aboutsummaryrefslogtreecommitdiff
path: root/net/strongswan
Commit message (Collapse)AuthorAge
* strongswan: start charon directly from swanctlPhilip Prindeville2021-06-02
| | | | | | | | | | | ipsec uses starter, and reads /etc/ipsec.conf (which then includes /var/ipsec/ipsec.conf, etc). This is overly complicated, and can be problematic if you're using both swanctl and ipsec for migration. Running charon directly from procd via the init.d script avoid all of this. Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* Merge pull request #15601 from pprindeville/strongswan-make-swanctl-defaultPhilip Prindeville2021-05-14
|\ | | | | strongswan: make default bundle use swanctl
| * strongswan: make default bundle use swanctlPhilip Prindeville2021-05-10
| | | | | | | | Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* | strongswan: swanctl init script doesn't load connectionsPhilip Prindeville2021-05-05
|/ | | | | | Fixes issue #15446 Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: change name of config base directoryPhilip Prindeville2021-04-15
| | | | Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: add certificate generation utilityPhilip Prindeville2021-04-15
| | | | Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: add deprecation warning to ipsec scriptPhilip Prindeville2021-04-14
| | | | Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: handle chacha20poly1305 as AEADPhilip Prindeville2021-04-13
| | | | | | | | | chacha20policy1305 is also an AEAD cipher, and hence does not permit a hash algorithm. Fixes issue #15397. Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: fail on serious configuration errorsPhilip Prindeville2021-04-13
| | | | Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: drop subshell when possiblePhilip Prindeville2021-04-13
| | | | | | | A subshell caused by $(...) can't persistently modify globals as a side-effect. Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: libnttft must not select strongswanEneas U de Queiroz2021-04-09
| | | | | | | | The strongswan-libnttfft package should not select the strongswan package, but should depend on it instead. Otherwise a circular dependency is created. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* Merge pull request #6924 from derekyerger/strongswan-lattice-sha3Philip Prindeville2021-04-08
|\ | | | | strongswan: add more crypto plugins
| * strongswan: add more crypto pluginsDerek Yerger2021-04-05
| | | | | | | | | | | | | | | | | | Adds modules for BLISS signature scheme, NTRU and New Hope key exchange algorithms, and dependencies ChaCha20-Poly1305 AEAD, ChaCha20 XOF, MGF1 mask generation function, SHA3 hasher SHAKE XOF, and the Number Theoretic Transform library. Signed-off-by: Derek Yerger <derek@altdevs.net>
* | strongswan: bump to 5.9.2Philip Prindeville2021-04-05
| | | | | | | | | | | | Retire weak algorithms like MD5 and 3DES. Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* | strongswan: force PIC on all buildsPhilip Prindeville2021-04-05
| | | | | | | | Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* | strongswan: migrate to swanctl configsPhilip Prindeville2021-04-04
| | | | | | | | | | | | | | | | | | | | | | | | | | Derived from the ipsec initd script, with the following changes: (1) various code improvements, corrections (get rid of left/right updown scripts, since there's only one), etc; (2) add reauth and fragmentation parameters; (3) add x.509 certificate-based authentication; and other minor changes. Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* | strongswan: remove synthesized ipsec conf filesPhilip Prindeville2021-04-01
| | | | | | | | | | | | | | | | | | | | If you shutdown ipsec service, and it doesn't clean up /var/ipsec/ipsec.conf, then when you start swanctl service it might see an incompatible file on startup. Remedy is to remove unneeded files when shutting down the service. They can always be regenerated when the service starts again. Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* | strongswan: move ipsec conf files to subpackagePhilip Prindeville2021-03-31
|/ | | | | | | These config files are only used by the ipsec interface to charon, and shouldn't be part of the base package. Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: make the include's in the .conf files persistentPhilip Prindeville2021-03-26
| | | | | | | | | | | | | | | | | | Having scripts diddle user written config files seems potentially dangerous. Plus there's really no downside to including some empty files. Best to just make the includes be permanent. Additional feature suggested by Luiz: if a -opkg version of the config file was created unnecessarily, remove it as part of the upgrade process since changes won't be happening to that file as an artifact of the service starting. The include lines are now permanent, which means that (1) additional configuration synthesized by UCI won't be anywhere that opkg (or sysupgrade, for that matter) cares about since it won't be persistent, and (2) if changes are being made, then they're being done by a person with an editor and they really should be distinguished. Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: change maintainersPhilip Prindeville2021-03-25
| | | | Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: fix local_gateway discoveryPhilip Prindeville2021-02-16
| | | | | | | | | | | | | | | This has been observed by myself and @luizluca: ip route get is appending uid0 to the output, as seen from: root@OpenWrt2:~# ip route get 1.1.1.1 1.1.1.1 via 174.27.160.1 dev eth3 src 174.27.182.184 uid 0 cache root@OpenWrt2:~# so the fix is an anchored match, discarding all else. Also, using ip -o means never having to do multiline matches... Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* Merge pull request #14668 from pprindeville/strongswan-create-swanctl.d-dirPhilip Prindeville2021-02-09
|\ | | | | strongswan: create /etc/swanctl/conf.d directory
| * strongswan: include /etc/swanctl/conf.d/ directoryPhilip Prindeville2021-02-08
| | | | | | | | Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* | strongswan: avoid duplicate loggingPhilip Prindeville2021-02-05
|/ | | | Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: bump to 5.9.1Stijn Tintel2020-11-30
| | | | Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: bump to 5.9.0Stijn Tintel2020-09-02
| | | | Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: add left and mark configuration to UCIMichael C. Bazarewsky2020-08-27
| | | | | | | | This commit allows for UCI configuration of the "left=" and the "mark=" values in a StrongSwan IPSec connection. This improves VTI support and allows certain stricter connection scenarios. Signed-off-by: Michael C. Bazarewsky <github@bazstuff.com>
* strongswan: bump to 5.8.4Stijn Tintel2020-05-08
| | | | Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: move ipsec.* to strongswan-ipsecStijn Tintel2020-03-30
| | | | | | | | | | | When building with strongswan-ipsec disabled, strongswan fails to build because the ipsec.conf file does not exist. Fix this by moving the ipsec.* files and directories to the strongswan-ipsec package. Closes #10879 while keeping ipsec.conf to avoid breaking existing setups, as opposed to #11709. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: add conffiles for swanctl utilSven Roederer2020-03-25
| | | | | Add a conffiles-section for the /etc/swanctl folder, which is used by the swanctl util. This will keep the configfiles during an sysupgrade. Signed-off-by: Sven Roederer <S.Roederer@colvistec.de>
* strongswan: quote 'comment' parameter in Config.inEneas U de Queiroz2020-03-18
| | | | | | | Newer versions of the kconfig generator require quotes. Prepare the package for an eventual update. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* strongswan: bump to 5.8.2Stijn Tintel2020-01-17
| | | | Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: allow to specify per-connection reqid with UCIPaul Fertser2019-11-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is useful to assign all traffic to a fw3 zone, e.g.: /etc/config/ipsec: config remote 'test' list tunnel 'dev' ... config 'tunnel' 'dev' option reqid '33' ... /etc/config/firewall: config zone option name wan option extra_src "-m policy --pol none --dir in" option extra_dest "-m policy --pol none --dir out" ... config zone option name vpn # subnet needed for firewall3 before 22 Nov 2019, 8174814a list subnet '0.0.0.0/0' option extra_src "-m policy --pol ipsec --dir in --reqid 33" option extra_dest "-m policy --pol ipsec --dir out --reqid 33" ... Signed-off-by: Paul Fertser <fercerpav@gmail.com>
* treewide: add PKG_CPE_ID for better cvescanner coverageJan Pavlinec2019-09-17
| | | | Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
* strongswan: bump to 5.8.1Stijn Tintel2019-09-16
| | | | Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* treewide: Change .*GPL.*+ licenses to SPDX compatible identifierSven Eckelmann2019-09-10
| | | | | | | | The CONTRIBUTING.md requests an (or multiple) SPDX identifier for GPL licenses. But a lot of packages did use a different, non-SPDX style with a "+" at the end instead of "-or-later". Signed-off-by: Sven Eckelmann <sven@narfation.org>
* strongswan: update to 5.8.0Lucian Cristian2019-05-23
| | | | Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
* strongswan: collapse menu itemsMoritz Warning2019-03-27
| | | | Signed-off-by: Moritz Warning <moritzwarning@web.de>
* strongswan: bump to 5.7.2Stijn Tintel2019-01-02
| | | | Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: bump to 5.7.1Stijn Tintel2018-10-19
| | | | Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: bump to 5.7.0Stijn Tintel2018-10-07
| | | | Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: backport upstream fixes for CVEs in gmp pluginMagnus Kroken2018-10-06
| | | | | | | | | | | | | This fixes: * CVE-2018-16151 * CVE-2018-16152 * CVE-2018-17540 Details: https://strongswan.org/blog/2018/09/24/strongswan-vulnerability-(cve-2018-16151,-cve-2018-16152).html https://strongswan.org/blog/2018/10/01/strongswan-vulnerability-(cve-2018-17540).html Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* strongswan: refresh patchesHans Dedecker2018-09-13
| | | | Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* strongswan: fix OpenWrt hotplug script handlingHans Dedecker2018-09-13
| | | | | | | | | | | | Commit 6cd8fcabe added ipsec hotplug script support by calling "exec /sbin/hotplug-call ipsec". Using the exec call breaks the insertion of iptables rules by the _updown.in script as hotplug-call just replaces the current shell meaning the commands following exec do not run since the shell is replaced and as a result lead to connectivity issues. Fix this by removing the exec command in front of /sbin/hotplug-call. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* Merge pull request #6423 from micmac1/strongswan-uclibc-iconvStijn Tintel2018-08-02
|\ | | | | strongswan: fix uclibc build issue
| * strongswan: include nls.mk for mysql pluginSebastian Kemper2018-07-13
| | | | | | | | | | | | ibmariadb 10.2 needs to be linked in together with iconv. Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
* | strongswan: add openwrt hotplug script handlingFlorian Eckert2018-07-16
|/ | | | | | | | Ipsec user script (/etc/ipsec.user) now get called indirectly by openwrt "/sbin/hotplug-call". So other packages could also install their scripts in "/etc/hotplug.d/ipsec". Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* strongswan: bump to 5.6.3Stijn Tintel2018-05-28
| | | | | | | | Fixes the following CVEs: - CVE-2018-5388 - CVE-2018-10811 Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: bump to 5.6.2Stijn Tintel2018-02-27
| | | | Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: add interface uci listHans Dedecker2017-12-13
| | | | | | | | | | | | | The interface config option allows users to configure logical OpenWRT interface names in the ipsec section; it allows StrongSwan to listen and send traffic on specified interface(s). It translates to interfaces_use StrongSwan option which is a comma sepearted list of network devices that should be used by charon. Since StrongSwan can only be started when one of the specified logical OpenWRT interface is up procd interface triggers are installed to trigger the reload script. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>