OpenSource IPsec-based VPN Solution

StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

* runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec) kernels
* implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
* Fully tested support of IPv6 IPsec tunnel and transport connections
* Dynamic IP address and interface update with IKEv2 MOBIKE (RFC 4555)
* Automatic insertion and deletion of IPsec-policy-based firewall rules
* Strong 128/192/256 bit AES or Camellia encryption, 3DES support
* NAT-Traversal via UDP encapsulation and port floating (RFC 3947)
* Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
* Static virtual IPs and IKEv1 ModeConfig pull and push modes
* XAUTH server and client functionality on top of IKEv1 Main Mode authentication
* Virtual IP address pool managed by IKE daemon or SQL database
* Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
* Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
* Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
* Authentication based on X.509 certificates or preshared keys
* Generation of a default self-signed certificate during first strongSwan startup
* Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
* Full support of the Online Certificate Status Protocol (OCSP, RFC 2560).
* CA management (OCSP and CRL URIs, default LDAP server)
* Powerful IPsec policies based on wildcards or intermediate CAs
* Group policies based on X.509 attribute certificates (RFC 3281)
* Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface)
* Modular plugins for crypto algorithms and relational database interfaces
* Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
* Optional built-in integrity and crypto tests for plugins and libraries
* Smooth Linux desktop integration via the strongSwan NetworkManager applet

This package triggers the installation of both the IKEv1 and IKEv2 daemons.

Source Files

| Filename | Size (bytes) | Size |
|---|---|---|
| 0001-restore-registration-algorithm-order.bug897512.patch | 11815 | 11.5 KB |
| README.SUSE | 2342 | 2.29 KB |
| fips-enforce.conf | 742 | 742 Bytes |
| fipscheck.sh.in | 1934 | 1.89 KB |
| strongswan-5.1.3-rpmlintrc | 428 | 428 Bytes |
| strongswan-5.1.3.tar.bz2 | 3807212 | 3.63 MB |
| strongswan-5.1.3.tar.bz2.sig | 665 | 665 Bytes |
| strongswan.changes | 67209 | 65.6 KB |
| strongswan.init.in | 8747 | 8.54 KB |
| strongswan.keyring | 3085 | 3.01 KB |
| strongswan.spec | 38608 | 37.7 KB |
| strongswan_fipscheck.patch | 1909 | 1.86 KB |
| strongswan_fipsfilter.patch | 7798 | 7.62 KB |
| strongswan_ipsec_service.patch | 198 | 198 Bytes |
| strongswan_modprobe_syslog.patch | 1869 | 1.83 KB |

Revision 58 (latest revision is 96)
Dominique Leuenberger (dimstar_suse) accepted request 262968 from Marius Tomaschewski (mtomaschewski) (revision 58)
- Updated strongswan-hmac package description (bsc#856322).

- Disabled explicit gpg validation; osc source_validator does it.
- Guarded fipscheck and hmac package in the spec file for >13.1.

- Added generation of fips hmac hash files using fipshmac utility
  and a _fipscheck script to verify binaries/libraries/plugins
  shipped in the strongswan-hmac package.
  With enabled fips in the kernel, the ipsec script will call it
  before any action or in an enforced/manual "ipsec _fipscheck" call.
  Added config file to load openssl and kernel af-alg plugins, but
  not all the other modules which provide further/alternative algs.
  Applied a filter disallowing non-approved algorithms in fips mode.
  (fate#316931,bnc#856322).
  [+ strongswan_fipscheck.patch, strongswan_fipsfilter.patch]
- Fixed file list in the optional (disabled) strongswan-test package.
- Fixed build of the strongswan built-in integrity checksum library
  and enabled building it only on architectures tested to work.
- Fix to use bug number 897048 instead of 856322 in last changes entry.
- Applied an upstream patch reverting to store algorithms in the
  registration order again as ordering them by identifier caused
  weaker algorithms to be proposed first by default (bsc#897512).
  [+0001-restore-registration-algorithm-order.bug897512.patch]

- Re-enabled gcrypt plugin and reverted to not enforce fips again
  as this breaks gcrypt and openssl plugins when the fips pattern
  option is not installed (fate#316931,bnc#856322).
  [- strongswan-fips-disablegcrypt.patch]
- Added empty strongswan-hmac package supposed to provide fips hmac
  files and enforce fips compliant operation later (bnc#856322).