strongswan-starter should conflict with openswan due to shared file /usr/sbin/ipsec

Bug #1755693 reported by Trent Lloyd on 2018-03-14
This bug affects 1 person
Affects Status Importance Assigned to Milestone
strongswan (Ubuntu)
Trent Lloyd

Bug Description

strongswan-starter and openswan both share the file /usr/sbin/ipsec however there is no Conflicts relationship

$ apt-file search /usr/sbin/ipsec
openswan: /usr/sbin/ipsec
strongswan-starter: /usr/sbin/ipsec

openswan was deprecated in utopic, so trusty installations may wish to migrate to strongswan ahead of a xenial upgrade. In that case, the package upgrade can fail.

This was previously fixed upstream in Debian:

For apt operation ordering reasons I don't understand, the issue only appears when something else on the system (such as neutron-vpn-agent) depends on (strongswan | openswan). Just installing strongswan and replacing it with openswan or vica-versa doesn't cause the issue to trigger.

The Conflicts already exists in xenial through bionic, just not in trusty. So the upload would only be required in trusty.


 * Users are unable to replace openswan with strongswan on trusty systems, where the next major Ubuntu release (xenial) dropped support for openswan completely but strongswan exists on both
 * Only users on trusty are affected, once upgraded to xenial this change is already in place

[Test Case]

On a trusty machine (e.g. lxd)

add-apt-repository cloud-archive:mitaka # the trusty version of neutron-vpn-agent does not have the dependency on openswan causing the bug to trigger
apt update
apt install neutron-vpn-agent openswan # you can answer no to X509 generation
apt install strongswan

[Regression Potential]

 * I don't believe the conflicts introduces a new issue in terms of a conflict that didn't previously exist, since the packages contain a conflicting file and strongswan-starter depends on strongswan-ike which already has a Conflicts in place. So in terms of the dependency tree they already conflicted, but did not prevent this temporary file conflict.

 * Other regression potential would be package rebuild related -- this package has had security uploads as recently as August 2017 so that risk appears reduced

[Other Info]

 * Same change is already in place from xenial onwards, so no SRU uploads other than trusty are required

Trent Lloyd (lathiat) on 2018-03-14
Changed in strongswan (Ubuntu):
status: New → Confirmed
Trent Lloyd (lathiat) wrote :

debdiff to fix the issue

tags: added: sts
Trent Lloyd (lathiat) on 2018-03-14
description: updated
Eric Desrochers (slashd) on 2018-03-15
Changed in strongswan (Ubuntu Trusty):
assignee: nobody → Trent Lloyd (lathiat)
importance: Undecided → Medium
description: updated
Eric Desrochers (slashd) on 2018-03-15
Changed in strongswan (Ubuntu Trusty):
status: New → In Progress
Eric Desrochers (slashd) wrote :

Sponsored in Trusty.

It is now waiting for the SRU team to approve the upload to start building in trusty-proposed.

- Eric

Eric Desrochers (slashd) on 2018-03-15
Changed in strongswan (Ubuntu):
status: Confirmed → Fix Released

Hello Trent, or anyone else affected,

Accepted strongswan into trusty-proposed. The package will build now and be available at in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at . Thank you in advance!

Changed in strongswan (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-trusty
Eric Desrochers (slashd) wrote :

Hi Trent,

Friendly reminder:
Please don't forget to do the verification-done when you have a chance.
As I write this, the package reach it's 28th days in trusty-proposed.

Once verification-done, it'll be eligible for trusty-updates.

- Eric

Eric Desrochers (slashd) wrote :
Download full text (4.5 KiB)

I have followed the steps in [Test Case] provided by Trent and reproduce inside a Trusty LXD container.

* I made sure openswan was installed:
ii openswan 1:2.6.38-1 amd64 Internet Key Exchange daemon

* Then installed strongswan as follow:
# apt install strongswan
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
Use 'apt-get autoremove' to remove it.
The following extra packages will be installed:
  libstrongswan strongswan-ike strongswan-plugin-openssl strongswan-starter
Suggested packages:
  strongswan-tnc-imcvs network-manager-strongswan strongswan-plugin-agent
  strongswan-plugin-certexpire strongswan-plugin-coupling
  strongswan-plugin-curl strongswan-plugin-dnscert strongswan-plugin-dnskey
  strongswan-plugin-duplicheck strongswan-plugin-error-notify
  strongswan-plugin-ipseckey strongswan-plugin-ldap strongswan-plugin-led
  strongswan-plugin-lookip strongswan-plugin-ntru strongswan-plugin-pkcs11
  strongswan-plugin-radattr strongswan-plugin-sql strongswan-plugin-soup
  strongswan-plugin-unity strongswan-plugin-whitelist strongswan-tnc-client
The following packages will be REMOVED:
The following NEW packages will be installed:
  libstrongswan strongswan strongswan-ike strongswan-plugin-openssl
0 upgraded, 5 newly installed, 1 to remove and 44 not upgraded.
Need to get 3574 kB of archives.
After this operation, 12.5 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 trusty-proposed/main libstrongswan amd64 5.1.2-0ubuntu2.8 [1449 kB]
Get:2 trusty-proposed/main strongswan all 5.1.2-0ubuntu2.8 [29.8 kB]
Get:3 trusty-proposed/main strongswan-starter amd64 5.1.2-0ubuntu2.8 [708 kB]
Get:4 trusty-proposed/main strongswan-plugin-openssl amd64 5.1.2-0ubuntu2.8 [189 kB]
Get:5 trusty-proposed/main strongswan-ike amd64 5.1.2-0ubuntu2.8 [1199 kB]
Fetched 3574 kB in 2s (1273 kB/s)
Preconfiguring packages ...
Selecting previously unselected package libstrongswan.
(Reading database ... 42962 files and directories currently installed.)
Preparing to unpack .../libstrongswan_5.1.2-0ubuntu2.8_amd64.deb ...
Unpacking libstrongswan (5.1.2-0ubuntu2.8) ...
Selecting previously unselected package strongswan.
Preparing to unpack .../strongswan_5.1.2-0ubuntu2.8_all.deb ...
Unpacking strongswan (5.1.2-0ubuntu2.8) ...
dpkg: openswan: dependency problems, but removing anyway as you requested:
 neutron-vpn-agent depends on strongswan (>= 5.1) | openswan; however:
  Package strongswan is not configured yet.
  Package openswan is to be removed.
(Reading database ... 43088 files and directories currently installed.)
Removing openswan (1:2.6.38-1) ...
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: stop ordered, but IPsec appears to be already stopped!
ipsec_setup: doing cleanup anyway...
Processing triggers for man-db ( ...


tags: added: verification-done-trusty
removed: verification-needed-trusty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package strongswan - 5.1.2-0ubuntu2.8

strongswan (5.1.2-0ubuntu2.8) trusty; urgency=medium

  * d/control: Add Conflicts from strongswan-starter to openswan to
    avoid file conflict on upgrade. (LP: #1755693)

 -- Trent Lloyd <email address hidden> Wed, 14 Mar 2018 14:50:05 +0800

Changed in strongswan (Ubuntu Trusty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for strongswan has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers