Koozali.org formerly Contribs.org

[HOWTO] Openswan/IPsec on SME Server

guest22

[HOWTO] Openswan/IPsec on SME Server
« on: September 15, 2014, 06:41:49 PM »
This is the place to discuss: http://wiki.contribs.org/Openswan_IPSEC

Offline ReetP

  • *
  • 1,872
Re: [HOWTO] Openswan/IPsec on SME Server
« Reply #1 on: September 15, 2014, 07:02:07 PM »
Don't ask me anything about it though :-)

Thanks for the WikiMonster work HSF.

B. Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

guest22

Re: [HOWTO] Openswan/IPsec on SME Server
« Reply #2 on: January 26, 2017, 12:16:59 PM »
Installing libreswan as per the wiki from smetest the package ldns is not a dependency, whilst it is when installing it from epel.

Offline ReetP

  • *
  • 1,872
Re: [HOWTO] Openswan/IPsec on SME Server
« Reply #3 on: January 26, 2017, 01:51:58 PM »
Installing libreswan as per the wiki from smetest the package ldns is not a dependency, whilst it is when installing it from epel.

Which version ?

As far as I can see at the minute this is the package in the CentOS OS repo and epel:

libreswan-3.15-5.3.el6.x86_64.rpm

That may require ldns

The version in smetest is 3.16 and I think JPP used the srpm from libreswan.org here

https://download.libreswan.org/binaries/rhel/6Server/x86_64/

He built from their source so I guess that ldns is not necessarily a requirement for it - I can't see a require in the spec file for 3.16 or 3.19 from their repo.

Personally I am running my own built 3.18 with 3.19 from the same repo.

For the smeserver-libreswan contrib you need >= 3.16 as there various fixes and additional functionality that was added that is used.

I am going to push both libreswan and smeserver-libreswan packages from test to contribs shortly unless there are any gotchas.

B. Rgds
JC
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

guest22

Re: [HOWTO] Openswan/IPsec on SME Server
« Reply #4 on: January 26, 2017, 01:53:38 PM »
Why would we want to build our own package whilst epel repo has it?

Offline ReetP

  • *
  • 1,872
Re: [HOWTO] Openswan/IPsec on SME Server
« Reply #5 on: January 26, 2017, 03:19:42 PM »
Why would we want to build our own package whilst epel repo has it?

Because it is old :-)

If we don't use the version from EPEL and use our own the we really should try and use the latest IMHO.

https://download.libreswan.org/CHANGES

Hence I am testing 3.19 at the minute, and would suggest that we update our repo to at least 3.18

3.15 has a bug with certificates so the minimum level should really be 3.16

Quote
https://libreswan.org/wiki/FAQ#Libreswan_is_vulnerable_to_NSS_CVE-2014-1568_RSA_Signature_Forgery

Libreswan is vulnerable to NSS CVE-2014-1568 RSA Signature Forgery
Please upgrade NSS to one of 3.17.1, 3.16.1 or 3.16.5.

This only affects libreswan when using X.509 certificates. Raw RSA keys using leftrsasigkey/rightrsasigkey are not affected. Connections using auth=secret (PSK) are also not affected.

See Mozilla Foundation Security Advisory 2014-73

So if you want to use certificates as per the latest version of my contrib....

B. Rgds
JC
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation