kernel-libipsec not loading

Bug #1309594 reported by Tony Zhou
This bug affects 6 people

Affects: strongswan (Ubuntu)
    Status: Fix Released    Importance: Medium    Assigned to: Jonathan Davies
Affects: strongswan (Ubuntu Trusty)
    Status: Won't Fix    Importance: Undecided    Assigned to: Unassigned

Bug Description

Hi,

I'm running Ubuntu 14.04 and installed Strongswan 5.1.2 with strongswan-plugin-kernel-libipsec. The problem is that the plugin kernel-libipsec is not loading even if /etc/strongswan.d/charon/kernel-libipsec.conf has the option "load = yes" set. Also in syslog it seems that strongswan is not even looking for that plugin.

Here's the log:

Apr 18 11:20:54 vpn charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-24-generic, i686)
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'test-vectors': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'aes': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'rc2': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'sha1': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'sha2': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'md4': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'md5': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'random': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'nonce': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'x509': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'revocation': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'constraints': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'pkcs1': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'pkcs7': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'pkcs8': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'pkcs12': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'pem': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] Padlock not found, CPU is GenuineIntel
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'padlock': failed to load - padlock_plugin_create returned NULL
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'openssl': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'xcbc': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'cmac': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'hmac': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'ctr': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'ccm': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'gcm': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'attr': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'kernel-netlink': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'resolve': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'socket-default': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'stroke': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'updown': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'eap-identity': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'eap-radius': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'eap-ttls': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'xauth-eap': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] plugin 'addrblock': loaded successfully
Apr 18 11:20:54 vpn charon: 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
Apr 18 11:20:54 vpn charon: 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet dependency: PRIVKEY:DSA
Apr 18 11:20:54 vpn charon: 00[LIB] feature CERT_DECODE:PGP in plugin 'pem' has unmet dependency: CERT_DECODE:PGP
Apr 18 11:20:54 vpn charon: 00[LIB] feature CERT_DECODE:X509_OCSP_REQUEST in plugin 'pem' has unmet dependency: CERT_DECODE:X509_OCSP_REQUEST
Apr 18 11:20:54 vpn charon: 00[LIB] feature CERT_DECODE:TRUSTED_PUBKEY in plugin 'pem' has unmet dependency: CERT_DECODE:TRUSTED_PUBKEY
Apr 18 11:20:54 vpn charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Apr 18 11:20:54 vpn charon: 00[CFG] loaded ca certificate "C=, O=, CN=" from '/etc/ipsec.d/cacerts/caCert.pem'
Apr 18 11:20:54 vpn charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Apr 18 11:20:54 vpn charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Apr 18 11:20:54 vpn charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Apr 18 11:20:54 vpn charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Apr 18 11:20:54 vpn charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Apr 18 11:20:54 vpn charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/serverKey.pem'
Apr 18 11:20:54 vpn charon: 00[CFG] loaded IKE secret for %any
Apr 18 11:20:54 vpn charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity eap-radius eap-ttls xauth-eap addrblock
Apr 18 11:20:54 vpn charon: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
Apr 18 11:20:54 vpn charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Apr 18 11:20:54 vpn charon: 00[JOB] spawning 16 worker threads
Apr 18 11:20:54 vpn charon: 07[LIB] created thread 07 [17798]
Apr 18 11:20:54 vpn charon: 08[LIB] created thread 08 [17799]
Apr 18 11:20:54 vpn charon: 09[LIB] created thread 09 [17800]
Apr 18 11:20:54 vpn charon: 10[LIB] created thread 10 [17801]
Apr 18 11:20:54 vpn charon: 11[LIB] created thread 11 [17802]
Apr 18 11:20:54 vpn charon: 12[LIB] created thread 12 [17803]
Apr 18 11:20:54 vpn charon: 13[LIB] created thread 13 [17804]
Apr 18 11:20:54 vpn charon: 15[LIB] created thread 15 [17806]
Apr 18 11:20:54 vpn charon: 14[LIB] created thread 14 [17805]
Apr 18 11:20:54 vpn charon: 16[LIB] created thread 16 [17807]
Apr 18 11:20:54 vpn charon: 06[LIB] created thread 06 [17797]
Apr 18 11:20:54 vpn charon: 05[LIB] created thread 05 [17796]
Apr 18 11:20:54 vpn charon: 04[LIB] created thread 04 [17795]
Apr 18 11:20:54 vpn charon: 03[LIB] created thread 03 [17794]
Apr 18 11:20:54 vpn charon: 02[LIB] created thread 02 [17793]
Apr 18 11:20:54 vpn charon: 01[LIB] created thread 01 [17792]

Thanks,
TZ

Tags: patch
Jonathan Davies (jpds) wrote :
Jonathan Davies (jpds)
Changed in strongswan (Ubuntu):
status: New → Confirmed
Tony Zhou (ttzforj) wrote :

Personally, I doubt if it is an upstream problem, since I previously compiled the source code from strongswan.org and that can load kernel-libipsec properly...

Martin Willi (martinwilli) wrote :

AFAICS, kernel-libipsec is not part of the Ubuntu strongSwan package, hence it can't be enabled.

Not sure if there are that many use cases for kernel-libipsec on a standard Linux distribution to justify its inclusion; kernel-netlink is preferable in >95% of use cases.

Regards
Martin

Tobias Brunner (tobias-strongswan) wrote :

While debian/strongswan-plugin-kernel-libipsec.install lists usr/lib/ipsec/plugins/libstrongswan-kernel-libipsec.so the strongswan-plugin-kernel-libipsec package does not actually include that file.

The reason for this is how dh_install is called in debian/rules, due to the -Xlibstrongswan-kernel option all kernel plugins are excluded from the packages. The kernel-netlink/pfroute/pfkey plugins are added manually to the libstrongswan package depending on the target platform (i.e. FreeBSD vs. Linux). I suppose something similar could be done to add the kernel-libipsec plugin to the plugin-kernel-libipsec package.
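
Tobias's explanation points at three separate places a charon plugin can go missing: the .so is not shipped in the package (the case here), the per-plugin strongswan.d file does not enable it, or charon refuses to load it. The following diagnostic script is an added example and is not part of this bug report, the Ubuntu packaging or strongSwan itself. The default paths (/usr/lib/ipsec/plugins, /etc/strongswan.d/charon, /var/log/syslog) are the Ubuntu locations named on this page; the verdict strings and function names are my own, and every check takes explicit paths so it can be run against constructed files.

```sh
#!/bin/sh
# Added example, not from the bug thread or the strongSwan/Ubuntu packaging.
# Three checks, one per way a plugin fails to show up in charon's
# "loaded plugins:" line:
#   1. the shared object is absent from the plugin directory (packaging bug),
#   2. strongswan.d/charon/<plugin>.conf does not set "load = yes",
#   3. charon started but did not list the plugin.

# Is the shared object on disk?  Usage: plugin_file_present <plugin_dir> <plugin>
plugin_file_present() {
    [ -f "$1/libstrongswan-$2.so" ]
}

# Does the per-plugin config enable it?  strongswan.conf syntax puts
# "load = yes" (or an integer priority) inside a "<plugin> { ... }" block;
# commented-out lines starting with '#' are ignored, the last "load =" wins.
# Usage: plugin_load_enabled <conf_file>
plugin_load_enabled() {
    [ -f "$1" ] || return 1
    sed -n 's/^[[:space:]]*load[[:space:]]*=[[:space:]]*\([A-Za-z0-9]*\).*/\1/p' "$1" \
        | tail -n 1 | grep -Eqx 'yes|[0-9]+'
}

# Did charon actually load it?  Parses the last "[LIB] loaded plugins:" line
# of a syslog-style file (the format seen in the log above).
# Usage: plugin_loaded_in_log <log_file> <plugin>
plugin_loaded_in_log() {
    sed -n 's/.*\[LIB\] loaded plugins: //p' "$1" | tail -n 1 \
        | tr ' ' '\n' | grep -qx "$2"
}

# Combine the checks into one verdict word (my own vocabulary, not charon's).
# Usage: diagnose_plugin <plugin_dir> <conf_file> <log_file> <plugin>
diagnose_plugin() {
    if ! plugin_file_present "$1" "$4"; then
        echo "missing-file"     # the package did not ship the .so, as in this bug
    elif ! plugin_load_enabled "$2"; then
        echo "not-enabled"      # load = yes absent, commented out, or set to no
    elif ! plugin_loaded_in_log "$3" "$4"; then
        echo "not-loaded"       # present and enabled, yet charon did not list it
    else
        echo "ok"
    fi
}

# Stand-alone use against the live system:  sh diag.sh --check [plugin]
if [ "${1:-}" = "--check" ]; then
    plugin=${2:-kernel-libipsec}
    diagnose_plugin /usr/lib/ipsec/plugins \
        "/etc/strongswan.d/charon/$plugin.conf" /var/log/syslog "$plugin"
fi
```

On the reporter's system this returns "missing-file" for kernel-libipsec and "ok" for kernel-netlink, which is exactly the split Tobias describes: dpkg -L strongswan-plugin-kernel-libipsec would show no .so even though the .install file names one.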

Tony Zhou (ttzforj) wrote :

Hi Martin,

strongswan-plugin-kernel-libipsec does provide the plugin (or supposedly) in Ubuntu 14.04.

There are two reasons (or at least mine) to use kernel-libipsec: one is that kernel-libipsec provides a separate interface so that filtering/inspecting the packets is easier with iptables, and the second is that on OpenVZ-based platforms, kernel-libipsec is necessary to make both L2TP/IPSec and IKEv1 work properly simultaneously (although for the L2TP case tunnel mode must be used). I have tested that kernel-netlink alone will fail to forward the packets between the gateway and IKEv1 clients.

Best,
TZ

Jonathan Davies (jpds)
Changed in strongswan (Ubuntu):
status: Confirmed → In Progress
importance: Undecided → Medium
assignee: nobody → Jonathan Davies (jpds)
Simon Déziel (sdeziel) wrote :

@ttzforj, I understand the need for a userspace implementation when using OpenVZ (LXC too?) but for iptables, are you aware of the policy module? I find it very useful and relatively easy to use:

  # Allow only SSH when over IPsec
  iptables -A INPUT -p tcp --dport 22 -m policy --dir in --pol ipsec -j ACCEPT
  iptables -A INPUT -p tcp --dport 22 -j REJECT

Regards,
Simon
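
Simon's two rules are the core of the policy-match approach, and a practitioner deploying them needs two more things: the IKE (UDP 500/4500) and ESP packets must be allowed in the clear, because they are not themselves IPsec-protected and the policy match never sees them; and the match only works with the kernel-netlink backend, since it relies on the kernel's XFRM policies. With kernel-libipsec the ESP processing happens in userspace and the decrypted packets re-enter the stack through a TUN device, so there is no XFRM policy to match and the interface is the filtering handle (which is the "separate interface" advantage Tony mentions). The script below is an added example and not Simon's, Tony's or strongSwan's code; the TUN name ipsec0 is an assumption (it is configurable), and the function names are my own.

```sh
#!/bin/sh
# Added example, not from the bug thread.  Emits an iptables-restore ruleset
# that admits SSH only when it arrived through IPsec, for either backend.
# Assumptions: the kernel-libipsec TUN device is named ipsec0 (configurable),
# IKE uses UDP 500 and 4500 (NAT-T), ESP is IP protocol 50.
#
# Usage: ssh_over_ipsec_rules xfrm|tun [tun_ifname]
ssh_over_ipsec_rules() {
    backend=$1
    tun=${2:-ipsec0}
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# IKE and ESP arrive unprotected; without these no tunnel can be negotiated,
# and "-m policy --pol ipsec" never matches them because they are not
# decapsulated payload.
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
EOF
    case $backend in
    xfrm)
        # kernel-netlink: the kernel decrypts ESP and holds the XFRM policy,
        # so the policy match distinguishes decapsulated from plaintext SSH.
        cat <<'EOF'
-A INPUT -p tcp --dport 22 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
EOF
        ;;
    tun)
        # kernel-libipsec: charon decrypts in userspace and writes plaintext
        # into the TUN device, so the kernel sees it as ingress on that
        # interface and has no XFRM state for it; match the interface instead.
        cat <<EOF
-A INPUT -i $tun -p tcp --dport 22 -j ACCEPT
EOF
        ;;
    *)
        echo "unknown backend: $backend (want xfrm or tun)" >&2
        return 2
        ;;
    esac
    cat <<'EOF'
# Plaintext SSH from anywhere else is refused.
-A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Syntax-check the generated set without touching the live tables
# (needs root and iptables; returns 3 if iptables-restore is not installed).
lint_rules() {
    command -v iptables-restore >/dev/null 2>&1 || return 3
    ssh_over_ipsec_rules "$@" | iptables-restore --test
}

# Number of rules that ACCEPT port 22; exactly one per backend, everything
# else on 22 falls through to the REJECT.
ssh_gate_rule_count() {
    ssh_over_ipsec_rules "$@" | grep -c -- '--dport 22 .*-j ACCEPT'
}
```

Apply with `ssh_over_ipsec_rules xfrm | iptables-restore` on a kernel-netlink host, or `ssh_over_ipsec_rules tun ipsec0` on a kernel-libipsec one; `lint_rules` first catches typos before they lock you out. The `--proto esp` qualifier on the policy match is a small hardening: it refuses packets that only passed through AH or IPcomp rather than an encrypting SA.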

Tony Zhou (ttzforj) wrote :

Hello Simon,

Yes, I know the policy module. However I think on OpenVZ, strongswan is unable to forward ipsec traffic to the proper interface, which I believe is an upstream problem: https://wiki.strongswan.org/issues/592

Thanks,
TZ

Simon Déziel (sdeziel) wrote : Re: [Bug 1309594] Re: kernel-libipsec not loading

Hi Tony

On 09/18/2014 11:28 AM, Tony Zhou wrote:
> However I think on OpenVZ, strongswan is unable to forward ipsec
> traffic to proper interface, which I believe it is an upstream
> problem: https://wiki.strongswan.org/issues/592

This is getting off-topic but I only ever tried to run IPsec in the HW
node context and protect traffic for the VEs. This required disabling
this in the *VE*: sysctl net.ipv4.conf.venet0.disable_policy=1

HTH,
Simon

Richard Laager (rlaager) wrote :
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "A patch to fix the kernel-libipsec plugin packaging." seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Janis Jansons (janhouse) wrote :

I wonder why this is not fixed in official Ubuntu repos yet.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package strongswan - 5.3.5-1ubuntu1

---------------
strongswan (5.3.5-1ubuntu1) xenial; urgency=medium

  * debian/{rules,control,libstrongswan-extra-plugins.install}
    Enable bliss plugin
  * debian/{rules,control,libstrongswan-extra-plugins.install}
    Enable chapoly plugin
  * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
    Upstream suggests to not load this plugin by default as it has
    some limitations.
    https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
  * debian/patches/increase-bliss-test-timeout.patch
    Under QEMU/KVM for autopkgtest the bliss test takes a bit longer than the default
  * Update Apparmor profiles
    - usr.lib.ipsec.charon
      - add capability audit_write for xauth-pam (LP: #1470277)
      - add capability dac_override (needed by agent plugin)
      - allow priv dropping (LP: #1333655)
      - allow caching CRLs (LP: #1505222)
      - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594)
    - usr.lib.ipsec.stroke
      - allow priv dropping (LP: #1333655)
      - add local include
    - usr.lib.ipsec.lookip
      - add local include
  * Merge from Debian, which includes fixes for all previous CVEs
    Fixes (LP: #1330504, #1451091, #1448870, #1470277)
    Remaining changes:
      * debian/control
        - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
        - Update Maintainer for Ubuntu
        - Add build-deps
          - dh-apparmor
          - iptables-dev
          - libjson0-dev
          - libldns-dev
          - libmysqlclient-dev
          - libpcsclite-dev
          - libsoup2.4-dev
          - libtspi-dev
          - libunbound-dev
        - Drop build-deps
          - libfcgi-dev
          - clearsilver-dev
        - Create virtual packages for all strongswan-plugin-* for dist-upgrade
        - Set XS-Testsuite: autopkgtest
      * debian/rules:
        - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
        - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
          tests.
        - Change init/systemd program name to strongswan
        - Install AppArmor profiles
        - Removed pieces on 'patching ipsec.conf' on build.
        - Enablement of features per Ubuntu current config suggested from
          upstream recommendation
        - Unpack and sort enabled features to one-per-line
        - Disable duplicheck as per
          https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
        - Disable libfast (--disable-fast):
          Requires dropping medsrv, medcli plugins which depend on libfast
        - Add configure options
          --with-tss=trousers
        - Remove configure options:
          --enable-ha (requires special kernel)
          --enable-unit-test (unit tests run by default)
        - Drop logcheck install
      * debian/tests/*
        - Add DEP8 test for strongswan service and plugins
      * debian/strongswan-starter.strongswan.service
        - Add new systemd file instead of patching upstream
      * debian/strongswan-starter.links
        - removed, use Ubuntu systemd file instead of linking to upstream
      * debia...

Changed in strongswan (Ubuntu):
status: In Progress → Fix Released
Christian Thiemann (thiemann) wrote :

Not fixed in Ubuntu 14.04, still need to compile from strongswan source package with the patch from comment #9.

Robie Basak (racb) wrote :

This seems unlikely to be fixed in Trusty now. If someone wants to drive this (prepare a minimal backport, etc), then please comment and reopen.

Changed in strongswan (Ubuntu Trusty):
status: New → Won't Fix