The CONTRIBUTING.md requests an (or multiple) SPDX identifier for GPL
licenses. But a lot of packages did use a different, non-SPDX style with a
"+" at the end instead of "-or-later".
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Ipsec user script (/etc/ipsec.user) now get called indirectly by openwrt
"/sbin/hotplug-call". So other packages could also install their scripts
in "/etc/hotplug.d/ipsec".
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The interface config option allows users to configure logical OpenWRT
interface names in the ipsec section; it allows StrongSwan to listen
and send traffic on specified interface(s). It translates to interfaces_use
StrongSwan option which is a comma sepearted list of network devices
that should be used by charon.
Since StrongSwan can only be started when one of the specified logical
OpenWRT interface is up procd interface triggers are installed to
trigger the reload script.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Since the strongswan-utils package now only contains the aging ipsec
utility, rename it to strongswan-ipsec.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
We currently include the SCEP client in strongswan-utils, which is a
dependency of the strongswan-default meta-package. As it's generally not
recommended to generate keys on embedded devices due to lack of entropy,
move the SCEP client to a separate package, and only depend on it in the
strongswan-full meta-package.
While at it, add scepclient.conf to the package.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
We currently include the PKI tool in strongswan-utils, which is a
dependency of the strongswan-default meta-package. As it's generally not
recommended to generate keys on embedded devices due to lack of entropy,
move the PKI tool to a separate package, and only depend on it in the
strongswan-full meta-package.
While at it, add pki.conf to the package.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Add support to configure strongswan via uci.
uci support is based on the following sections
-ipsec : Global config items belonging in the strongswan.conf file
-remote : Defines the remote peer(s)
-tunnel : Defines the IPSec connections in tunnel mode
-transport : Defines the IPSec connections in transport mode
-crypto_proposal : Defines the different crypto proposals
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
Signed-off-by: Gino Peeters <peeters.gino@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
The default busybox config used by OpenWrt does not enable floating
point number support for the sleep applet. This can cause an error when
stopping or restarting strongswan:
sleep: invalid number '0.1'
Replace the float with an integer to fix this.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
See https://wiki.strongswan.org/issues/1213
Removed the changes to charon-xpc.c because they didn't apply and are
only used on OS X anyway.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
gmpdh plugin implements DH Groups (same as normal GMP plugin), but links to GMP statically and is stripped of all RSA based stuff. Binary size for plugin is ~20kbytes with no dependency on libgmp (200+ kbytes after squash), easilly fitting into flash space restricted devices.
strongswan-isakmp metapackage defines a minimal set of strongswan plugins (including gmpdh) for ISAKMP / IKEv1 PSK tunnels. Will fit even 4mb routers (like tplink wr841n) with disabled IPv6 support and packages (so its a trade - IPv6 or ipsec tunnels).
Signed-of-by: Mikalai Miadzvedz <brainsucker.na@gmail.com>
Makes kmod-ipsec6 requirement dependent on IPv6 support for packages.
This allows to disable unnecessary IPv6 kernel modules, saving
considerable amount of space.
Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
When only strongswan-minimal is selected, libtls.so will not be built
yet package strongswan will still try to copy the file causing build
failure.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Jan Pavlinec