please evaluate enabling more plugins to make strongswan more useful

Bug #1640826 reported by Christian Ehrhardt 
This bug affects 2 people
Affects: strongswan (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

Based on a discussion I had related to the zesty merge of latest Strongswan I got this info:

The only (small) problem I have with Strongswan in Xenial is that what's
installed by default doesn't provide enough features to make a good
roadwarrior client compatible with VPN targeting OSX/iOS, Windows and
Android clients.

2 plugins are missing from the default install:

1) eap-mschapv2 is required on the client side to connect to VPN
concentrators configured for Windows 7+ and modern OSX/iOS using IKEv2.
In such a scenario, the VPN concentrator identifies itself with a public
key and asks the client to authenticate with MSCHAPv2.

2) xauth-generic is required on the client side to connect to VPN
concentrators configured for Android and older OSX/iOS using IKEv1 and
XAUTH. In such a scenario, the VPN concentrator identifies itself with a
public key or a shared secret and asks the client to authenticate with an
XAUTH password.

Currently in Xenial, installing Strongswan only suggests
libcharon-extra-plugins. That seems reasonable since
libcharon-extra-plugins is pretty big on its own and pulls in
strongswan-tnc-base. Maybe the TNC stuff could be made completely
independent and then making libcharon-extra-plugins a recommends would
be doable?

Definitely worth looking into, so I opened this bug to track it.
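
A client-side ipsec.conf for the two scenarios in the description, added here as an illustration and not taken from the bug report or from the Ubuntu packaging. The gateway name vpn.example.com, the user alice, the connection names and the secrets are assumed placeholders.

```conf
# /etc/ipsec.conf on the roadwarrior client (constructed example,
# all names below are placeholders)

# Scenario 1: IKEv2. The gateway authenticates with a public key
# (certificate) and the client answers with EAP-MSCHAPv2.
# Needs the eap-mschapv2 plugin on the client.
conn ikev2-eap-mschapv2
    keyexchange=ikev2
    # request a virtual IP from the gateway
    leftsourceip=%config
    leftauth=eap-mschapv2
    eap_identity=alice
    right=vpn.example.com
    # pin the gateway identity; it must match the gateway certificate,
    # and the issuing CA must be trusted by the client
    rightid=@vpn.example.com
    rightauth=pubkey
    rightsubnet=0.0.0.0/0
    auto=add

# Scenario 2: IKEv1. A shared secret authenticates the first round,
# then the user is authenticated with an XAUTH password.
# Needs the xauth-generic plugin on the client.
conn ikev1-psk-xauth
    keyexchange=ikev1
    leftsourceip=%config
    leftauth=psk
    leftauth2=xauth
    xauth_identity=alice
    right=vpn.example.com
    rightid=@vpn.example.com
    rightauth=psk
    rightsubnet=0.0.0.0/0
    auto=add

# Matching /etc/ipsec.secrets entries (keep the file readable by root only):
#   alice : EAP "placeholder-password"
#   : PSK "placeholder-group-secret"
#   alice : XAUTH "placeholder-password"
```

If the plugin named in a scenario's comment is not installed, that connection cannot complete the client authentication step, which is the gap in the default install that this bug describes.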

Christian Ehrhardt (paelzer) wrote :

Thanks to Simon for bringing that up!

Stored on my personal "I should do" list

Changed in strongswan (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Simon Déziel (sdeziel) wrote :

The eap-mschapv2 and xauth-generic plugins are both provided by libcharon-extra-plugins which is in main.

It seems that you already split the TNC stuff off of libcharon-extra-plugins in https://git.launchpad.net/~paelzer/ubuntu/+source/strongswan/commit/?h=merge-zesty&id=4e1bbd943cb61de280ac9891896b79a549bd910b. So that's a very good start.

Christian Ehrhardt (paelzer) wrote :

So to clarify what you'd recommend I try to rephrase:
Since those two plugins are needed for the most common cases they should/could be part of the libstrongswan-standard-plugins which are a recommends.

I'm not sure if that would work dependency-wise - but if it works, would that meet the need that you are reporting?

Simon Déziel (sdeziel) wrote : Re: [Bug 1640826] Re: please evaluate enabling more plugins to make strongswan more useful

What I'd like is for someone to install the strongswan package and have
both plugins installed as "recommends" but without the TNC stuff.
Debian/you took care of splitting out the TNC part so that's done
already, thanks.

The 2 plugins are currently in libcharon-extra-plugins [*] so I'd keep
them there but make strongswan-libcharon recommend the package instead
of suggesting it.

If pulling libcharon-extra-plugins is deemed too big I think a new
package named libcharon-standard-plugins would be a good place to ship a
minimal set of plugins.

*: libstrongswan-standard-plugins wouldn't be a good place as the 2
plugins are under the libcharon if you look here:
https://wiki.strongswan.org/projects/strongswan/wiki/PluginList

Christian Ehrhardt (paelzer) wrote :

FYI (status update) - I got to that on merging latest Strongswan, I think it is working pretty well.
The only dependencies left from that are to base charon which makes sense - no cross refs to other plugins. Given that my reviewer agrees that this is a sane change I hope to put it in the zesty release.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package strongswan - 5.5.1-1ubuntu2

---------------
strongswan (5.5.1-1ubuntu2) zesty; urgency=medium

  * Update Maintainers which was missed while merging 5.5.1-1.

 -- Christian Ehrhardt <email address hidden> Mon, 19 Dec 2016 16:02:40 +0100

Changed in strongswan (Ubuntu):
status: Triaged → Fix Released