strongswan: import, update, adopt

Signed-off-by: Steven Barth <steven@midlink.org>

8 files changed, 611 insertions, 0 deletions

diff --git a/net/strongswan/Config.in b/net/strongswan/Config.in
new file mode 100644
index 000000000..5bb78aeb8
--- /dev/null
+++ b/net/strongswan/Config.in
@@ -0,0 +1,16 @@
+menu "Configuration"
+	depends on PACKAGE_strongswan
+
+# --with-routing-table
+config STRONGSWAN_ROUTING_TABLE
+	string
+	prompt "Set the IPsec routing table ID"
+	default "220"
+
+#  --with-routing-table-prio
+config STRONGSWAN_ROUTING_TABLE_PRIO
+	string
+	prompt "Set the IPsec routing table priority"
+	default "220"
+
+endmenu
diff --git a/net/strongswan/Makefile b/net/strongswan/Makefile
new file mode 100644
index 000000000..803995122
--- /dev/null
+++ b/net/strongswan/Makefile
@@ -0,0 +1,503 @@
+#
+# Copyright (C) 2012-2014 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=strongswan
+PKG_VERSION:=5.2.0
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:=http://download.strongswan.org/ http://download2.strongswan.org/
+PKG_MD5SUM:=5cee4ee1a6ccb74400758b3ace54d46e
+PKG_LICENSE:=GPL-2.0+
+PKG_MAINTAINER:=Steven Barth <cyrus@openwrt.org>
+
+PKG_MOD_AVAILABLE:= \
+	addrblock \
+	aes \
+	af-alg \
+	agent \
+	attr \
+	attr-sql \
+	blowfish \
+	ccm \
+	cmac \
+	constraints \
+	coupling \
+	ctr \
+	curl \
+	des \
+	dhcp \
+	dnskey \
+	duplicheck \
+	eap-identity \
+	eap-md5 \
+	eap-mschapv2 \
+	eap-radius \
+	farp \
+	fips-prf \
+	gcm \
+	gcrypt \
+	gmp \
+	ha \
+	hmac \
+	kernel-libipsec \
+	kernel-netlink \
+	ldap \
+	led \
+	load-tester \
+	nonce \
+	md4 \
+	md5 \
+	mysql \
+	openssl \
+	padlock \
+	pem \
+	pgp \
+	pkcs1 \
+	pkcs8 \
+	pkcs11 \
+	pubkey \
+	random \
+	resolve \
+	revocation \
+	sha1 \
+	sha2 \
+	smp \
+	socket-default \
+	socket-dynamic \
+	sql \
+	sqlite \
+	stroke \
+	test-vectors \
+	unity \
+	uci \
+	updown \
+	whitelist \
+	x509 \
+	xauth-eap \
+	xauth-generic \
+	xcbc
+
+PKG_CONFIG_DEPENDS:= \
+	CONFIG_STRONGSWAN_ROUTING_TABLE \
+	CONFIG_STRONGSWAN_ROUTING_TABLE_PRIO \
+	$(patsubst %,CONFIG_PACKAGE_strongswan-mod-%,$(PKG_MOD_AVAILABLE)) \
+
+PKG_FIXUP:=autoreconf
+PKG_INSTALL:=1
+PKG_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/strongswan/Default
+  SUBMENU:=VPN
+  SECTION:=net
+  CATEGORY:=Network
+  TITLE:=StrongSwan
+  URL:=http://www.strongswan.org/
+endef
+
+define Package/strongswan/description/Default
+ StrongSwan is an OpenSource IPsec implementation for the Linux operating system.
+endef
+
+define Package/strongswan
+$(call Package/strongswan/Default)
+  DEPENDS:= +libpthread +ip \
+	+kmod-crypto-authenc \
+	+kmod-ipsec +kmod-ipsec4 +kmod-ipsec6 \
+	+kmod-ipt-ipsec +iptables-mod-ipsec
+endef
+
+define Package/strongswan/config
+  source "$(SOURCE)/Config.in"
+endef
+
+define Package/strongswan/description
+$(call Package/strongswan/description/Default)
+ This package contains shared libraries and scripts.
+endef
+
+define Package/strongswan-full
+$(call Package/strongswan/Default)
+  TITLE+= (full)
+  DEPENDS:= +strongswan \
+	+strongswan-charon \
+	+strongswan-mod-addrblock \
+	+strongswan-mod-aes \
+	+strongswan-mod-af-alg \
+	+strongswan-mod-agent \
+	+strongswan-mod-attr \
+	+strongswan-mod-attr-sql \
+	+strongswan-mod-blowfish \
+	+strongswan-mod-ccm \
+	+strongswan-mod-cmac \
+	+strongswan-mod-constraints \
+	+strongswan-mod-coupling \
+	+strongswan-mod-ctr \
+	+strongswan-mod-curl \
+	+strongswan-mod-des \
+	+strongswan-mod-dhcp \
+	+strongswan-mod-dnskey \
+	+strongswan-mod-duplicheck \
+	+strongswan-mod-eap-identity \
+	+strongswan-mod-eap-md5 \
+	+strongswan-mod-eap-mschapv2 \
+	+strongswan-mod-eap-radius \
+	+strongswan-mod-farp \
+	+strongswan-mod-fips-prf \
+	+strongswan-mod-gcm \
+	+strongswan-mod-gcrypt \
+	+strongswan-mod-gmp \
+	+strongswan-mod-ha \
+	+strongswan-mod-hmac \
+	+strongswan-mod-kernel-netlink \
+	+strongswan-mod-ldap \
+	+strongswan-mod-led \
+	+strongswan-mod-load-tester \
+	+strongswan-mod-nonce \
+	+strongswan-mod-md4 \
+	+strongswan-mod-md5 \
+	+strongswan-mod-mysql \
+	+strongswan-mod-openssl \
+	+TARGET_x86:strongswan-mod-padlock \
+	+strongswan-mod-pem \
+	+strongswan-mod-pgp \
+	+strongswan-mod-pkcs1 \
+	+strongswan-mod-pkcs8 \
+	+strongswan-mod-pkcs11 \
+	+strongswan-mod-pubkey \
+	+strongswan-mod-random \
+	+strongswan-mod-resolve \
+	+strongswan-mod-revocation \
+	+strongswan-mod-sha1 \
+	+strongswan-mod-sha2 \
+	+strongswan-mod-smp \
+	+strongswan-mod-socket-default \
+	+strongswan-mod-sql \
+	+strongswan-mod-sqlite \
+	+strongswan-mod-stroke \
+	+strongswan-mod-test-vectors \
+	+strongswan-mod-uci \
+	+strongswan-mod-unity \
+	+strongswan-mod-updown \
+	+strongswan-mod-whitelist \
+	+strongswan-mod-x509 \
+	+strongswan-mod-xauth-eap \
+	+strongswan-mod-xauth-generic \
+	+strongswan-mod-xcbc \
+	+strongswan-utils \
+	@DEVEL
+endef
+
+define Package/strongswan-full/description
+$(call Package/strongswan/description/Default)
+ This meta-package contains dependencies for all of the strongswan plugins
+ except kernel-libipsec,
+ socket-dynamic and which are ommitted in favor of the kernel-netlink and
+ socket-default plugins.
+endef
+
+
+define Package/strongswan-default
+$(call Package/strongswan/Default)
+  TITLE+= (default)
+  DEPENDS:= +strongswan \
+	+strongswan-charon \
+	+strongswan-mod-aes \
+	+strongswan-mod-attr \
+	+strongswan-mod-constraints \
+	+strongswan-mod-des \
+	+strongswan-mod-dnskey \
+	+strongswan-mod-fips-prf \
+	+strongswan-mod-gmp \
+	+strongswan-mod-hmac \
+	+strongswan-mod-kernel-netlink \
+	+strongswan-mod-md5 \
+	+strongswan-mod-nonce \
+	+strongswan-mod-pem \
+	+strongswan-mod-pgp \
+	+strongswan-mod-pkcs1 \
+	+strongswan-mod-pubkey \
+	+strongswan-mod-random \
+	+strongswan-mod-resolve \
+	+strongswan-mod-revocation \
+	+strongswan-mod-sha1 \
+	+strongswan-mod-sha2 \
+	+strongswan-mod-socket-default \
+	+strongswan-mod-stroke \
+	+strongswan-mod-updown \
+	+strongswan-mod-x509 \
+	+strongswan-mod-xauth-generic \
+	+strongswan-mod-xcbc \
+	+strongswan-utils
+endef
+
+define Package/strongswan-default/description
+$(call Package/strongswan/description/Default)
+ This meta-package contains only dependencies to match upstream defaults.
+endef
+
+define Package/strongswan-minimal
+$(call Package/strongswan/Default)
+  TITLE+= (minimal)
+  DEPENDS:= +strongswan \
+	+strongswan-charon \
+	+strongswan-mod-aes \
+	+strongswan-mod-gmp \
+	+strongswan-mod-hmac \
+	+strongswan-mod-kernel-netlink \
+	+strongswan-mod-nonce \
+	+strongswan-mod-pubkey \
+	+strongswan-mod-random \
+	+strongswan-mod-sha1 \
+	+strongswan-mod-socket-default \
+	+strongswan-mod-stroke \
+	+strongswan-mod-updown \
+	+strongswan-mod-x509 \
+	+strongswan-mod-xcbc
+endef
+
+define Package/strongswan-minimal/description
+$(call Package/strongswan/description/Default)
+ This meta-package contains only dependencies for a minimal IKEv2 setup.
+endef
+
+define Package/strongswan-charon
+$(call Package/strongswan/Default)
+  TITLE+= IKEv1/IKEv2 keying daemon
+  DEPENDS:= +strongswan
+endef
+
+define Package/strongswan-charon/description
+$(call Package/strongswan/description/Default)
+ This package contains charon, an IKEv2 keying daemon.
+endef
+
+define Package/strongswan-utils
+$(call Package/strongswan/Default)
+  TITLE+= utilities
+  DEPENDS:= +strongswan
+endef
+
+define Package/strongswan-utils/description
+$(call Package/strongswan/description/Default)
+ This package contains the pki & scepclient utilities.
+endef
+
+define BuildPlugin
+  define Package/strongswan-mod-$(1)
+    $$(call Package/strongswan/Default)
+    TITLE:= StrongSwan $(2) plugin
+    DEPENDS:= +strongswan $(3)
+  endef
+
+  strongswan_mod_conf=$(wildcard $(PKG_INSTALL_DIR)/etc/strongswan.d/charon/$(1).conf)
+  define Package/strongswan-mod-$(1)/install
+	$(INSTALL_DIR) $$(1)/etc/strongswan.d/charon
+	$(if $(call strongswan_mod_conf,$(1)), \
+		$(INSTALL_DATA) \
+			$(call strongswan_mod_conf,$(1)) \
+			$$(1)/etc/strongswan.d/charon/ \
+	)
+	$(INSTALL_DIR) $$(1)/usr/lib/ipsec/plugins
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/libstrongswan-$(1).so \
+		$$(1)/usr/lib/ipsec/plugins/
+	$(call Plugin/$(1)/install,$$(1))
+  endef
+
+  Package/strongswan-mod-$(1)/conffiles=$(patsubst $(PKG_INSTALL_DIR)%,%,$(call strongswan_mod_conf,$(1)))
+
+  $$(eval $$(call BuildPackage,strongswan-mod-$(1)))
+endef
+
+CONFIGURE_ARGS+= \
+	--disable-scripts \
+	--disable-static \
+	--disable-fast \
+	--with-systemdsystemunitdir=no \
+	$(if $(CONFIG_PACKAGE_strongswan-utils),--enable-pki --enable-scepclient,--disable-pki --disable-scepclient) \
+	--with-random-device=/dev/random \
+	--with-urandom-device=/dev/urandom \
+	--with-routing-table="$(call qstrip,$(CONFIG_STRONGSWAN_ROUTING_TABLE))" \
+	--with-routing-table-prio="$(call qstrip,$(CONFIG_STRONGSWAN_ROUTING_TABLE_PRIO))" \
+	$(foreach m,$(PKG_MOD_AVAILABLE), \
+	  $(if $(CONFIG_PACKAGE_strongswan-mod-$(m)),--enable-$(m),--disable-$(m)) \
+	)
+
+EXTRA_LDFLAGS+= -Wl,-rpath-link,$(STAGING_DIR)/usr/lib
+
+define Package/strongswan/conffiles
+/etc/ipsec.conf
+/etc/ipsec.secrets
+/etc/ipsec.user
+/etc/strongswan.conf
+endef
+
+define Package/strongswan/install
+	$(INSTALL_DIR) $(1)/etc
+	$(CP) $(PKG_INSTALL_DIR)/etc/strongswan.conf $(1)/etc/
+	$(INSTALL_DIR) $(1)/usr/lib/ipsec
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/{libstrongswan.so.*,libhydra.so.*} $(1)/usr/lib/ipsec/
+	$(INSTALL_CONF) ./files/ipsec.secrets $(1)/etc/
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/ipsec.init $(1)/etc/init.d/ipsec
+endef
+
+define Package/strongswan-default/install
+	true
+endef
+
+define Package/strongswan-full/install
+	true
+endef
+
+define Package/strongswan-minimal/install
+	true
+endef
+
+define Package/strongswan-charon/install
+	$(INSTALL_DIR) $(1)/usr/lib/ipsec
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/ipsec/charon $(1)/usr/lib/ipsec/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libcharon.so.* $(1)/usr/lib/ipsec/
+endef
+
+define Package/strongswan-utils/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ipsec $(1)/usr/sbin/
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/pki $(1)/usr/bin/
+	$(INSTALL_DIR) $(1)/usr/lib/ipsec
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/ipsec/scepclient $(1)/usr/lib/ipsec/
+endef
+
+define Plugin/duplicheck/install
+	$(INSTALL_DIR) $(1)/usr/lib/ipsec/plugins
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/duplicheck $(1)/usr/lib/ipsec/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/libstrongswan-duplicheck.so $(1)/usr/lib/ipsec/plugins/
+endef
+
+define Plugin/eap-radius/install
+	$(INSTALL_DIR) $(1)/usr/lib/ipsec/plugins
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libradius.so.* $(1)/usr/lib/ipsec/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/libstrongswan-eap-radius.so $(1)/usr/lib/ipsec/plugins/
+endef
+
+define Plugin/attr-sql/install
+	$(INSTALL_DIR) $(1)/usr/lib/ipsec
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/pool $(1)/usr/lib/ipsec/
+endef
+
+define Plugin/stroke/install
+	$(INSTALL_DIR) $(1)/etc/ipsec.d/aacerts
+	$(INSTALL_DIR) $(1)/etc/ipsec.d/acerts
+	$(INSTALL_DIR) $(1)/etc/ipsec.d/cacerts
+	$(INSTALL_DIR) $(1)/etc/ipsec.d/certs
+	$(INSTALL_DIR) $(1)/etc/ipsec.d/crls
+	$(INSTALL_DIR) $(1)/etc/ipsec.d/ocspcerts
+	$(INSTALL_DIR) $(1)/etc/ipsec.d/private
+	$(INSTALL_DIR) $(1)/etc/ipsec.d/reqs
+
+	$(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/ipsec.conf $(1)/etc/
+
+	$(INSTALL_DIR) $(1)/usr/lib/ipsec/plugins
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/ipsec/{starter,stroke} $(1)/usr/lib/ipsec/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/libstrongswan-stroke.so $(1)/usr/lib/ipsec/plugins/
+endef
+
+define Plugin/updown/install
+	$(INSTALL_DIR) $(1)/usr/lib/ipsec/plugins
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/{_updown,_updown_espmark} $(1)/usr/lib/ipsec/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/libstrongswan-updown.so $(1)/usr/lib/ipsec/plugins/
+	$(INSTALL_DIR) $(1)/etc
+	$(INSTALL_CONF) ./files/ipsec.user $(1)/etc/
+endef
+
+define Plugin/whitelist/install
+	$(INSTALL_DIR) $(1)/usr/lib/ipsec/plugins
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/whitelist $(1)/usr/lib/ipsec/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/libstrongswan-whitelist.so $(1)/usr/lib/ipsec/plugins/
+endef
+
+define Plugin/kernel-libipsec/install
+	$(INSTALL_DIR) $(1)/usr/lib/ipsec
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libipsec.so.* $(1)/usr/lib/ipsec/
+endef
+
+$(eval $(call BuildPackage,strongswan))
+$(eval $(call BuildPackage,strongswan-default))
+$(eval $(call BuildPackage,strongswan-full))
+$(eval $(call BuildPackage,strongswan-minimal))
+$(eval $(call BuildPackage,strongswan-charon))
+$(eval $(call BuildPackage,strongswan-utils))
+$(eval $(call BuildPlugin,addrblock,RFC 3779 address block constraint support,))
+$(eval $(call BuildPlugin,aes,AES crypto,))
+$(eval $(call BuildPlugin,af-alg,AF_ALG crypto interface to Linux Crypto API,+kmod-crypto-user))
+$(eval $(call BuildPlugin,agent,SSH agent signing,))
+$(eval $(call BuildPlugin,attr,file based config,))
+$(eval $(call BuildPlugin,attr-sql,SQL based config,+strongswan-mod-sql))
+$(eval $(call BuildPlugin,blowfish,Blowfish crypto,))
+$(eval $(call BuildPlugin,ccm,CCM AEAD wrapper crypto,))
+$(eval $(call BuildPlugin,cmac,CMAC crypto,))
+$(eval $(call BuildPlugin,constraints,advanced X509 constraint checking,))
+$(eval $(call BuildPlugin,coupling,IKEv2 plugin to couple peer certificates permanently to authentication,))
+$(eval $(call BuildPlugin,ctr,Counter Mode wrapper crypto,))
+$(eval $(call BuildPlugin,curl,cURL fetcher plugin,+PACKAGE_strongswan-mod-curl:libcurl))
+$(eval $(call BuildPlugin,des,DES crypto,))
+$(eval $(call BuildPlugin,dhcp,DHCP based attribute provider,))
+$(eval $(call BuildPlugin,dnskey,DNS RR key decoding,))
+$(eval $(call BuildPlugin,duplicheck,advanced duplicate checking,))
+$(eval $(call BuildPlugin,eap-identity,EAP identity helper,))
+$(eval $(call BuildPlugin,eap-md5,EAP MD5 (CHAP) EAP auth,))
+$(eval $(call BuildPlugin,eap-mschapv2,EAP MS-CHAPv2 EAP auth,+strongswan-mod-md4 +strongswan-mod-des))
+$(eval $(call BuildPlugin,eap-radius,EAP RADIUS auth,))
+$(eval $(call BuildPlugin,farp,fake arp respsonses,))
+$(eval $(call BuildPlugin,fips-prf,FIPS PRF crypto,+strongswan-mod-sha1))
+$(eval $(call BuildPlugin,gcm,GCM AEAD wrapper crypto,))
+$(eval $(call BuildPlugin,gcrypt,libgcrypt,+PACKAGE_strongswan-mod-gcrypt:libgcrypt))
+$(eval $(call BuildPlugin,gmp,libgmp,+PACKAGE_strongswan-mod-gmp:libgmp))
+$(eval $(call BuildPlugin,ha,high availability cluster,))
+$(eval $(call BuildPlugin,hmac,HMAC crypto,))
+$(eval $(call BuildPlugin,kernel-libipsec,libipsec kernel interface,))
+$(eval $(call BuildPlugin,kernel-netlink,netlink kernel interface,))
+$(eval $(call BuildPlugin,ldap,LDAP,+PACKAGE_strongswan-mod-ldap:libopenldap))
+$(eval $(call BuildPlugin,led,LED blink on IKE activity,))
+$(eval $(call BuildPlugin,load-tester,load testing,))
+$(eval $(call BuildPlugin,nonce,nonce genereation,))
+$(eval $(call BuildPlugin,md4,MD4 crypto,))
+$(eval $(call BuildPlugin,md5,MD5 crypto,))
+$(eval $(call BuildPlugin,mysql,MySQL database interface,+strongswan-mod-sql +PACKAGE_strongswan-mod-mysql:libmysqlclient-r))
+$(eval $(call BuildPlugin,openssl,OpenSSL crypto,+PACKAGE_strongswan-mod-openssl:libopenssl))
+$(eval $(call BuildPlugin,padlock,VIA PadLock crypto,@TARGET_x86))
+$(eval $(call BuildPlugin,pem,PEM decoding,))
+$(eval $(call BuildPlugin,pgp,PGP key decoding,))
+$(eval $(call BuildPlugin,pkcs1,PKCS1 key decoding,))
+$(eval $(call BuildPlugin,pkcs8,PKCS8 key decoding,))
+$(eval $(call BuildPlugin,pkcs11,PKCS11 key decoding,))
+$(eval $(call BuildPlugin,pubkey,raw public key,))
+$(eval $(call BuildPlugin,random,RNG,))
+$(eval $(call BuildPlugin,resolve,DNS resolver,))
+$(eval $(call BuildPlugin,revocation,X509 CRL/OCSP revocation,))
+$(eval $(call BuildPlugin,sha1,SHA1 crypto,))
+$(eval $(call BuildPlugin,sha2,SHA2 crypto,))
+$(eval $(call BuildPlugin,smp,SMP configuration and control interface,+PACKAGE_strongswan-mod-smp:libxml2))
+$(eval $(call BuildPlugin,socket-default,default socket implementation for charon,))
+$(eval $(call BuildPlugin,socket-dynamic,dynamic socket implementation for charon,))
+$(eval $(call BuildPlugin,sql,SQL database interface,))
+$(eval $(call BuildPlugin,sqlite,SQLite database interface,+strongswan-mod-sql +PACKAGE_strongswan-mod-sqlite:libsqlite3))
+$(eval $(call BuildPlugin,stroke,Stroke,+strongswan-utils))
+$(eval $(call BuildPlugin,test-vectors,crypto test vectors,))
+$(eval $(call BuildPlugin,uci,UCI config interface,+PACKAGE_strongswan-mod-uci:libuci))
+$(eval $(call BuildPlugin,unity,Cisco Unity extension,))
+$(eval $(call BuildPlugin,updown,updown firewall,))
+$(eval $(call BuildPlugin,whitelist,peer identity whitelisting,))
+$(eval $(call BuildPlugin,x509,x509 certificate,))
+$(eval $(call BuildPlugin,xauth-eap,EAP XAuth backend,))
+$(eval $(call BuildPlugin,xauth-generic,generic XAuth backend,))
+$(eval $(call BuildPlugin,xcbc,xcbc crypto,))
diff --git a/net/strongswan/files/ipsec.init b/net/strongswan/files/ipsec.init
new file mode 100644
index 000000000..391a2ae8c
--- /dev/null
+++ b/net/strongswan/files/ipsec.init
@@ -0,0 +1,20 @@
+#!/bin/sh /etc/rc.common
+
+START=90
+STOP=10
+
+start() {
+	ipsec start
+}
+
+stop() {
+	ipsec stop
+}
+
+restart() {
+	ipsec restart
+}
+
+reload() {
+	ipsec update
+}
diff --git a/net/strongswan/files/ipsec.secrets b/net/strongswan/files/ipsec.secrets
new file mode 100644
index 000000000..ddd495699
--- /dev/null
+++ b/net/strongswan/files/ipsec.secrets
@@ -0,0 +1 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
diff --git a/net/strongswan/files/ipsec.user b/net/strongswan/files/ipsec.user
new file mode 100644
index 000000000..4351ace39
--- /dev/null
+++ b/net/strongswan/files/ipsec.user
@@ -0,0 +1,6 @@
+# This file is interpreted as shell script.
+# Put your custom ip rules here, they will
+# be executed with each call to the script
+# /usr/lib/ipsec/_updown which by default
+# strongswan executes.
+
diff --git a/net/strongswan/patches/201-kmodloader.patch b/net/strongswan/patches/201-kmodloader.patch
new file mode 100644
index 000000000..7d4615638
--- /dev/null
+++ b/net/strongswan/patches/201-kmodloader.patch
@@ -0,0 +1,28 @@
+--- a/src/starter/netkey.c
++++ b/src/starter/netkey.c
+@@ -31,7 +31,7 @@ bool starter_netkey_init(void)
+ 		/* af_key module makes the netkey proc interface visible */
+ 		if (stat(PROC_MODULES, &stb) == 0)
+ 		{
+-			ignore_result(system("modprobe -qv af_key"));
++			ignore_result(system("modprobe af_key 2>&1 >/dev/null"));
+ 		}
+ 
+ 		/* now test again */
+@@ -45,11 +45,11 @@ bool starter_netkey_init(void)
+ 	/* make sure that all required IPsec modules are loaded */
+ 	if (stat(PROC_MODULES, &stb) == 0)
+ 	{
+-		ignore_result(system("modprobe -qv ah4"));
+-		ignore_result(system("modprobe -qv esp4"));
+-		ignore_result(system("modprobe -qv ipcomp"));
+-		ignore_result(system("modprobe -qv xfrm4_tunnel"));
+-		ignore_result(system("modprobe -qv xfrm_user"));
++		ignore_result(system("modprobe ah4 2>&1 >/dev/null"));
++		ignore_result(system("modprobe esp4 2>&1 >/dev/null"));
++		ignore_result(system("modprobe ipcomp 2>&1 >/dev/null"));
++		ignore_result(system("modprobe xfrm4_tunnel 2>&1 >/dev/null"));
++		ignore_result(system("modprobe xfrm_user 2>&1 >/dev/null"));
+ 	}
+ 
+ 	DBG2(DBG_APP, "found netkey IPsec stack");
diff --git a/net/strongswan/patches/203-uci.patch b/net/strongswan/patches/203-uci.patch
new file mode 100644
index 000000000..274ea8694
--- /dev/null
+++ b/net/strongswan/patches/203-uci.patch
@@ -0,0 +1,20 @@
+--- a/src/libcharon/plugins/uci/uci_parser.c
++++ b/src/libcharon/plugins/uci/uci_parser.c
+@@ -78,7 +78,7 @@ METHOD(enumerator_t, section_enumerator_
+ 		if (uci_lookup(this->ctx, &element, this->package,
+ 					   this->current->name, "name") == UCI_OK)
+ 		{	/* use "name" attribute as config name if available ... */
+-			*value = uci_to_option(element)->value;
++			*value = uci_to_option(element)->v.string;
+ 		}
+ 		else
+ 		{	/* ... or the section name becomes config name */
+@@ -93,7 +93,7 @@ METHOD(enumerator_t, section_enumerator_
+ 		if (value && uci_lookup(this->ctx, &element, this->package,
+ 						  this->current->name, this->keywords[i]) == UCI_OK)
+ 		{
+-			*value = uci_to_option(element)->value;
++			*value = uci_to_option(element)->v.string;
+ 		}
+ 	}
+ 	va_end(args);
diff --git a/net/strongswan/patches/300-include-ipsec-user-script.patch b/net/strongswan/patches/300-include-ipsec-user-script.patch
new file mode 100644
index 000000000..d96e84492
--- /dev/null
+++ b/net/strongswan/patches/300-include-ipsec-user-script.patch
@@ -0,0 +1,17 @@
+--- a/src/_updown/_updown.in
++++ b/src/_updown/_updown.in
+@@ -16,11 +16,9 @@
+ # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ # for more details.
+ 
+-# CAUTION:  Installing a new version of strongSwan will install a new
+-# copy of this script, wiping out any custom changes you make.  If
+-# you need changes, make a copy of this under another name, and customize
+-# that, and use the (left/right)updown parameters in ipsec.conf to make
+-# strongSwan use yours instead of this default one.
++# Add your custom ip rules to the /etc/ipsec.user file if you need that functionality.
++
++[ -e /etc/ipsec.user ] && . /etc/ipsec.user "$1"
+ 
+ # things that this script gets (from ipsec_pluto(8) man page)
+ #