charon library, used by IKE client like
strongswan-charon, strongswan-charon- cmd or strongswan-nm as well as standard
plugins:
- socket-default
- counters
- bypass-lan (disabled by default)
.
On Linux, it also contains the xfrmi binary which can be used on Linux 4.19+
to create XFRM interfaces (for more information, see
https://wiki.strongswa n.org/projects/ strongswan/ wiki/RouteBased VPN)
- strongswan-libcharon-dbgsym: debug symbols for strongswan-libcharon
- strongswan-nm: strongSwan plugin to interact with NetworkManager
The strongSwan VPN suite uses the native IPsec stack in the standard
Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
.
This plugin provides an interface which allows NetworkManager to configure
and control the IKEv2 daemon directly through D-Bus. It is designed to work
in conjunction with the network-manager- strongswan package, providing
a simple graphical frontend to configure IPsec based VPNs.
- strongswan-nm-dbgsym: debug symbols for strongswan-nm
- strongswan-pki: strongSwan IPsec client, pki command
The strongSwan VPN suite uses the native IPsec stack in the standard
Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
.
This package contains the pki tool which allows on to run a simple public key
infrastructure.
- strongswan-pki-dbgsym: debug symbols for strongswan-pki
- strongswan-scepclient: strongSwan IPsec client, SCEP client
The strongSwan VPN suite uses the native IPsec stack in the standard
Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
.
This package contains the SCEP client, an implementation of the Cisco System's
Simple Certificate Enrollment Protocol (SCEP).
- strongswan-scepclient-dbgsym: debug symbols for strongswan-scepclient
- strongswan-starter: strongSwan daemon starter and configuration file parser
The strongSwan VPN suite uses the native IPsec stack in the standard
Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
.
The starter and the associated "ipsec" script control the charon daemon from
the command line. It parses ipsec.conf and loads the configurations to the
daemon.
- strongswan-starter-dbgsym: debug symbols for strongswan-starter
- strongswan-swanctl: strongSwan IPsec client, swanctl command
The strongSwan VPN suite uses the native IPsec stack in the standard
Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
.
This package contains the swanctl interface, used to configure a running
charon daemon
- strongswan-swanctl-dbgsym: debug symbols for strongswan-swanctl
- strongswan-tnc-base: transitional package
This is a transitional package. It can safely be removed.
- strongswan-tnc-client: transitional package
This is a transitional package. It can safely be removed.
- strongswan-tnc-ifmap: transitional package
This is a transitional package. It can safely be removed.
- strongswan-tnc-pdp: transitional package
This is a transitional package. It can safely be removed.
- strongswan-tnc-server: transitional package
This is a transitional package. It can safely be removed.