strongSwan IPsec VPN-solution Main Inclusion Request.
1. Availability:
- In universe and Debian for some time.
2. Rationale:
- We need a supported and functional IPsec VPN solution in Ubuntu.
- At the current time, this is racoon, which hasn't been updated in quite a while:
- https://launchpad.net/ubuntu/+source/ipsec-tools
3. Security:
- No current CVEs.
- CVE reports in the past: fixed by upstream as seen in:
- https://www.strongswan.org/blog/
- But as package is in universe, no oversight from security team.
- Ships a daemon that handles connections to IPsec clients (AppArmor'ed by profile).
- Opens privileged ports 500 and 4500 (charon daemon above).
4. Quality assurance:
- Current version doesn't install any working configuration, however this can be done with debconf.
- It's simpler to do things by hand, as with openvpn.
- Upstream is active:
- Next release planned within a month: https://wiki.strongswan.org/projects/strongswan/roadmap
- Respond proactively to support queries on their ticketing system: https://wiki.strongswan.org/projects/strongswan/issues
- Release presentations from time to time: https://www.strongswan.org/documentation.html
- Build process runs test suite.
5. UI standards:
- Not applicable
6. Dependencies:
- libgmp3-dev
- libssl-dev
- libldns-dev (universe)
- libunbound-dev (universe)
- libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev
- libsoup2.4-dev
- libpcsclite-dev
- libldap2-dev
- libpam0g-dev
- libkrb5-dev
- libfcgi-dev
- clearsilver-dev (universe)
- libtspi-dev
- libxml2-dev
- libsqlite3-dev
- libmysqlclient-dev
Note that the packages in universe are not part of the core strongSwan functionality and rather are linked to binary packages that are plugins (strongswan-libfast, strongswan-plugin-medsrv, strongswan-plugin-unbound).
The building of these plugins could be disabled, but I'd rather offer our users a wide range of plugins by default - rather than have them rebuild strongSwan for functionality they may need.
7. Standards compliance:
- Shipped by Debian
- Lintian clean
- uses dh, source format 3.0 (quilt)
8. Maintenance:
- Currently maintained by a team of volunteers on Debian and Ubuntu.
- Shared git repository on git.debian.org.