summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--debian/changelog10
-rw-r--r--debian/control34
-rwxr-xr-xdebian/rules45
-rw-r--r--debian/strongswan.config50
-rw-r--r--debian/strongswan.postinst108
-rw-r--r--debian/strongswan.templates81
6 files changed, 130 insertions, 198 deletions
diff --git a/debian/changelog b/debian/changelog
index b2515cc6f..098436a8b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,11 +1,11 @@
strongswan (4.2.12-1) unstable; urgency=low
- * New upstream release
+ * New upstream release. Starting with this version, the strongswan
+ packages is modularized and includes support for plugins like the
+ NetworkManager plugin.
+ * Dropping support for raw RSA public/private keypairs, as charon does
+ not support it.
* Explicitly remove directories /etc/ipsec.d and /var/run/pluto on purge.
- * No longer mark ipsec.conf and ipsec.secrets as conffiles, as they
- are modified by postinst. Although I don't particularly like this
- method of patching DEBIAN/conffiles, I don't have a better solution
- right now. Thus take patch from Mathieu Parent.
-- Rene Mayrhofer <rmayr@debian.org> Sun, 01 Mar 2009 10:46:08 +0000
diff --git a/debian/control b/debian/control
index 90379e87e..956e19e96 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,8 @@ Section: net
Priority: optional
Maintainer: Rene Mayrhofer <rmayr@debian.org>
Standards-Version: 3.8.0
-Build-Depends: debhelper (>= 4.1.16), libtool, libgmp3-dev, libssl-dev (>= 0.9.8-1), libcurl3-dev | libcurl2-dev, libopensc2-dev | libopensc1-dev | libopensc0-dev, libldap2-dev, libpam0g-dev, libkrb5-dev, bison, flex, dpatch, bzip2, po-debconf, hardening-wrapper, network-manager-dev, libfcgi-dev, clearsilver-dev, libxml2-dev, libsqlite3-dev
+Build-Depends: debhelper (>= 7.0.0), libtool, libgmp3-dev, libssl-dev (>= 0.9.8), libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev, libopensc2-dev | libopensc1-dev | libopensc0-dev, libldap2-dev, libpam0g-dev, libkrb5-dev, bison, flex, dpatch, bzip2, po-debconf, hardening-wrapper, network-manager-dev, libfcgi-dev, clearsilver-dev, libxml2-dev, libsqlite3-dev, network-manager-dev (>= 0.7), libnm-glib-dev (>= 0.7)
+Homepage: http://www.strongswan.org
Package: strongswan
Architecture: any
@@ -14,28 +15,27 @@ Provides: ike-server
Conflicts: freeswan (<< 2.04-12), openswan
Replaces: openswan
Description: IPSec utilities for strongSwan
- IPSec is Internet Protocol SECurity. It uses strong cryptography to provide
- both authentication and encryption services. Authentication ensures that
- packets are from the right sender and have not been altered in transit.
- Encryption prevents unauthorised reading of packet contents.
- .
- This version of strongSwan supports Opportunistic Encryption (OE) out of the
- box. OE enables you to set up IPSec tunnels to a site without
- co-ordinating with the site administrator, and without hand
- configuring each tunnel. If enough sites support OE, a "FAX effect"
- occurs, and many of us can communicate without eavesdroppers.
+ strongSwan is an open source IPsec implementation for the Linux
+ operating system. It is one of the two remaining forks of the
+ original FreeS/WAN projects and focuses on IKEv2 support, X.509
+ authentication and complete PKI support. For a focus on
+ Opportunistic Encryption (OE) and interoperability with non-standard
+ IPsec features, see Openswan.
.
In addition to OE, you may manually configure secure tunnels through
untrusted networks. Everything passing through the untrusted net is
- encrypted by the IPSec gateway machine and decrypted by the gateway
+ encrypted by the IPsec gateway machine and decrypted by the gateway
at the other end. The result is Virtual Private Network or VPN. This
is a network which is effectively private even though it includes
machines at several different sites connected by the insecure Internet.
.
Please note that you will need a recent kernel (>=2.4.24 or 2.6.x)
- for using this package. The standard Debian kernel includes both IPSec
+ for using this package. The standard Debian kernel includes both IPsec
and crypto support, patching the kernel is no longer necessary!
- .
- If you want to use the KLIPS IPSec code for kernel modules instead of the
- native ones, you will need to install either openswan-modules-source or
- linux-patch-openswan and build the respective modules for your kernel.
+
+Package: network-manager-strongswan
+Architecture: any
+Depends: ${shlibs:Depends}, strongswan, network-manager (>= 0.7)
+Description: strongSwan plugin to interact with NetworkManager
+ This plugin for NetworkManager allows to configure strongSwan
+ and control the IKEv2 daemon directly through DBUS.
diff --git a/debian/rules b/debian/rules
index 618717875..5e0321a58 100755
--- a/debian/rules
+++ b/debian/rules
@@ -20,7 +20,8 @@ CONFIGUREARGS := --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--enable-openssl --enable-agent \
--enable-kernel-klips \
--disable-aes --disable-des --disable-fips-prf --disable-gmp \
- --disable-md5 --disable-sha1 --disable-sha2
+ --disable-md5 --disable-sha1 --disable-sha2 \
+ --enable-nm
# Could enable --enable-nat-transport, but this is actually insecure,
# so don't!
# And for --enable-eap-sim we would need the library, which we don't
@@ -28,20 +29,18 @@ CONFIGUREARGS := --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
DEB_BUILD_ARCH_CPU ?=$(shell dpkg-architecture -qDEB_BUILD_ARCH_CPU)
+ifeq (,$(filter noopt,$(DEB_BUILD_OPTIONS)))
+ CFLAGS += -O2
+endif
+ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
+ NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
+ MAKEFLAGS += -j$(NUMJOBS)
+endif
# the padlock plugin only makes sense on i386
-# but it actually doesn't do much, so no need to enable it
-#ifeq ($(DEB_BUILD_ARCH_CPU),i386)
-# CONFIGUREARGS += --enable-padlock
-#endif
-
-
-configure: configure-stamp
-configure-stamp: patch
- dh_testdir
- # Add here commands to configure the package.
- ./configure $(CONFIGUREARGS)
-
- touch configure-stamp
+# but it actually doesn't do much, so maybe we don't need it
+ifeq ($(DEB_BUILD_ARCH_CPU),i386)
+ CONFIGURE_ARGS += --enable-padlock
+endif
patch:
dh_testdir
@@ -51,17 +50,17 @@ unpatch:
dpatch deapply-all
build: build-stamp
-build-stamp: configure-stamp
- $(MAKE)
-
- touch build-stamp
+build-stamp: patch
+ dh_testdir
+ ./configure $(CONFIGUREARGS)
+ $(MAKE) CC="$(CC)" CFLAGS="$(CFLAGS)"
clean: unpatch
dh_testdir
dh_testroot
- rm -f build-stamp configure-stamp
+ rm -f build-stamp
- -$(MAKE) clean
+ [ ! -f Makefile ] || $(MAKE) clean
#-$(MAKE) -C programs/fswcert/ clean
# after a make clean, no binaries _should_ be left, but ....
-find $(CURDIR) -name "*.o" | xargs --no-run-if-empty rm
@@ -140,17 +139,13 @@ binary-common:
dh_installinit --name=ipsec
dh_installdebconf
dh_installchangelogs NEWS
+ dh_installdocs README
dh_link
dh_strip
dh_compress
dh_fixperms -X etc/ipsec.secrets -X etc/ipsec.d
dh_makeshlibs
dh_installdeb
-ifeq ($(DH_OPTIONS), -a)
- # /etc/ipsec.{conf,secrets} are not conffiles (#515095)
- egrep -v '^/etc/ipsec.(conf|secrets)' debian/openswan/DEBIAN/conffiles > debian/openswan/DEBIAN/conffiles.new
- mv debian/openswan/DEBIAN/conffiles.new debian/openswan/DEBIAN/conffiles
-endif
dh_shlibdeps
dh_gencontrol
dh_md5sums
diff --git a/debian/strongswan.config b/debian/strongswan.config
index 673c2dcda..eb5f2c2dd 100644
--- a/debian/strongswan.config
+++ b/debian/strongswan.config
@@ -17,39 +17,25 @@ db_go || true
db_get strongswan/create_rsa_key
if [ "$RET" = "true" ]; then
- db_input high strongswan/rsa_key_type || true
+ # create a new certificate
+ db_input medium strongswan/rsa_key_length || true
+ db_input high strongswan/x509_self_signed || true
+ # we can't allow the country code to be empty - openssl will
+ # refuse to create a certificate this way
+ countrycode=""
+ while [ -z "$countrycode" ]; do
+ db_input medium strongswan/x509_country_code || true
+ db_go || true
+ db_get strongswan/x509_country_code
+ countrycode="$RET"
+ done
+ db_input medium strongswan/x509_state_name || true
+ db_input medium strongswan/x509_locality_name || true
+ db_input medium strongswan/x509_organization_name || true
+ db_input medium strongswan/x509_organizational_unit || true
+ db_input medium strongswan/x509_common_name || true
+ db_input medium strongswan/x509_email_address || true
db_go || true
-
- db_get strongswan/rsa_key_type
- if [ "$RET" = "plain" ]; then
- # create just a plain RSA keypair
- db_input medium strongswan/rsa_key_length || true
- db_go || true
- else
- # extract the RSA keypair from a x509 certificate
- db_input high strongswan/existing_x509_certificate || true
- db_go || true
-
- # create a new certificate
- db_input medium strongswan/rsa_key_length || true
- db_input high strongswan/x509_self_signed || true
- # we can't allow the country code to be empty - openssl will
- # refuse to create a certificate this way
- countrycode=""
- while [ -z "$countrycode" ]; do
- db_input medium strongswan/x509_country_code || true
- db_go || true
- db_get strongswan/x509_country_code
- countrycode="$RET"
- done
- db_input medium strongswan/x509_state_name || true
- db_input medium strongswan/x509_locality_name || true
- db_input medium strongswan/x509_organization_name || true
- db_input medium strongswan/x509_organizational_unit || true
- db_input medium strongswan/x509_common_name || true
- db_input medium strongswan/x509_email_address || true
- db_go || true
- fi
else
db_get strongswan/existing_x509_certificate
if [ "$RET" = "true" ]; then
diff --git a/debian/strongswan.postinst b/debian/strongswan.postinst
index 7d670dd36..c63273dc2 100644
--- a/debian/strongswan.postinst
+++ b/debian/strongswan.postinst
@@ -32,14 +32,6 @@ set -e
CONF_FILE=/var/lib/strongswan/ipsec.conf.inc
SECRETS_FILE=/var/lib/strongswan/ipsec.secrets.inc
-insert_private_key() {
- cat <<EOF >> $SECRETS_FILE
-: RSA {
-$1
- }
-EOF
-}
-
insert_private_key_filename() {
if [ ! -e $SECRETS_FILE ] || ! grep -q ": RSA $1" $SECRETS_FILE; then
echo ": RSA $1" >> $SECRETS_FILE
@@ -154,67 +146,45 @@ case "$1" in
if [ "$RET" = "true" ]; then
repair_legacy_secrets
# OK, ipsec.secrets should now be correct
- db_get strongswan/rsa_key_type
- if [ "$RET" = "plain" ]; then
- # a RSA keypair should be created - check if there is one already
- if [ -e /etc/ipsec.secrets ] && egrep -q ": RSA[:space:]*" /etc/ipsec.secrets; then
- echo "Warning: there is already a RSA key in /etc/ipsec.secrets."
- echo "Creating an additional one."
- fi
- if [ -e $SECRETS_FILE ] && egrep -q ": RSA[:space:]*" $SECRETS_FILE; then
- echo "Warning: there is already a RSA key in $SECRETS_FILE."
- echo "Creating an additional one."
- fi
- # create a plain strongswan keypair
- db_get strongswan/rsa_key_length
- umask 077
- keylength=$RET
- privkey=`mktemp /tmp/ipsec-postinst.XXXXXX`
- /usr/lib/ipsec/rsasigkey $keylength > $privkey
- insert_private_key "`cat $privkey`"
- rm $privkey
- echo "Successfully created a plain strongSwan RSA keypair."
- else
- # extract the key from a (newly created) x509 certificate
- host=`hostname`
- newkeyfile="/etc/ipsec.d/private/${host}Key.pem"
- newcertfile="/etc/ipsec.d/certs/${host}Cert.pem"
- if [ -e $newcertfile -o -e $newkeyfile ]; then
- echo "Error: $newcertfile or $newkeyfile already exists."
- echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair."
- else
- # create a new certificate
- db_get strongswan/rsa_key_length
- keylength=$RET
- db_get strongswan/x509_self_signed
- selfsigned=$RET
- db_get strongswan/x509_country_code
- countrycode=$RET
- if [ -z "$countrycode" ]; then countrycode="."; fi
- db_get strongswan/x509_state_name
- statename=$RET
- if [ -z "$statename" ]; then statename="."; fi
- db_get strongswan/x509_locality_name
- localityname=$RET
- if [ -z "$localityname" ]; then localityname="."; fi
- db_get strongswan/x509_organization_name
- orgname=$RET
- if [ -z "$orgname" ]; then orgname="."; fi
- db_get strongswan/x509_organizational_unit
- orgunit=$RET
- if [ -z "$orgunit" ]; then orgunit="."; fi
- db_get strongswan/x509_common_name
- commonname=$RET
- if [ -z "$commonname" ]; then commonname="."; fi
- db_get strongswan/x509_email_address
- email=$RET
- if [ -z "$email" ]; then email="."; fi
- make_x509_cert $keylength 1500 "$newkeyfile" "$newcertfile" "$selfsigned" "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" "$commonname" "$email"
- chmod 0600 "$newkeyfile"
- umask 077
- insert_private_key_filename "$newkeyfile"
- echo "Successfully created x509 certificate."
- fi
+ # create a new keypair
+ host=`hostname`
+ newkeyfile="/etc/ipsec.d/private/${host}Key.pem"
+ newcertfile="/etc/ipsec.d/certs/${host}Cert.pem"
+ if [ -e $newcertfile -o -e $newkeyfile ]; then
+ echo "Error: $newcertfile or $newkeyfile already exists."
+ echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair."
+ else
+ # create a new certificate
+ db_get strongswan/rsa_key_length
+ keylength=$RET
+ db_get strongswan/x509_self_signed
+ selfsigned=$RET
+ db_get strongswan/x509_country_code
+ countrycode=$RET
+ if [ -z "$countrycode" ]; then countrycode="."; fi
+ db_get strongswan/x509_state_name
+ statename=$RET
+ if [ -z "$statename" ]; then statename="."; fi
+ db_get strongswan/x509_locality_name
+ localityname=$RET
+ if [ -z "$localityname" ]; then localityname="."; fi
+ db_get strongswan/x509_organization_name
+ orgname=$RET
+ if [ -z "$orgname" ]; then orgname="."; fi
+ db_get strongswan/x509_organizational_unit
+ orgunit=$RET
+ if [ -z "$orgunit" ]; then orgunit="."; fi
+ db_get strongswan/x509_common_name
+ commonname=$RET
+ if [ -z "$commonname" ]; then commonname="."; fi
+ db_get strongswan/x509_email_address
+ email=$RET
+ if [ -z "$email" ]; then email="."; fi
+ make_x509_cert $keylength 1500 "$newkeyfile" "$newcertfile" "$selfsigned" "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" "$commonname" "$email"
+ chmod 0600 "$newkeyfile"
+ umask 077
+ insert_private_key_filename "$newkeyfile"
+ echo "Successfully created x509 certificate."
fi
else
db_get strongswan/existing_x509_certificate
diff --git a/debian/strongswan.templates b/debian/strongswan.templates
index 3fac9039e..781773ac5 100644
--- a/debian/strongswan.templates
+++ b/debian/strongswan.templates
@@ -54,59 +54,41 @@ Template: strongswan/create_rsa_key
Type: boolean
Default: true
_Description: Do you want to create a RSA public/private keypair for this host?
- This installer can automatically create a RSA public/private keypair for
- this host. This keypair can be used to authenticate IPSec connections to
- other hosts and is the preferred way for building up secure IPSec
- connections. The other possibility would be to use shared secrets
- (passwords that are the same on both sides of the tunnel) for
+ This installer can automatically create a RSA public/private keypair
+ with an X.509 certificate for this host. This can be used to authenticate
+ IPSec connections to other hosts and is the preferred way for building up
+ secure IPSec connections. The other possibility would be to use pre-shared
+ secrets (PSKs, passwords that are the same on both sides of the tunnel) for
authenticating an connection, but for a larger number of connections RSA
- authentication is easier to administer and more secure.
+ authentication is easier to administer and more secure. Note that
+ having a keypair allows to use both X.509 and PSK authentication for IPsec
+ tunnels.
.
If you do not want to create a new public/private keypair, you can choose to
- use an existing one.
-
-Template: strongswan/rsa_key_type
-Type: select
-_Choices: x509, plain
-Default: x509
-_Description: The type of RSA keypair to create:
- It is possible to create a plain RSA public/private keypair for use
- with strongSwan or to create a X509 certificate file which contains the RSA
- public key and additionally stores the corresponding private key.
- .
- If you only want to build up IPSec connections to hosts also running
- strongSwan, it might be a bit easier using plain RSA keypairs. But if you
- want to connect to other IPSec implementations, you will need a X509
- certificate. It is also possible to create a X509 certificate here and
- extract the RSA public key in plain format if the other side runs
- strongSwan without X509 certificate support.
- .
- Therefore a X509 certificate is recommended since it is more flexible and
- this installer should be able to hide the complex creation of the X509
- certificate and its use in strongSwan anyway.
+ use an existing one in the next step.
Template: strongswan/existing_x509_certificate
Type: boolean
Default: false
-_Description: Do you have an existing X509 certificate file for strongSwan?
+_Description: Do you have an existing X.509 certificate file for strongSwan?
This installer can automatically extract the needed information from an
- existing X509 certificate with a matching RSA private key. Both parts can
+ existing X.509 certificate with a matching RSA private key. Both parts can
be in one file, if it is in PEM format. If you have such an existing
certificate and key file and want to use it for authenticating IPSec
connections, then please answer yes.
Template: strongswan/existing_x509_certificate_filename
Type: string
-_Description: File name of your X509 certificate in PEM format:
- Please enter the full location of the file containing your X509
+_Description: File name of your X.509 certificate in PEM format:
+ Please enter the full location of the file containing your X.509
certificate in PEM format.
Template: strongswan/existing_x509_key_filename
Type: string
-_Description: File name of your X509 private key in PEM format:
+_Description: File name of your X.509 private key in PEM format:
Please enter the full location of the file containing the private RSA key
- matching your X509 certificate in PEM format. This can be the same file
- that contains the X509 certificate.
+ matching your X.509 certificate in PEM format. This can be the same file
+ that contains the X.509 certificate.
Template: strongswan/rsa_key_length
Type: string
@@ -120,14 +102,14 @@ _Description: The length of the created RSA key (in bits):
Template: strongswan/x509_self_signed
Type: boolean
Default: true
-_Description: Do you want to create a self-signed X509 certificate?
- This installer can only create self-signed X509 certificates
+_Description: Do you want to create a self-signed X.509 certificate?
+ This installer can only create self-signed X.509 certificates
automatically, because otherwise a certificate authority is needed to sign
the certificate request. If you want to create a self-signed certificate,
you can use it immediately to connect to other IPSec hosts that support
- X509 certificate for authentication of IPSec connections. However, if you
+ X.509 certificate for authentication of IPSec connections. However, if you
want to use the new PKI features of strongSwan >= 1.91, you will need to
- have all X509 certificates signed by a single certificate authority to
+ have all X.509 certificates signed by a single certificate authority to
create a trust path.
.
If you do not want to create a self-signed certificate, then this
@@ -138,7 +120,7 @@ _Description: Do you want to create a self-signed X509 certificate?
Template: strongswan/x509_country_code
Type: string
Default: AT
-_Description: Country code for the X509 certificate request:
+_Description: Country code for the X.509 certificate request:
Please enter the 2 letter country code for your country. This code will be
placed in the certificate request.
.
@@ -151,7 +133,7 @@ _Description: Country code for the X509 certificate request:
Template: strongswan/x509_state_name
Type: string
Default:
-_Description: State or province name for the X509 certificate request:
+_Description: State or province name for the X.509 certificate request:
Please enter the full name of the state or province you live in. This name
will be placed in the certificate request.
.
@@ -160,7 +142,7 @@ _Description: State or province name for the X509 certificate request:
Template: strongswan/x509_locality_name
Type: string
Default:
-_Description: Locality name for the X509 certificate request:
+_Description: Locality name for the X.509 certificate request:
Please enter the locality (e.g. city) where you live. This name will be
placed in the certificate request.
.
@@ -169,8 +151,8 @@ _Description: Locality name for the X509 certificate request:
Template: strongswan/x509_organization_name
Type: string
Default:
-_Description: Organization name for the X509 certificate request:
- Please enter the organization (e.g. company) that the X509 certificate
+_Description: Organization name for the X.509 certificate request:
+ Please enter the organization (e.g. company) that the X.509 certificate
should be created for. This name will be placed in the certificate
request.
.
@@ -179,8 +161,8 @@ _Description: Organization name for the X509 certificate request:
Template: strongswan/x509_organizational_unit
Type: string
Default:
-_Description: Organizational unit for the X509 certificate request:
- Please enter the organizational unit (e.g. section) that the X509
+_Description: Organizational unit for the X.509 certificate request:
+ Please enter the organizational unit (e.g. section) that the X.509
certificate should be created for. This name will be placed in the
certificate request.
.
@@ -189,9 +171,9 @@ _Description: Organizational unit for the X509 certificate request:
Template: strongswan/x509_common_name
Type: string
Default:
-_Description: Common name for the X509 certificate request:
+_Description: Common name for the X.509 certificate request:
Please enter the common name (e.g. the host name of this machine) for
- which the X509 certificate should be created for. This name will be placed
+ which the X.509 certificate should be created for. This name will be placed
in the certificate request.
.
Example: gateway.debian.org
@@ -199,9 +181,9 @@ _Description: Common name for the X509 certificate request:
Template: strongswan/x509_email_address
Type: string
Default:
-_Description: Email address for the X509 certificate request:
+_Description: Email address for the X.509 certificate request:
Please enter the email address of the person or organization who is
- responsible for the X509 certificate, This address will be placed in the
+ responsible for the X.509 certificate. This address will be placed in the
certificate request.
Template: strongswan/enable-oe
@@ -218,4 +200,3 @@ _Description: Do you wish to enable opportunistic encryption in strongSwan?
.
Please choose whether you want to enable support for OE. If unsure, do not
enable it.
-