Overview Repositories Revisions Requests Users Attributes Meta

OpenSource IPsec-based VPN Solution

Edit Package strongswan

StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

* runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec) kernels
* implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
* Fully tested support of IPv6 IPsec tunnel and transport connections
* Dynamical IP address and interface update with IKEv2 MOBIKE (RFC 4555)
* Automatic insertion and deletion of IPsec-policy-based firewall rules
* Strong 128/192/256 bit AES or Camellia encryption, 3DES support
* NAT-Traversal via UDP encapsulation and port floating (RFC 3947)
* Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
* Static virtual IPs and IKEv1 ModeConfig pull and push modes
* XAUTH server and client functionality on top of IKEv1 Main Mode authentication
* Virtual IP address pool managed by IKE daemon or SQL database
* Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
* Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
* Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
* Authentication based on X.509 certificates or preshared keys
* Generation of a default self-signed certificate during first strongSwan startup
* Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
* Full support of the Online Certificate Status Protocol (OCSP, RCF 2560).
* CA management (OCSP and CRL URIs, default LDAP server)
* Powerful IPsec policies based on wildcards or intermediate CAs
* Group policies based on X.509 attribute certificates (RFC 3281)
* Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface)
* Modular plugins for crypto algorithms and relational database interfaces
* Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
* Optional built-in integrity and crypto tests for plugins and libraries
* Smooth Linux desktop integration via the strongSwan NetworkManager applet

This package triggers the installation of both, IKEv1 and IKEv2 daemons.

  • Developed at network:vpn
  • Sources inherited from project openSUSE:Factory
  • 5 derived packages
  • Download package
  • osc -A https://api.opensuse.org checkout openSUSE:Backports:SLE-15-SP4:FactoryCandidates/strongswan && cd $_
  • Create Badge
Refresh
Refresh
Source Files
Filename Size Changed
README.SUSE 0000001228 1.2 KB
strongswan-5.1.1-rpmlintrc 0000000428 428 Bytes
strongswan-5.1.1.tar.bz2 0003673200 3.5 MB
strongswan-5.1.1.tar.bz2.sig 0000000665 665 Bytes
strongswan.changes 0000060271 58.9 KB
strongswan.init.in 0000008747 8.54 KB
strongswan.keyring 0000003085 3.01 KB
strongswan.spec 0000018826 18.4 KB
strongswan_ipsec_service.patch 0000000198 198 Bytes
strongswan_modprobe_syslog.patch 0000001869 1.83 KB
Revision 53 (latest revision is 96)
Tomáš Chvátal's avatar Tomáš Chvátal (scarabeus_factory) accepted request 205541 from Marius Tomaschewski's avatar Marius Tomaschewski (mtomaschewski) (revision 53) 
- Updated to strongSwan 5.1.1 minor release addressing two security
  fixes (bnc#847506,CVE-2013-6075, bnc#847509,CVE-2013-6076):
  - Fixed a denial-of-service vulnerability and potential authorization
    bypass triggered by a crafted ID_DER_ASN1_DN ID payload. The cause
    is an insufficient length check when comparing such identities. The
    vulnerability has been registered as CVE-2013-6075.
  - Fixed a denial-of-service vulnerability triggered by a crafted IKEv1
    fragmentation payload. The cause is a NULL pointer dereference. The
    vulnerability has been registered as CVE-2013-6076.
  - The lean stand-alone pt-tls-client can set up a RFC 6876 PT-TLS
    session with a strongSwan policy enforcement point which uses the
    tnc-pdp charon plugin.
  - The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests
    for either full SWID Tag or concise SWID Tag ID inventories.
  - The XAuth backend in eap-radius now supports multiple XAuth
    exchanges for different credential types and display messages.
    All user input gets concatenated and verified with a single
    User-Password RADIUS attribute on the AAA. With an AAA supporting
    it, one for example can implement Password+Token authentication with
    proper dialogs on iOS and OS X clients.  - charon supports IKEv1 Mode
    Config exchange in push mode. The ipsec.conf modeconfig=push option
    enables it for both client and server, the same way as pluto used it.
  - Using the "ah" ipsec.conf keyword on both IKEv1 and IKEv2
    connections, charon can negotiate and install Security Associations
    integrity-protected by the Authentication Header protocol. Supported
    are plain AH(+IPComp) SAs only, but not the deprecated RFC2401 style
    ESP+AH bundles.
  [...]
- Adjusted file lists: this version installs the pki utility and manuals
  in common /usr directories and additional ipsec/pt-tls-client helper.
Comments 0
openSUSE Build Service is sponsored by
Places