Overview Repositories Revisions Requests Users Attributes Meta

OpenSource IPsec-based VPN Solution

Edit Package strongswan

StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

* runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec) kernels
* implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
* Fully tested support of IPv6 IPsec tunnel and transport connections
* Dynamical IP address and interface update with IKEv2 MOBIKE (RFC 4555)
* Automatic insertion and deletion of IPsec-policy-based firewall rules
* Strong 128/192/256 bit AES or Camellia encryption, 3DES support
* NAT-Traversal via UDP encapsulation and port floating (RFC 3947)
* Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
* Static virtual IPs and IKEv1 ModeConfig pull and push modes
* XAUTH server and client functionality on top of IKEv1 Main Mode authentication
* Virtual IP address pool managed by IKE daemon or SQL database
* Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
* Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
* Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
* Authentication based on X.509 certificates or preshared keys
* Generation of a default self-signed certificate during first strongSwan startup
* Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
* Full support of the Online Certificate Status Protocol (OCSP, RCF 2560).
* CA management (OCSP and CRL URIs, default LDAP server)
* Powerful IPsec policies based on wildcards or intermediate CAs
* Group policies based on X.509 attribute certificates (RFC 3281)
* Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface)
* Modular plugins for crypto algorithms and relational database interfaces
* Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
* Optional built-in integrity and crypto tests for plugins and libraries
* Smooth Linux desktop integration via the strongSwan NetworkManager applet

This package triggers the installation of both, IKEv1 and IKEv2 daemons.

  • Developed at network:vpn
  • Sources inherited from project openSUSE:Factory
  • 5 derived packages
  • Download package
  • osc -A https://api.opensuse.org checkout openSUSE:Backports:SLE-15-SP4:FactoryCandidates/strongswan && cd $_
  • Create Badge
Refresh
Refresh
Source Files
Filename Size Changed
README.SUSE 0000001228 1.2 KB
strongswan-5.0.4-rpmlintrc 0000000428 428 Bytes
strongswan-5.0.4.tar.bz2 0003412930 3.25 MB
strongswan-5.0.4.tar.bz2.sig 0000000665 665 Bytes
strongswan.changes 0000052019 50.8 KB
strongswan.init.in 0000008747 8.54 KB
strongswan.keyring 0000003085 3.01 KB
strongswan.spec 0000018569 18.1 KB
strongswan_ipsec_service.patch 0000000198 198 Bytes
strongswan_modprobe_syslog.patch 0000001869 1.83 KB
Revision 50 (latest revision is 96)
Stephan Kulow's avatar Stephan Kulow (coolo) accepted request 173989 from Marius Tomaschewski's avatar Marius Tomaschewski (mtomaschewski) (revision 50) 
- Updated to strongSwan 5.0.4 release (bnc#815236, CVE-2013-2944):
  - Fixed a security vulnerability in the openssl plugin which was
    reported by Kevin Wojtysiak.  The vulnerability has been registered
    as CVE-2013-2944. Before the fix, if the openssl plugin's ECDSA
    signature verification was used, due to a misinterpretation of the
    error code returned by the OpenSSL ECDSA_verify() function, an empty
    or zeroed signature was accepted as a legitimate one. Refer to our
    blog for details.
  - The handling of a couple of other non-security relevant OpenSSL
    return codes was fixed as well.
  - The tnc_ifmap plugin now publishes virtual IPv4 and IPv6 addresses
    via its TCG TNC IF-MAP 2.1 interface.
  - The charon.initiator_only strongswan.conf option causes charon to
    ignore IKE initiation requests.
  - The openssl plugin can now use the openssl-fips library.
  The version 5.0.3 provides new ipseckey plugin, enabling authentication
  based on trustworthy public keys stored as IPSECKEY resource records in
  the DNS and protected by DNSSEC and new openssl plugin using the AES-NI
  accelerated version of AES-GCM if the hardware supports it.
  See http://wiki.strongswan.org/projects/strongswan/wiki/Changelog50
  for a list of all changes since the 5.0.1 release.
Comments 0
openSUSE Build Service is sponsored by
Places