[MIR] strongSwan
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ldns (Ubuntu) | Fix Released | Undecided | Unassigned |
strongswan (Ubuntu) | Fix Released | Undecided | Unassigned |
unbound (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
strongSwan IPsec VPN-solution Main Inclusion Report.
1. Availability:
- In universe and Debian for some time.
2. Rationale:
- We need a supported and functional IPsec VPN solution in Ubuntu.
- At the current time, this is racoon, which hasn't been updated in quite a while:
- https:/
3. Security:
- No current CVEs.
- CVE reports in the past: fixed by upstream as seen in:
- https:/
- But as the package is in universe, there is no oversight from the security team.
- Ships a daemon that handles connections to IPsec clients (AppArmor'ed by profile).
- Opens privileged ports 500 and 4500 (charon daemon above).
4. Quality assurance:
- Current version doesn't install any working configuration, however this can be done with debconf.
- It's simpler to do things by hand, as with openvpn.
- Upstream is active:
- Next release planned within a month: https:/
- Respond proactively to support queries on their ticketing system: https:/
- Release presentations from time to time: https:/
- Build process runs test suite.
- Upstream runs a test suite across all configuration scenarios: https:/
- Daily builds for Ubuntu here: https:/
5. UI standards:
- Not applicable
6. Dependencies:
- libgmp3-dev
- libssl-dev
- libldns-dev (universe)
- libunbound-dev (universe)
- libcurl4-
- libsoup2.4-dev
- libpcsclite-dev
- libldap2-dev
- libpam0g-dev
- libkrb5-dev
- libtspi-dev
- libxml2-dev
- libsqlite3-dev
- libmysqlclient-dev
Note that the packages in universe are not part of the core strongSwan functionality and rather are linked to binary packages that are plugins (strongswan-
The building of these plugins could be disabled, but I'd rather offer our users a wide range of plugins by default - rather than have them rebuild strongSwan for functionality they may need.
7. Standards compliance:
- Shipped by Debian
- Lintian clean
- uses dh, source format 3.0 (quilt)
8. Maintenance:
- Currently maintained by a team of volunteers on Debian and Ubuntu.
- Shared git repository on git.debian.org.
description: updated
Changed in strongswan (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in strongswan (Ubuntu):
status: Incomplete → Confirmed
no longer affects: network-manager-strongswan (Ubuntu)
I understand that the powerpc build currently fails with the developer release package of 5.1.2:
- https://launchpad.net/ubuntu/+source/strongswan/5.1.2~dr2-0ubuntu3/+build/5406595
This functioned fine on 5.1.1: https://launchpad.net/ubuntu/+source/strongswan/5.1.1-0ubuntu17
Upstream improved their test coverage between the releases. I have forwarded this issue upstream:
- https://wiki.strongswan.org/issues/478
- https://wiki.strongswan.org/issues/479
And I'm awaiting access to a powerpc box so I can debug this myself.
My plan for 14.04 is to ship 5.1.2 final, and if not available on time, revert to 5.1.1.