Merge branch 'split-plugins'

Conflicts:
	debian/changelog

15 files changed, 281 insertions, 86 deletions

diff --git a/debian/NEWS b/debian/NEWS
index f6fd43e8c..af017f769 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,20 @@
+strongswan (5.1.1-2+splitplugins) experimental; urgency=medium
+
+  In 5.1.1-2 package, few plugins have been split from the main libstrongswan
+  package. The plugins are now in following packages:
+    - libstrongswan: main/default plugins, as defined by the strongSwan
+    project
+    - libstrongswan-standard-plugins: non default but useful plugins (agent,
+    gcm and openssl)
+    - libstrongswan-extra-plugins: more scarcely used plugins
+    - libcharon-extra-plugins: more scarecely used plugins for the charon
+    daemon
+
+  WARNING: this is an experimental release of the packaging, use at your own
+  risk.
+
+ -- Yves-Alexis Perez <corsac@debian.org>  Sun, 02 Feb 2014 20:05:15 +0100
+
 strongswan (5.1.0-1) unstable; urgency=low
 
   Starting with strongSwan 5, the IKEv1 daemon (pluto) is gone, and the charon
diff --git a/debian/changelog b/debian/changelog
index 0e314dd0e..1a434cf0e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,20 @@
+strongswan (5.1.1-2+splitplugins) experimental; urgency=medium
+
+  * debian/control:
+    - drop dependency on host, inherited from openSwan.         closes: #736661
+    - split charon-cmd to a standalone package.
+    - add new plugins packages: libstrongswan-standard-plugins,
+    libstrongswan-extra-plugins and libcharon-extra-plugins.
+    - split strongswan-ike package to strongswan-libcharon (libcharon and
+    default libcharon plugins) and strongswan-charon (charon daemon), keep
+    strongswan-ike as transitional package for now.
+  * debian/po:
+    - sv.po updated, thanks Martin Bagge.                       closes: #725667
+  * debian/charon-cmd.lintian-overrides: override lintian error about
+    charon-cmd rpath.
+
+ -- Yves-Alexis Perez <corsac@debian.org>  Mon, 24 Feb 2014 10:42:49 +0100
+
 strongswan (5.1.1-2) unstable; urgency=medium
 
   * debian/control:
diff --git a/debian/charon-cmd.install b/debian/charon-cmd.install
new file mode 100644
index 000000000..1db15271f
--- /dev/null
+++ b/debian/charon-cmd.install
@@ -0,0 +1,2 @@
+usr/sbin/charon-cmd
+usr/share/man/man8/charon-cmd.8
diff --git a/debian/charon-cmd.lintian-overrides b/debian/charon-cmd.lintian-overrides
new file mode 100644
index 000000000..26be392ba
--- /dev/null
+++ b/debian/charon-cmd.lintian-overrides
@@ -0,0 +1,3 @@
+# strongswan libraries are installed in /usr/lib/ipsec because they are private
+# to the strongSwan project. We still want to split multiple binaries from the lib
+charon-cmd: binary-or-shlib-defines-rpath usr/sbin/charon-cmd /usr/lib/ipsec
diff --git a/debian/control b/debian/control
index af9b60ca8..61482e928 100644
--- a/debian/control
+++ b/debian/control
@@ -18,8 +18,7 @@ Homepage: http://www.strongswan.org
 
 Package: strongswan
 Architecture: all
-Depends: ${misc:Depends}, strongswan-ike
-Suggests: network-manager-strongswan
+Depends: ${misc:Depends}, strongswan-charon, strongswan-starter, iproute [linux-any]
 Description: IPsec VPN solution metapackage
  The strongSwan VPN suite uses the native IPsec stack in the standard Linux
  kernel. It supports both the IKEv1 and IKEv2 protocols.
@@ -29,23 +28,143 @@ Description: IPsec VPN solution metapackage
 
 Package: libstrongswan
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, openssl
+Depends: ${shlibs:Depends}, ${misc:Depends}
 Conflicts: strongswan (<< 4.2.12-1)
 Breaks: strongswan-ikev2 (<< 4.6.4)
 Replaces: strongswan-ikev2 (<< 4.6.4)
+Recommends: libstrongswan-standard-plugins
+Suggests: libstrongswan-extra-plugins
 Description: strongSwan utility and crypto library
  The strongSwan VPN suite uses the native IPsec stack in the standard
  Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
  .
- This package provides the underlying library of charon and other strongSwan
+ This package provides the underlying libraries of charon and other strongSwan
  components. It is built in a modular way and is extendable through various
  plugins.
+ .
+ Some default (as specified by the strongSwan projet) plugins are included.
+ For libstrongswan (cryptographic backends, URI fetchers and database layers):
+  - aes (AES-128/192/256 cipher software implementation)
+  - constraints (X.509 certificate advanced constraint checking)
+  - dnskey (Parse RFC 4034 public keys)
+  - fips-prf (PRF specified by FIPS, used by EAP-SIM/AKA algorithms)
+  - gmp (RSA/DH crypto backend based on libgmp)
+  - hmac (HMAC wrapper using various hashers)
+  - md5 (MD5 hasher software implementation)
+  - nonce (Default nonce generation plugin)
+  - pem (PEM encoding/decoding routines)
+  - pgp (PGP encoding/decoding routines)
+  - pkcs1 (PKCS#1 encoding/decoding routines)
+  - pkcs8 (PKCS#8 decoding routines)
+  - pkcs12 (PKCS#12 decoding routines)
+  - pubkey (Wrapper to handle raw public keys as trusted certificates)
+  - random (RNG reading from /dev/[u]random)
+  - rc2 (RC2 cipher software implementation)
+  - revocation (X.509 CRL/OCSP revocation checking)
+  - sha1 (SHA1 hasher software implementation)
+  - sha2 (SHA256/SHA384/SHA512 hasher software implementation)
+  - sshkey (SSH key decoding routines)
+  - x509 (Advanced X.509 plugin for parsing/generating X.509 certificates/CRLs
+    and OCSP messages)
+  - xcbc (XCBC wrapper using various ciphers)
+ For libhydra (IKE daemon plugins):
+  - attr (Provides IKE attributes configured in strongswan.conf)
+  - kernel-netlink [linux] (IPsec/Networking kernel interface using Linux
+    Netlink)
+  - kernel-pfkey [kfreebsd] (IPsec kernel interface using PF_KEY)
+  - kernel-pfroute [kfreebsd] (Networking kernel interface using PF_ROUTE)
+  - resolve (Writes name servers received via IKE to a resolv.conf file or
+    installs them via resolvconf(8))
+
+Package: libstrongswan-standard-plugins
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version})
+Breaks: libstrongswan (<= 5.1.1-1), strongswan-ike (<= 5.1.1-1)
+Replaces: libstrongswan (<= 5.1.1-1),strongswan-ike (<= 5.1.1-1)
+Description: strongSwan utility and crypto library (standard plugins)
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides some common plugins for the strongSwan utility and
+ cryptograhic library.
+ .
+ Included plugins are:
+  - agent (RSA/ECDSA private key backend connecting to SSH-Agent)
+  - gcm (GCM cipher mode wrapper)
+  - openssl (Crypto backend based on OpenSSL, provides
+    RSA/ECDSA/DH/ECDH/ciphers/hashers/HMAC/X.509/CRL/RNG)
+
+Package: libstrongswan-extra-plugins
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version})
+Breaks: libstrongswan (<= 5.1.1-1), strongswan-ike (<= 5.1.1-1)
+Replaces: libstrongswan (<= 5.1.1-1),strongswan-ike (<= 5.1.1-1)
+Description: strongSwan utility and crypto library (extra plugins)
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides extra plugins for the strongSwan utility and
+ cryptograhic library.
+ .
+ Included plugins are:
+  - af-alg [linux] (AF_ALG Linux crypto API interface, provides
+    ciphers/hashers/hmac/xcbc)
+  - ccm (CCM cipher mode wrapper)
+  - cmac (CMAC cipher mode wrapper)
+  - ctr (CTR cipher mode wrapper)
+  - curl (libcurl based HTTP/FTP fetcher)
+  - gcrypt (Crypto backend based on libgcrypt, provides
+    RSA/DH/ciphers/hashers/rng)
+  - ldap (LDAP fetching plugin based on libldap)
+  - padlock (VIA padlock crypto backend, provides AES128/SHA1)
+  - pkcs11 (PKCS#11 smartcard backend)
+  - rdrand (High quality / high performance random source using the Intel
+    rdrand instruction found on Ivy Bridge processors)
+  - test-vectors (Set of test vectors for various algorithms)
+
+Package: libcharon-extra-plugins
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version})
+Breaks: libstrongswan (<= 5.1.1-1), strongswan-ike (<= 5.1.1-1)
+Replaces: libstrongswan (<= 5.1.1-1),strongswan-ike (<= 5.1.1-1)
+Description: strongSwan charon library (extra plugins)
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides extra plugins for the charon library:
+  - addrblock (Narrow traffic selectors to RFC 3779 address blocks in X.509
+    certificates)
+  - certexpire (Export expiration dates of used certificates)
+  - eap-aka (Generic EAP-AKA protocol handler using different backends)
+  - eap-gtc (EAP-GTC protocol handler authenticating with XAuth backends)
+  - eap-identity (EAP-Identity identity exchange algorithm, to use with other
+    EAP protocols)
+  - eap-md5 (EAP-MD5 protocol handler using passwords)
+  - eap-mschapv2 (EAP-MSCHAPv2 protocol handler using passwords/NT hashes)
+  - eap-radius (EAP server proxy plugin forwarding EAP conversations to a
+    RADIUS server)
+  - eap-tls (EAP-TLS protocol handler, to authenticate with certificates in
+    EAP)
+  - eap-tnc (EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel)
+  - eap-ttls (EAP-TTLS protocol handler, wraps other EAP methods securely)
+  - error-notify (Notification about errors via UNIX socket)
+  - ha (High-Availability clustering)
+  - led (Let Linux LED subsystem LEDs blink on IKE activity)
+  - lookip (Virtual IP lookup facility using a UNIX socket)
+  - medcli (Web interface based mediation client interface)
+  - medsrv (Web interface based mediation server interface)
+  - tnc (Trusted Network Connect)
+  - unity (Cisco Unity extensions for IKEv1)
+  - xauth-eap (XAuth backend that uses EAP methods to verify passwords)
+  - xauth-generic (Generic XAuth backend that provides passwords from
+    ipsec.secrets and other credential sets)
+  - xauth-pam (XAuth backend that uses PAM modules to verify passwords)
 
 Package: strongswan-dbg
 Architecture: any
 Section: debug
 Priority: extra
-Depends: ${misc:Depends}, strongswan, libstrongswan
+Depends: ${misc:Depends}, strongswan, libstrongswan (= ${binary:Version})
 Description: strongSwan library and binaries - debugging symbols
  The strongSwan VPN suite uses the native IPsec stack in the standard
  Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
@@ -54,9 +173,9 @@ Description: strongSwan library and binaries - debugging symbols
 
 Package: strongswan-starter
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, 
-  libstrongswan (= ${binary:Version}), strongswan-ike,
-  adduser
+Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (=
+ ${binary:Version}), adduser
+Recommends: strongswan-charon
 Conflicts: strongswan (<< 4.2.12-1)
 Description: strongSwan daemon starter and configuration file parser
  The strongSwan VPN suite uses the native IPsec stack in the standard
@@ -66,27 +185,51 @@ Description: strongSwan daemon starter and configuration file parser
  the command line. It parses ipsec.conf and loads the configurations to the
  daemon.
 
-Package: strongswan-ike
+Package: strongswan-libcharon
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version})
+Suggests: libcharon-extra-plugins
+Breaks: libstrongswan (<= 5.1.1-1)
+Replaces: strongswan-ike, libstrongswan (<= 5.1.1-1)
+Description: strongSwan charon library
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package contains the charon library, used by IKE client like
+ strongswan-charon, strongswan-charon-cmd or strongswan-nm
+
+Package: strongswan-charon
 Architecture: any
 Pre-Depends: debconf | debconf-2.0
-Depends: ${shlibs:Depends}, ${misc:Depends}, 
-  libstrongswan (= ${binary:Version}), strongswan-starter | strongswan-nm,
-  bsdmainutils, debianutils (>=1.7), ipsec-tools, iproute [linux-any]
-Suggests: curl
+Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version}),
+ strongswan-starter
 Provides: ike-server
-Conflicts: freeswan (<< 2.04-12), openswan, strongswan (<< 4.2.12-1)
-Replaces: strongswan-ikev1, strongswan-ikev2
-Description: strongSwan Internet Key Exchange (v2) daemon
+Breaks: libstrongswan (<= 5.1.1-1), strongswan-ike (<= 5.1.1-1)
+Replaces: strongswan-ikev1, strongswan-ikev2, libstrongswan (<= 5.1.1-1), strongswan-ike (<= 5.1.1-1)
+Description: strongSwan Internet Key Exchange daemon
  The strongSwan VPN suite uses the native IPsec stack in the standard
  Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
  .
- charon is an IPsec IKEv2 daemon. It is written from scratch using a fully
- multi-threaded design and a modular architecture. Various plugins provide
- additional functionality.
+ charon is an IPsec IKEv2 daemon which can act as an initiator or a responder.
+ It is written from scratch using a fully multi-threaded design and a modular
+ architecture. Various plugins can provide additional functionality.
+
+Package: strongswan-ike
+Architecture: all
+Section: oldlibs
+Priority: extra
+Depends: ${shlibs:Depends}, ${misc:Depends}, strongswan-charon
+Description: strongSwan Internet Key Exchange daemon (transitional package)
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package used to install version 5 of the charon daemon and has been
+ replaced by the strongswan-charon package. This package can be safely removed
+ once it's installed.
 
 Package: strongswan-nm
 Architecture: linux-any
-Depends: ${shlibs:Depends}, ${misc:Depends}, strongswan-ike
+Depends: ${shlibs:Depends}, ${misc:Depends}
 Recommends: network-manager-strongswan
 Description: strongSwan plugin to interact with NetworkManager
  The strongSwan VPN suite uses the native IPsec stack in the standard
@@ -122,3 +265,15 @@ Description: strongSwan IKEv2 daemon, transitional package
  This package used to install the charon daemon, implementing the IKEv2
  protocol. It has been replaced the strongswan-ike package, so it can be safely
  removed.
+
+Package: charon-cmd
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version})
+Breaks: strongswan-ike (<= 5.1.1-1)
+Replaces: strongswan-ike (<= 5.1.1-1)
+Description: standalone IPsec client
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package contains the charon-cmd command, which can be used as a client to
+ connect to a remote IKE daemon.
diff --git a/debian/libcharon-extra-plugins.install b/debian/libcharon-extra-plugins.install
new file mode 100644
index 000000000..8a7080f00
--- /dev/null
+++ b/debian/libcharon-extra-plugins.install
@@ -0,0 +1,26 @@
+# libcharon plugins
+usr/lib/ipsec/plugins/libstrongswan-addrblock.so
+usr/lib/ipsec/plugins/libstrongswan-certexpire.so
+usr/lib/ipsec/plugins/libstrongswan-eap*.so
+usr/lib/ipsec/plugins/libstrongswan-error-notify.so
+usr/lib/ipsec/plugins/libstrongswan-ha.so
+usr/lib/ipsec/plugins/libstrongswan-led.so
+usr/lib/ipsec/plugins/libstrongswan-lookip.so
+usr/lib/ipsec/plugins/libstrongswan-medsrv.so
+usr/lib/ipsec/plugins/libstrongswan-medcli.so
+usr/lib/ipsec/plugins/libstrongswan-tnc-tnccs.so
+usr/lib/ipsec/plugins/libstrongswan-unity.so
+usr/lib/ipsec/plugins/libstrongswan-xauth-eap.so
+usr/lib/ipsec/plugins/libstrongswan-xauth-generic.so
+usr/lib/ipsec/plugins/libstrongswan-xauth-pam.so
+# support libs
+usr/lib/ipsec/libfast.so*
+usr/lib/ipsec/libpttls.so*
+usr/lib/ipsec/libradius.so*
+usr/lib/ipsec/libsimaka.so*
+usr/lib/ipsec/libtnccs.so*
+usr/lib/ipsec/libtls.so*
+# binaries
+usr/lib/ipsec/error-notify
+usr/lib/ipsec/lookip
+usr/lib/ipsec/pt-tls-client
diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install
new file mode 100644
index 000000000..db196e3a0
--- /dev/null
+++ b/debian/libstrongswan-extra-plugins.install
@@ -0,0 +1,9 @@
+# libstrongswan
+usr/lib/ipsec/plugins/libstrongswan-ccm.so
+usr/lib/ipsec/plugins/libstrongswan-cmac.so
+usr/lib/ipsec/plugins/libstrongswan-ctr.so
+usr/lib/ipsec/plugins/libstrongswan-curl.so
+usr/lib/ipsec/plugins/libstrongswan-gcrypt.so
+usr/lib/ipsec/plugins/libstrongswan-ldap.so
+usr/lib/ipsec/plugins/libstrongswan-pkcs11.so
+usr/lib/ipsec/plugins/libstrongswan-test-vectors.so
diff --git a/debian/libstrongswan-standard-plugins.install b/debian/libstrongswan-standard-plugins.install
new file mode 100644
index 000000000..e1c3e313f
--- /dev/null
+++ b/debian/libstrongswan-standard-plugins.install
@@ -0,0 +1,4 @@
+# libstrongswan
+usr/lib/ipsec/plugins/libstrongswan-agent.so
+usr/lib/ipsec/plugins/libstrongswan-gcm.so
+usr/lib/ipsec/plugins/libstrongswan-openssl.so
diff --git a/debian/libstrongswan.install b/debian/libstrongswan.install
index c25c099b9..69a1c7245 100644
--- a/debian/libstrongswan.install
+++ b/debian/libstrongswan.install
@@ -1,52 +1,30 @@
+# libstrongswan
 usr/lib/ipsec/libstrongswan.so*
-usr/lib/ipsec/libhydra.so*
-usr/lib/ipsec/libfast.so*
-usr/lib/ipsec/libsimaka.so*
-usr/lib/ipsec/libtnccs.so*
-usr/lib/ipsec/libradius.so*
-usr/lib/ipsec/libtls.so*
-usr/lib/ipsec/libpttls.so*
+usr/lib/ipsec/plugins/libstrongswan-aes.so
+usr/lib/ipsec/plugins/libstrongswan-constraints.so
+usr/lib/ipsec/plugins/libstrongswan-dnskey.so
+usr/lib/ipsec/plugins/libstrongswan-fips-prf.so
 usr/lib/ipsec/plugins/libstrongswan-gmp.so
-usr/lib/ipsec/plugins/libstrongswan-openssl.so
-usr/lib/ipsec/plugins/libstrongswan-x509.so
-usr/lib/ipsec/plugins/libstrongswan-pkcs7.so
-usr/lib/ipsec/plugins/libstrongswan-pkcs11.so
+usr/lib/ipsec/plugins/libstrongswan-hmac.so
+usr/lib/ipsec/plugins/libstrongswan-md5.so
+usr/lib/ipsec/plugins/libstrongswan-nonce.so
 usr/lib/ipsec/plugins/libstrongswan-pgp.so
 usr/lib/ipsec/plugins/libstrongswan-pem.so
 usr/lib/ipsec/plugins/libstrongswan-pkcs1.so
+usr/lib/ipsec/plugins/libstrongswan-pkcs7.so
+usr/lib/ipsec/plugins/libstrongswan-pkcs8.so
+usr/lib/ipsec/plugins/libstrongswan-pkcs12.so
 usr/lib/ipsec/plugins/libstrongswan-pubkey.so
-usr/lib/ipsec/plugins/libstrongswan-hmac.so
-usr/lib/ipsec/plugins/libstrongswan-xcbc.so
 usr/lib/ipsec/plugins/libstrongswan-random.so
-usr/lib/ipsec/plugins/libstrongswan-aes.so
-usr/lib/ipsec/plugins/libstrongswan-xcbc.so
-usr/lib/ipsec/plugins/libstrongswan-ctr.so
-usr/lib/ipsec/plugins/libstrongswan-ccm.so
-usr/lib/ipsec/plugins/libstrongswan-gcm.so
-usr/lib/ipsec/plugins/libstrongswan-led.so
-usr/lib/ipsec/plugins/libstrongswan-addrblock.so
-usr/lib/ipsec/plugins/libstrongswan-md5.so
+usr/lib/ipsec/plugins/libstrongswan-rc2.so
+usr/lib/ipsec/plugins/libstrongswan-revocation.so
 usr/lib/ipsec/plugins/libstrongswan-sha1.so
 usr/lib/ipsec/plugins/libstrongswan-sha2.so
-usr/lib/ipsec/plugins/libstrongswan-dnskey.so
-usr/lib/ipsec/plugins/libstrongswan-fips-prf.so
-usr/lib/ipsec/plugins/libstrongswan-resolve.so
-usr/lib/ipsec/plugins/libstrongswan-ha.so
-usr/lib/ipsec/plugins/libstrongswan-revocation.so
-usr/lib/ipsec/plugins/libstrongswan-constraints.so
-usr/lib/ipsec/plugins/libstrongswan-test-vectors.so
-usr/lib/ipsec/plugins/libstrongswan-tnc-tnccs.so
-usr/lib/ipsec/plugins/libstrongswan-pkcs8.so
-usr/lib/ipsec/plugins/libstrongswan-cmac.so
-usr/lib/ipsec/plugins/libstrongswan-ldap.so
-usr/lib/ipsec/plugins/libstrongswan-attr*.so
-usr/lib/ipsec/plugins/libstrongswan-curl.so
-usr/lib/ipsec/plugins/libstrongswan-gcrypt.so
-usr/lib/ipsec/plugins/libstrongswan-nonce.so
-usr/lib/ipsec/plugins/libstrongswan-xauth-eap.so
-usr/lib/ipsec/plugins/libstrongswan-xauth-generic.so
-usr/lib/ipsec/plugins/libstrongswan-xauth-pam.so
-usr/lib/ipsec/plugins/libstrongswan-rc2.so
-usr/lib/ipsec/plugins/libstrongswan-pkcs12.so
 usr/lib/ipsec/plugins/libstrongswan-sshkey.so
+usr/lib/ipsec/plugins/libstrongswan-x509.so
+usr/lib/ipsec/plugins/libstrongswan-xcbc.so
+# libhydra
+usr/lib/ipsec/libhydra.so*
+usr/lib/ipsec/plugins/libstrongswan-attr.so
+usr/lib/ipsec/plugins/libstrongswan-resolve.so
 etc/strongswan.conf
diff --git a/debian/rules b/debian/rules
index 85b75aabb..d7ad51ad3 100755
--- a/debian/rules
+++ b/debian/rules
@@ -84,10 +84,10 @@ override_dh_install:
 	# first special cases
 ifeq ($(DEB_BUILD_ARCH_OS),linux)
 	# handle Linux-only plugins
-	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-dhcp.so
-	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-farp.so
+	dh_install -p libcharon-extra-plugins usr/lib/ipsec/plugins/libstrongswan-dhcp.so
+	dh_install -p libcharon-extra-plugins usr/lib/ipsec/plugins/libstrongswan-farp.so
 	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-kernel-netlink.so
-	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-af-alg.so
+	dh_install -p libstrongswan-extras-plugins usr/lib/ipsec/plugins/libstrongswan-af-alg.so
 endif
 
 ifeq ($(DEB_BUILD_ARCH_OS),kfreebsd)
@@ -98,12 +98,12 @@ endif
 
 ifeq ($(DEB_BUILD_ARCH_CPU),i386)
 	# special handling for padlock, as it is only built on i386
-	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-padlock.so
-	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-rdrand.so
+	dh_install -p libstrongswan-extras-plugins usr/lib/ipsec/plugins/libstrongswan-padlock.so
+	dh_install -p libstrongswan-extras-plugins usr/lib/ipsec/plugins/libstrongswan-rdrand.so
 endif
 
 ifeq ($(DEB_BUILD_ARCH_CPU), amd64)
-	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-rdrand.so
+	dh_install -p libstrongswan-extras-plugins usr/lib/ipsec/plugins/libstrongswan-rdrand.so
 endif
 
 	# then install the rest, ignoring the above
diff --git a/debian/strongswan-charon.install b/debian/strongswan-charon.install
new file mode 100644
index 000000000..761aea544
--- /dev/null
+++ b/debian/strongswan-charon.install
@@ -0,0 +1 @@
+usr/lib/ipsec/charon
diff --git a/debian/strongswan-ike.install b/debian/strongswan-ike.install
deleted file mode 100644
index 2b94a3c18..000000000
--- a/debian/strongswan-ike.install
+++ /dev/null
@@ -1,15 +0,0 @@
-usr/sbin/charon-cmd
-usr/share/man/man8/charon-cmd.8
-usr/lib/ipsec/libcharon.so*
-usr/lib/ipsec/charon
-usr/lib/ipsec/lookip
-usr/lib/ipsec/error-notify
-usr/lib/ipsec/plugins/libstrongswan-socket*.so
-usr/lib/ipsec/plugins/libstrongswan-eap*.so
-usr/lib/ipsec/plugins/libstrongswan-agent.so
-usr/lib/ipsec/plugins/libstrongswan-medsrv.so
-usr/lib/ipsec/plugins/libstrongswan-medcli.so
-usr/lib/ipsec/plugins/libstrongswan-certexpire.so
-usr/lib/ipsec/plugins/libstrongswan-lookip.so
-usr/lib/ipsec/plugins/libstrongswan-error-notify.so
-usr/lib/ipsec/plugins/libstrongswan-unity.so
diff --git a/debian/strongswan-ike.lintian-overrides b/debian/strongswan-ike.lintian-overrides
deleted file mode 100644
index 90f644f8f..000000000
--- a/debian/strongswan-ike.lintian-overrides
+++ /dev/null
@@ -1,3 +0,0 @@
-# we do pass hardening flags
-strongswan-ike: hardening-no-fortify-functions usr/lib/ipsec/plugins/libstrongswan-agent.so
-strongswan-ike: hardening-no-fortify-functions usr/lib/ipsec/plugins/libstrongswan-socket-raw.so
diff --git a/debian/strongswan-libcharon.install b/debian/strongswan-libcharon.install
new file mode 100644
index 000000000..084db38eb
--- /dev/null
+++ b/debian/strongswan-libcharon.install
@@ -0,0 +1,2 @@
+usr/lib/ipsec/libcharon*
+usr/lib/ipsec/plugins/libstrongswan-socket-default.so
diff --git a/debian/strongswan-starter.install b/debian/strongswan-starter.install
index dff09e33a..feb578bc6 100644
--- a/debian/strongswan-starter.install
+++ b/debian/strongswan-starter.install
@@ -18,7 +18,6 @@ usr/share/man/man8/_updown_espmark.8
 usr/bin/pki
 usr/lib/ipsec/scepclient
 usr/lib/ipsec/openac
-usr/lib/ipsec/pt-tls-client
 usr/share/man/man8/scepclient.8
 usr/share/man/man8/openac.8
 usr/share/man/man1/pki---gen.1