author | Yves-Alexis Perez <corsac@debian.org> | 2016-03-24 11:59:32 +0100 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2016-03-24 11:59:32 +0100 |
commit | 518dd33c94e041db0444c7d1f33da363bb8e3faf (patch) | |
tree | e8d1665ffadff7ec40228dda47e81f8f4691cd07 /man | |
parent | f42f239a632306ed082f6fde878977248eea85cf (diff) | |
Imported Upstream version 5.4.0
Diffstat (limited to 'man')
-rw-r--r-- | man/Makefile.in | 2 | ||||
-rw-r--r-- | man/ipsec.conf.5.in | 21 |
2 files changed, 15 insertions, 8 deletions
diff --git a/man/Makefile.in b/man/Makefile.in index 501361003..5f621c201 100644 --- a/man/Makefile.in +++ b/man/Makefile.in @@ -365,6 +365,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index 61804c8b3..54440c0c7 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -402,7 +402,7 @@ or keyword may be used, AH+ESP bundles are not supported. Defaults to -.BR aes128-sha1,3des-sha1 . +.BR aes128-sha256 . The daemon adds its extensive default proposal to this default or the configured value. To restrict it to the configured proposal an exclamation mark @@ -453,7 +453,7 @@ if required. .BR ike " = <cipher suites>" comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms to be used, e.g. -.BR aes128-sha1-modp2048 . +.BR aes128-sha256-modp3072 . The notation is .BR encryption-integrity[-prf]-dhgroup . If no PRF is given, the algorithms defined for integrity are used for the PRF. @@ -466,10 +466,10 @@ or .BR prfaesxcbc ). .br In IKEv2, multiple algorithms and proposals may be included, such as -.BR aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024 . +.BR aes128-aes256-sha1-modp3072-modp2048,3des-sha1-md5-modp1024 . Defaults to -.BR aes128-sha1-modp2048,3des-sha1-modp1536 . +.BR aes128-sha256-modp3072 . The daemon adds its extensive default proposal to this default or the configured value. To restrict it to the configured proposal an exclamation mark 
@@ -587,18 +587,23 @@ or a key strength definition (for example or .BR rsa-2048-ecdsa-256-sha256-sha384-sha512 ). Unless disabled in -.BR strongswan.conf (5) -such key types and hash algorithms are also applied as constraints against IKEv2 +.BR strongswan.conf (5), +or explicit IKEv2 signature constraints are configured (see below), such key +types and hash algorithms are also applied as constraints against IKEv2 signature authentication schemes used by the remote side. If both peers support RFC 7427 ("Signature Authentication in IKEv2") specific hash algorithms to be used during IKEv2 authentication may be configured. -The syntax is the same as above. For example, with -.B pubkey-sha384-sha256 +The syntax is the same as above, but with ike: prefix. For example, with +.B ike:pubkey-sha384-sha256 a public key signature scheme with either SHA-384 or SHA-256 would get used for authentication, in that order and depending on the hash algorithms supported by the peer. If no specific hash algorithms are configured, the default is to prefer an algorithm that matches or exceeds the strength of the signature key. +If no constraints with ike: prefix are configured any signature scheme +constraint (without ike: prefix) will also apply to IKEv2 authentication, unless +this is disabled in +.BR strongswan.conf (5). For .BR eap , |
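Review bot: in the man/ipsec.conf.5.in hunk at -402, the documented esp default drops from `aes128-sha1,3des-sha1` to `aes128-sha256` without any note for people upgrading an existing configuration. The unchanged context line says the daemon still adds its default proposal to this value, so the page should say in one sentence that the documented default changed and that setups which relied on the old value to match a peer should set esp explicitly. The same remark applies to the ike default changed in the -466 hunk.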
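Review bot: in the man/ipsec.conf.5.in hunk at -466, the IKEv2 multi-proposal example only swaps `modp1536` for `modp3072` and still advertises `3des-sha1-md5-modp1024` as its second proposal, which contradicts the default being raised to `aes128-sha256-modp3072` two lines further down. Readers copy man page examples, so the example should show multiple algorithms and proposals using suites at least as strong as the new default, or state that the second proposal is shown for syntax only.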
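Review bot: in the man/ipsec.conf.5.in hunk at -587, the fallback rule is now stated twice, once in the amended sentence "or explicit IKEv2 signature constraints are configured (see below)" and again in the new closing paragraph "If no constraints with ike: prefix are configured any signature scheme constraint ... will also apply", and the two wordings are easy to read as different rules. Keep one statement and have the other refer to it. The literal `ike:` is also set in roman text in three places while the example uses `.B ike:pubkey-sha384-sha256`, so mark the prefix with `.B` there as well, and "but with ike: prefix" needs an article ("with an ike: prefix").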