author | Noel Kuntze | 2015-06-08 14:49:04 +0200 |
---|---|---|
committer | Noel Kuntze | 2015-06-08 14:49:04 +0200 |
commit | 9f98fc8ab2ac77eaf412604047c85cc35dd31f2e (patch) | |
tree | 6488216d7d1c6512fe2b32a08bfbb3ac54da6ba6 | |
download | aur-9f98fc8ab2ac77eaf412604047c85cc35dd31f2e.tar.gz |
initial commit
-rw-r--r-- | .SRCINFO | 24 | ||||
-rw-r--r-- | CHANGELOG | 68 | ||||
-rw-r--r-- | PKGBUILD | 60 |
3 files changed, 152 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..1037f9d43b4d
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,24 @@
+# Generated by makepkg 4.2.1
+# Mon Jun 8 12:35:09 UTC 2015
+pkgbase = strongswan
+ pkgdesc = open source IPsec implementation
+ pkgver = 5.3.2
+ pkgrel = 1
+ url = http://www.strongswan.org
+ arch = i686
+ arch = x86_64
+ license = GPL
+ depends = curl
+ depends = gmp
+ depends = iproute2
+ depends = openssl
+ depends = sqlite
+ conflicts = openswan
+ options = !libtool
+ backup = etc/ipsec.conf
+ backup = etc/strongswan.conf
+ source = https://download.strongswan.org/strongswan-5.3.2.tar.bz2
+ sha256sums = a4a9bc8c4e42bdc4366a87a05a02bf9f425169a7ab0c6f4482d347e44acbf225
+
+pkgname = strongswan
+
diff --git a/CHANGELOG b/CHANGELOG
new file mode 100644
index 000000000000..f7041712694e
--- /dev/null
+++ b/CHANGELOG
@@ -0,0 +1,68 @@
+Added support for IKEv2 make-before-break reauthentication. By using a global
+CHILD_SA reqid allocation mechanism, charon supports overlapping CHILD_SAs.
+This allows the use of make-before-break instead of the previously supported
+break-before-make reauthentication, avoiding connectivity gaps during that
+procedure. As the new mechanism may fail with peers not supporting it (such
+as any previous strongSwan release) it must be explicitly enabled using
+the charon.make_before_break strongswan.conf option.
+
+Support for Signature Authentication in IKEv2 (RFC 7427) has been added.
+This allows the use of stronger hash algorithms for public key authentication.
+
+By default, signature schemes are chosen based on the strength of the
+signature key, but specific hash algorithms may be configured in leftauth.
+Key types and hash algorithms specified in rightauth are now also checked
+against IKEv2 signature schemes. If such constraints are used for certificate
+chain validation in existing configurations, in particular with peers that
+don't support RFC 7427, it may be necessary to disable this feature with the
+charon.signature_authentication_constraints setting, because the signature
+scheme used in classic IKEv2 public key authentication may not be strong
+enough.
+
+The new connmark plugin allows a host to bind conntrack flows to a specific
+CHILD_SA by applying and restoring the SA mark to conntrack entries. This
+allows a peer to handle multiple transport mode connections coming over the
+same NAT device for client-initiated flows (a common use case is to protect
+L2TP/IPsec). See ikev2/host2host-transport-connmark for an example.
+
+The forecast plugin can forward broadcast and multicast messages between
+connected clients and a LAN. For CHILD_SA using unique marks, it sets up
+the required Netfilter rules and uses a multicast/broadcast listener that
+forwards such messages to all connected clients. This plugin is designed for
+Windows 7 IKEv2 clients, which announce their services over the tunnel if the
+negotiated IPsec policy allows it. See ikev2/forecast for an example.
+
+For the vici plugin a Python Egg has been added to allow Python applications
+to control or monitor the IKE daemon using the VICI interface, similar to the
+existing ruby gem. The Python library has been contributed by Björn Schuberg.
+
+EAP server methods now can fulfill public key constraints, such as rightcert
+or rightca. Additionally, public key and signature constraints can be
+specified for EAP methods in the rightauth keyword. Currently the EAP-TLS and
+EAP-TTLS methods provide verification details to constraints checking.
+
+Upgrade of the BLISS post-quantum signature algorithm to the improved BLISS-B
+variant. Can be used in conjunction with the SHA256, SHA384 and SHA512 hash
+algorithms with SHA512 being the default.
+
+The IF-IMV 1.4 interface now makes the IP address of the TNC access requestor
+as seen by the TNC server available to all IMVs. This information can be
+forwarded to policy enforcement points (e.g. firewalls or routers).
+
+The new mutual tnccs-20 plugin parameter activates mutual TNC measurements
+in PB-TNC half-duplex mode between two endpoints over either a PT-EAP or
+PT-TLS transport medium.
+
+SPIs in IKEv1 DELETE payloads are now compared to those of the current IKE SA.
+This is required for interoperability with OpenBSD's isakmpd, which always uses the
+latest IKE SA to delete other expired SAs.
+
+The files plugin provides a simple fetcher for file:// URIs (1735d80f38).
+
+Fixed CRL verification for PKIs that don't use SHA-1 hashes of the public key
+as subjectKeyIdentifier or authorityKeyIdentifier (6133770db4).
+
+Route priorities are now considered when doing manual route lookups (6b57790270).
+
+Policies are now removed from the kernel before IPsec SAs, to avoid acquires
+for untrapped policies (46188b0eb0).
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..5cfec62957f1
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,60 @@
+## Contributor: nikicat <develniks at gmail dot com>
+# Contributor: danilo <gezuru at gmail dot com>
+# Contributor: Jason Begley <jayray at digitalgoat dot com>
+# Contributor: Ray Kohler <ataraxia937 at gmail dot com>
+# Contributor: Daniel Riedemann <daniel.riedemann [at] googlemail [dot] com>
+# Contributor: 458italia <svenskaparadox [at] gmail dot com>
+# Contributor: Thermi <noel [at] familie-kuntze dot com>
+# Former maintainer: dkorzhevin <dkorzhevin at gmail dot com>
+# Maintainer: Thermi <noel [at] familie-kuntze dot com>
+
+pkgname=strongswan
+pkgver=5.3.2
+pkgrel=1
+pkgdesc="open source IPsec implementation"
+url='http://www.strongswan.org'
+license=("GPL")
+arch=('i686' 'x86_64')
+depends=('curl' 'gmp' 'iproute2' 'openssl' 'sqlite')
+conflicts=('openswan')
+options=(!libtool)
+backup=(etc/ipsec.conf etc/strongswan.conf)
+
+source=("https://download.strongswan.org/strongswan-${pkgver}.tar.bz2")
+
+# md5 is broken. We use sha256 now. Alternatively, we could check the signature of the file, but that
+# doesn't yield any more security and just increases the work users initially have to invest.
+sha256sums=('a4a9bc8c4e42bdc4366a87a05a02bf9f425169a7ab0c6f4482d347e44acbf225')
+
+# We don't build libipsec because it would get loaded before kernel-netlink and netkey, which
+# would case processing to be handled in user space. Also, the plugin is experimental. If you need it,
+# add --enable-libipsec and --enable-kernel-libipsec
+
+build() {
+ cd ${srcdir}/${pkgname}-${pkgver}
+
+ ./configure --prefix=/usr \
+ --sbindir=/usr/bin \
+ --sysconfdir=/etc \
+ --libexecdir=/usr/lib \
+ --with-ipsecdir=/usr/lib/strongswan \
+ --enable-sqlite \
+ --enable-openssl --enable-curl \
+ --enable-sql --enable-attr-sql \
+ --enable-farp --enable-dhcp \
+ --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym \
+ --enable-eap-simaka-reauth --enable-eap-identity --enable-eap-md5 \
+ --enable-eap-gtc --enable-eap-aka --enable-eap-aka-3gpp2 \
+ --enable-eap-mschapv2 --enable-eap-radius --enable-xauth-eap \
+ --enable-ha --enable-vici --enable-swanctl --enable-systemd --enable-ext-auth \
+ --disable-mysql --disable-ldap -enable-cmd --enable-forecast --enable-connmark \
+ --enable-aesni
+# --enable-ruby-gems --enable-python-eggs
+ make
+}
+
+package() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+ make DESTDIR=${pkgdir} install
+}
+
|
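Review bot: `cd ${srcdir}/${pkgname}-${pkgver}` in build() is unquoted while package() quotes the same path, and `make DESTDIR=${pkgdir} install` is unquoted as well; a build directory containing whitespace would word-split these, so write `cd "${srcdir}/${pkgname}-${pkgver}"` and `make DESTDIR="${pkgdir}" install` in both functions. `-enable-cmd` in the configure call carries a single dash where every neighbouring option has two; autoconf-generated configure scripts appear to tolerate the single-dash spelling, but it should read `--enable-cmd` so the option is obviously applied and consistent. The comment above sha256sums says a signature check would yield no more security, but a `validpgpkeys` entry together with the upstream detached signature in source lets makepkg verify that the tarball was released by the upstream key, which is a different guarantee from matching the digest the maintainer recorded from their own download; consider either adding that check or rewording the comment so it does not overstate what the digest alone proves. "would case processing" in the libipsec comment is presumably a typo for "would cause processing".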