Koozali.org formerly Contribs.org

Obsolete Releases => SME 8.x Contribs => Topic started by: guest22 on September 15, 2014, 06:41:49 PM

Title: [HOWTO] Openswan/IPsec on SME Server
Post by: guest22 on September 15, 2014, 06:41:49 PM
This is the place to discuss: http://wiki.contribs.org/Openswan_IPSEC
Title: Re: [HOWTO] Openswan/IPsec on SME Server
Post by: ReetP on September 15, 2014, 07:02:07 PM
Don't ask me anything about it though :-)

Thanks for the WikiMonster work HSF.

B. Rgds
John
Title: Re: [HOWTO] Openswan/IPsec on SME Server
Post by: guest22 on January 26, 2017, 12:16:59 PM
Installing libreswan as per the wiki from smetest, the package ldns is not a dependency, whilst it is when installing it from epel.
Title: Re: [HOWTO] Openswan/IPsec on SME Server
Post by: ReetP on January 26, 2017, 01:51:58 PM
Quote from: guest22 on January 26, 2017, 12:16:59 PM
Installing libreswan as per the wiki from smetest, the package ldns is not a dependency, whilst it is when installing it from epel.

Which version?

As far as I can see at the minute this is the package in the CentOS OS repo and epel:

libreswan-3.15-5.3.el6.x86_64.rpm

That may require ldns

The version in smetest is 3.16 and I think JPP used the srpm from libreswan.org here

https://download.libreswan.org/binaries/rhel/6Server/x86_64/

He built from their source so I guess that ldns is not necessarily a requirement for it - I can't see a require in the spec file for 3.16 or 3.19 from their repo.

Personally I am running my own built 3.18 with 3.19 from the same repo.

For the smeserver-libreswan contrib you need >= 3.16 as there are various fixes and additional functionality that was added that is used.

I am going to push both libreswan and smeserver-libreswan packages from test to contribs shortly unless there are any gotchas.

B. Rgds
JC
Title: Re: [HOWTO] Openswan/IPsec on SME Server
Post by: guest22 on January 26, 2017, 01:53:38 PM
Why would we want to build our own package whilst epel repo has it?
Title: Re: [HOWTO] Openswan/IPsec on SME Server
Post by: ReetP on January 26, 2017, 03:19:42 PM
Quote from: guest22 on January 26, 2017, 01:53:38 PM
Why would we want to build our own package whilst epel repo has it?

Because it is old :-)

If we don't use the version from EPEL and use our own then we really should try and use the latest IMHO.

https://download.libreswan.org/CHANGES

Hence I am testing 3.19 at the minute, and would suggest that we update our repo to at least 3.18

3.15 has a bug with certificates so the minimum level should really be 3.16

Quote
https://libreswan.org/wiki/FAQ#Libreswan_is_vulnerable_to_NSS_CVE-2014-1568_RSA_Signature_Forgery

Libreswan is vulnerable to NSS CVE-2014-1568 RSA Signature Forgery
Please upgrade NSS to one of 3.17.1, 3.16.1 or 3.16.5.

This only affects libreswan when using X.509 certificates. Raw RSA keys using leftrsasigkey/rightrsasigkey are not affected. Connections using auth=secret (PSK) are also not affected.

See Mozilla Foundation Security Advisory 2014-73

So if you want to use certificates as per the latest version of my contrib....

B. Rgds
JC
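The minimum versions discussed in this thread (libreswan 3.16 or later for the contrib, and an NSS that carries the CVE-2014-1568 fix before relying on X.509 certificate authentication) can be checked on the server itself. The script below is an added example, not part of this thread or of the smeserver-libreswan contrib. It reads rpm's %{VERSION} tag for the libreswan and nss packages when invoked with --installed, and it assumes that NSS releases after 3.16.1 on the 3.16 branch and 3.17.1 or later carry the fix the libreswan FAQ refers to; the versions fed to report at the bottom are constructed samples, not real query output.

```shell
#!/bin/sh
# Added example (not from the thread or the smeserver-libreswan contrib):
# compare libreswan and NSS versions with the minimums discussed above.
#
#   libreswan : 3.15 has a certificate bug, the contrib needs >= 3.16
#   NSS       : CVE-2014-1568 fixed in 3.16.1, 3.16.5 or 3.17.1 (libreswan FAQ)
#               assumption: later releases on those branches carry the fix too

# ver_ge A B -> exit 0 when dotted version A >= B, comparing numerically
# component by component; a missing component counts as 0 (3.17 == 3.17.0).
# Anything from the first non digit/dot onward (e.g. "-5.3.el6") is ignored.
ver_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        # drop the consumed component, or empty the string on the last one
        if [ "$ai" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=""; else b=${b#*.}; fi
        ai=${ai:-0}
        bi=${bi:-0}
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# libreswan_ok VERSION -> 0 when the contrib's minimum (3.16) is met
libreswan_ok() {
    ver_ge "$1" 3.16
}

# nss_patched VERSION -> 0 when the NSS build carries the CVE-2014-1568 fix:
# 3.17.1 or later, or 3.16.1 up to (but not including) 3.17
nss_patched() {
    if ver_ge "$1" 3.17.1; then return 0; fi
    if ver_ge "$1" 3.16.1 && ! ver_ge "$1" 3.17; then return 0; fi
    return 1
}

# cert_auth_safe LIBRESWAN_VER NSS_VER -> 0 only when both conditions hold,
# i.e. when X.509 certificate based connections can be considered
cert_auth_safe() {
    libreswan_ok "$1" && nss_patched "$2"
}

# report LIBRESWAN_VER NSS_VER: human readable verdict, exit status as above
report() {
    if libreswan_ok "$1"; then
        echo "libreswan $1: ok (>= 3.16)"
    else
        echo "libreswan $1: too old, need >= 3.16 (3.15 has the certificate bug)"
    fi
    if nss_patched "$2"; then
        echo "nss $2: CVE-2014-1568 fix present"
    else
        echo "nss $2: upgrade NSS to 3.16.1, 3.16.5 or 3.17.1 before using X.509"
    fi
    cert_auth_safe "$1" "$2"
}

# installed_version PKG: rpm's %{VERSION} tag (release suffix is not included);
# head keeps one line if several arches of the package are installed
installed_version() {
    rpm -q --qf '%{VERSION}\n' "$1" 2>/dev/null | head -n 1
}

# check_installed: query the live system (CentOS 6 / SME package names)
check_installed() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; call report LIBRESWAN_VER NSS_VER directly" >&2
        return 2
    fi
    report "$(installed_version libreswan)" "$(installed_version nss)"
}

if [ "${1:-}" = "--installed" ]; then
    check_installed
else
    # Constructed sample inputs (not real rpm output) showing both outcomes.
    report 3.15-5.3.el6 3.14.3 || echo "-> do not enable certificate auth yet"
    report 3.16 3.16.5 && echo "-> certificate auth can be used"
fi
```

Run it with --installed on the SME box to test the real packages; without arguments it only exercises the constructed samples. The release part of an rpm version (everything after the first dash) is deliberately ignored, so the EPEL package libreswan-3.15-5.3.el6 is judged on 3.15 alone.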