strongswan: import, update, adopt
authorSteven Barth <steven@midlink.org>
Sun, 17 Aug 2014 08:11:02 +0000 (10:11 +0200)
committerSteven Barth <steven@midlink.org>
Sun, 17 Aug 2014 08:11:02 +0000 (10:11 +0200)
Signed-off-by: Steven Barth <steven@midlink.org>
net/strongswan/Config.in [new file with mode: 0644]
net/strongswan/Makefile [new file with mode: 0644]
net/strongswan/files/ipsec.init [new file with mode: 0644]
net/strongswan/files/ipsec.secrets [new file with mode: 0644]
net/strongswan/files/ipsec.user [new file with mode: 0644]
net/strongswan/patches/201-kmodloader.patch [new file with mode: 0644]
net/strongswan/patches/203-uci.patch [new file with mode: 0644]
net/strongswan/patches/300-include-ipsec-user-script.patch [new file with mode: 0644]

diff --git a/net/strongswan/Config.in b/net/strongswan/Config.in
new file mode 100644 (file)
index 0000000..5bb78ae
--- /dev/null
@@ -0,0 +1,16 @@
+menu "Configuration"
+       depends on PACKAGE_strongswan
+
+# --with-routing-table
+config STRONGSWAN_ROUTING_TABLE
+       string
+       prompt "Set the IPsec routing table ID"
+       default "220"
+
+#  --with-routing-table-prio
+config STRONGSWAN_ROUTING_TABLE_PRIO
+       string
+       prompt "Set the IPsec routing table priority"
+       default "220"
+
+endmenu
diff --git a/net/strongswan/Makefile b/net/strongswan/Makefile
new file mode 100644 (file)
index 0000000..8039951
--- /dev/null
@@ -0,0 +1,503 @@
+#
+# Copyright (C) 2012-2014 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=strongswan
+PKG_VERSION:=5.2.0
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:=http://download.strongswan.org/ http://download2.strongswan.org/
+PKG_MD5SUM:=5cee4ee1a6ccb74400758b3ace54d46e
+PKG_LICENSE:=GPL-2.0+
+PKG_MAINTAINER:=Steven Barth <cyrus@openwrt.org>
+
+PKG_MOD_AVAILABLE:= \
+       addrblock \
+       aes \
+       af-alg \
+       agent \
+       attr \
+       attr-sql \
+       blowfish \
+       ccm \
+       cmac \
+       constraints \
+       coupling \
+       ctr \
+       curl \
+       des \
+       dhcp \
+       dnskey \
+       duplicheck \
+       eap-identity \
+       eap-md5 \
+       eap-mschapv2 \
+       eap-radius \
+       farp \
+       fips-prf \
+       gcm \
+       gcrypt \
+       gmp \
+       ha \
+       hmac \
+       kernel-libipsec \
+       kernel-netlink \
+       ldap \
+       led \
+       load-tester \
+       nonce \
+       md4 \
+       md5 \
+       mysql \
+       openssl \
+       padlock \
+       pem \
+       pgp \
+       pkcs1 \
+       pkcs8 \
+       pkcs11 \
+       pubkey \
+       random \
+       resolve \
+       revocation \
+       sha1 \
+       sha2 \
+       smp \
+       socket-default \
+       socket-dynamic \
+       sql \
+       sqlite \
+       stroke \
+       test-vectors \
+       unity \
+       uci \
+       updown \
+       whitelist \
+       x509 \
+       xauth-eap \
+       xauth-generic \
+       xcbc
+
+PKG_CONFIG_DEPENDS:= \
+       CONFIG_STRONGSWAN_ROUTING_TABLE \
+       CONFIG_STRONGSWAN_ROUTING_TABLE_PRIO \
+       $(patsubst %,CONFIG_PACKAGE_strongswan-mod-%,$(PKG_MOD_AVAILABLE)) \
+
+PKG_FIXUP:=autoreconf
+PKG_INSTALL:=1
+PKG_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/strongswan/Default
+  SUBMENU:=VPN
+  SECTION:=net
+  CATEGORY:=Network
+  TITLE:=StrongSwan
+  URL:=http://www.strongswan.org/
+endef
+
+define Package/strongswan/description/Default
+ StrongSwan is an OpenSource IPsec implementation for the Linux operating system.
+endef
+
+define Package/strongswan
+$(call Package/strongswan/Default)
+  DEPENDS:= +libpthread +ip \
+       +kmod-crypto-authenc \
+       +kmod-ipsec +kmod-ipsec4 +kmod-ipsec6 \
+       +kmod-ipt-ipsec +iptables-mod-ipsec
+endef
+
+define Package/strongswan/config
+  source "$(SOURCE)/Config.in"
+endef
+
+define Package/strongswan/description
+$(call Package/strongswan/description/Default)
+ This package contains shared libraries and scripts.
+endef
+
+define Package/strongswan-full
+$(call Package/strongswan/Default)
+  TITLE+= (full)
+  DEPENDS:= +strongswan \
+       +strongswan-charon \
+       +strongswan-mod-addrblock \
+       +strongswan-mod-aes \
+       +strongswan-mod-af-alg \
+       +strongswan-mod-agent \
+       +strongswan-mod-attr \
+       +strongswan-mod-attr-sql \
+       +strongswan-mod-blowfish \
+       +strongswan-mod-ccm \
+       +strongswan-mod-cmac \
+       +strongswan-mod-constraints \
+       +strongswan-mod-coupling \
+       +strongswan-mod-ctr \
+       +strongswan-mod-curl \
+       +strongswan-mod-des \
+       +strongswan-mod-dhcp \
+       +strongswan-mod-dnskey \
+       +strongswan-mod-duplicheck \
+       +strongswan-mod-eap-identity \
+       +strongswan-mod-eap-md5 \
+       +strongswan-mod-eap-mschapv2 \
+       +strongswan-mod-eap-radius \
+       +strongswan-mod-farp \
+       +strongswan-mod-fips-prf \
+       +strongswan-mod-gcm \
+       +strongswan-mod-gcrypt \
+       +strongswan-mod-gmp \
+       +strongswan-mod-ha \
+       +strongswan-mod-hmac \
+       +strongswan-mod-kernel-netlink \
+       +strongswan-mod-ldap \
+       +strongswan-mod-led \
+       +strongswan-mod-load-tester \
+       +strongswan-mod-nonce \
+       +strongswan-mod-md4 \
+       +strongswan-mod-md5 \
+       +strongswan-mod-mysql \
+       +strongswan-mod-openssl \
+       +TARGET_x86:strongswan-mod-padlock \
+       +strongswan-mod-pem \
+       +strongswan-mod-pgp \
+       +strongswan-mod-pkcs1 \
+       +strongswan-mod-pkcs8 \
+       +strongswan-mod-pkcs11 \
+       +strongswan-mod-pubkey \
+       +strongswan-mod-random \
+       +strongswan-mod-resolve \
+       +strongswan-mod-revocation \
+       +strongswan-mod-sha1 \
+       +strongswan-mod-sha2 \
+       +strongswan-mod-smp \
+       +strongswan-mod-socket-default \
+       +strongswan-mod-sql \
+       +strongswan-mod-sqlite \
+       +strongswan-mod-stroke \
+       +strongswan-mod-test-vectors \
+       +strongswan-mod-uci \
+       +strongswan-mod-unity \
+       +strongswan-mod-updown \
+       +strongswan-mod-whitelist \
+       +strongswan-mod-x509 \
+       +strongswan-mod-xauth-eap \
+       +strongswan-mod-xauth-generic \
+       +strongswan-mod-xcbc \
+       +strongswan-utils \
+       @DEVEL
+endef
+
+define Package/strongswan-full/description
+$(call Package/strongswan/description/Default)
+ This meta-package contains dependencies for all of the strongswan plugins
+ except kernel-libipsec,
+ socket-dynamic and which are ommitted in favor of the kernel-netlink and
+ socket-default plugins.
+endef
+
+
+define Package/strongswan-default
+$(call Package/strongswan/Default)
+  TITLE+= (default)
+  DEPENDS:= +strongswan \
+       +strongswan-charon \
+       +strongswan-mod-aes \
+       +strongswan-mod-attr \
+       +strongswan-mod-constraints \
+       +strongswan-mod-des \
+       +strongswan-mod-dnskey \
+       +strongswan-mod-fips-prf \
+       +strongswan-mod-gmp \
+       +strongswan-mod-hmac \
+       +strongswan-mod-kernel-netlink \
+       +strongswan-mod-md5 \
+       +strongswan-mod-nonce \
+       +strongswan-mod-pem \
+       +strongswan-mod-pgp \
+       +strongswan-mod-pkcs1 \
+       +strongswan-mod-pubkey \
+       +strongswan-mod-random \
+       +strongswan-mod-resolve \
+       +strongswan-mod-revocation \
+       +strongswan-mod-sha1 \
+       +strongswan-mod-sha2 \
+       +strongswan-mod-socket-default \
+       +strongswan-mod-stroke \
+       +strongswan-mod-updown \
+       +strongswan-mod-x509 \
+       +strongswan-mod-xauth-generic \
+       +strongswan-mod-xcbc \
+       +strongswan-utils
+endef
+
+define Package/strongswan-default/description
+$(call Package/strongswan/description/Default)
+ This meta-package contains only dependencies to match upstream defaults.
+endef
+
+define Package/strongswan-minimal
+$(call Package/strongswan/Default)
+  TITLE+= (minimal)
+  DEPENDS:= +strongswan \
+       +strongswan-charon \
+       +strongswan-mod-aes \
+       +strongswan-mod-gmp \
+       +strongswan-mod-hmac \
+       +strongswan-mod-kernel-netlink \
+       +strongswan-mod-nonce \
+       +strongswan-mod-pubkey \
+       +strongswan-mod-random \
+       +strongswan-mod-sha1 \
+       +strongswan-mod-socket-default \
+       +strongswan-mod-stroke \
+       +strongswan-mod-updown \
+       +strongswan-mod-x509 \
+       +strongswan-mod-xcbc
+endef
+
+define Package/strongswan-minimal/description
+$(call Package/strongswan/description/Default)
+ This meta-package contains only dependencies for a minimal IKEv2 setup.
+endef
+
+define Package/strongswan-charon
+$(call Package/strongswan/Default)
+  TITLE+= IKEv1/IKEv2 keying daemon
+  DEPENDS:= +strongswan
+endef
+
+define Package/strongswan-charon/description
+$(call Package/strongswan/description/Default)
+ This package contains charon, an IKEv2 keying daemon.
+endef
+
+define Package/strongswan-utils
+$(call Package/strongswan/Default)
+  TITLE+= utilities
+  DEPENDS:= +strongswan
+endef
+
+define Package/strongswan-utils/description
+$(call Package/strongswan/description/Default)
+ This package contains the pki & scepclient utilities.
+endef
+
+define BuildPlugin
+  define Package/strongswan-mod-$(1)
+    $$(call Package/strongswan/Default)
+    TITLE:= StrongSwan $(2) plugin
+    DEPENDS:= +strongswan $(3)
+  endef
+
+  strongswan_mod_conf=$(wildcard $(PKG_INSTALL_DIR)/etc/strongswan.d/charon/$(1).conf)
+  define Package/strongswan-mod-$(1)/install
+       $(INSTALL_DIR) $$(1)/etc/strongswan.d/charon
+       $(if $(call strongswan_mod_conf,$(1)), \
+               $(INSTALL_DATA) \
+                       $(call strongswan_mod_conf,$(1)) \
+                       $$(1)/etc/strongswan.d/charon/ \
+       )
+       $(INSTALL_DIR) $$(1)/usr/lib/ipsec/plugins
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/libstrongswan-$(1).so \
+               $$(1)/usr/lib/ipsec/plugins/
+       $(call Plugin/$(1)/install,$$(1))
+  endef
+
+  Package/strongswan-mod-$(1)/conffiles=$(patsubst $(PKG_INSTALL_DIR)%,%,$(call strongswan_mod_conf,$(1)))
+
+  $$(eval $$(call BuildPackage,strongswan-mod-$(1)))
+endef
+
+CONFIGURE_ARGS+= \
+       --disable-scripts \
+       --disable-static \
+       --disable-fast \
+       --with-systemdsystemunitdir=no \
+       $(if $(CONFIG_PACKAGE_strongswan-utils),--enable-pki --enable-scepclient,--disable-pki --disable-scepclient) \
+       --with-random-device=/dev/random \
+       --with-urandom-device=/dev/urandom \
+       --with-routing-table="$(call qstrip,$(CONFIG_STRONGSWAN_ROUTING_TABLE))" \
+       --with-routing-table-prio="$(call qstrip,$(CONFIG_STRONGSWAN_ROUTING_TABLE_PRIO))" \
+       $(foreach m,$(PKG_MOD_AVAILABLE), \
+         $(if $(CONFIG_PACKAGE_strongswan-mod-$(m)),--enable-$(m),--disable-$(m)) \
+       )
+
+EXTRA_LDFLAGS+= -Wl,-rpath-link,$(STAGING_DIR)/usr/lib
+
+define Package/strongswan/conffiles
+/etc/ipsec.conf
+/etc/ipsec.secrets
+/etc/ipsec.user
+/etc/strongswan.conf
+endef
+
+define Package/strongswan/install
+       $(INSTALL_DIR) $(1)/etc
+       $(CP) $(PKG_INSTALL_DIR)/etc/strongswan.conf $(1)/etc/
+       $(INSTALL_DIR) $(1)/usr/lib/ipsec
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/{libstrongswan.so.*,libhydra.so.*} $(1)/usr/lib/ipsec/
+       $(INSTALL_CONF) ./files/ipsec.secrets $(1)/etc/
+       $(INSTALL_DIR) $(1)/etc/init.d
+       $(INSTALL_BIN) ./files/ipsec.init $(1)/etc/init.d/ipsec
+endef
+
+define Package/strongswan-default/install
+       true
+endef
+
+define Package/strongswan-full/install
+       true
+endef
+
+define Package/strongswan-minimal/install
+       true
+endef
+
+define Package/strongswan-charon/install
+       $(INSTALL_DIR) $(1)/usr/lib/ipsec
+       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/ipsec/charon $(1)/usr/lib/ipsec/
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libcharon.so.* $(1)/usr/lib/ipsec/
+endef
+
+define Package/strongswan-utils/install
+       $(INSTALL_DIR) $(1)/usr/sbin
+       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ipsec $(1)/usr/sbin/
+       $(INSTALL_DIR) $(1)/usr/bin
+       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/pki $(1)/usr/bin/
+       $(INSTALL_DIR) $(1)/usr/lib/ipsec
+       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/ipsec/scepclient $(1)/usr/lib/ipsec/
+endef
+
+define Plugin/duplicheck/install
+       $(INSTALL_DIR) $(1)/usr/lib/ipsec/plugins
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/duplicheck $(1)/usr/lib/ipsec/
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/libstrongswan-duplicheck.so $(1)/usr/lib/ipsec/plugins/
+endef
+
+define Plugin/eap-radius/install
+       $(INSTALL_DIR) $(1)/usr/lib/ipsec/plugins
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libradius.so.* $(1)/usr/lib/ipsec/
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/libstrongswan-eap-radius.so $(1)/usr/lib/ipsec/plugins/
+endef
+
+define Plugin/attr-sql/install
+       $(INSTALL_DIR) $(1)/usr/lib/ipsec
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/pool $(1)/usr/lib/ipsec/
+endef
+
+define Plugin/stroke/install
+       $(INSTALL_DIR) $(1)/etc/ipsec.d/aacerts
+       $(INSTALL_DIR) $(1)/etc/ipsec.d/acerts
+       $(INSTALL_DIR) $(1)/etc/ipsec.d/cacerts
+       $(INSTALL_DIR) $(1)/etc/ipsec.d/certs
+       $(INSTALL_DIR) $(1)/etc/ipsec.d/crls
+       $(INSTALL_DIR) $(1)/etc/ipsec.d/ocspcerts
+       $(INSTALL_DIR) $(1)/etc/ipsec.d/private
+       $(INSTALL_DIR) $(1)/etc/ipsec.d/reqs
+
+       $(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/ipsec.conf $(1)/etc/
+
+       $(INSTALL_DIR) $(1)/usr/lib/ipsec/plugins
+       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/ipsec/{starter,stroke} $(1)/usr/lib/ipsec/
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/libstrongswan-stroke.so $(1)/usr/lib/ipsec/plugins/
+endef
+
+define Plugin/updown/install
+       $(INSTALL_DIR) $(1)/usr/lib/ipsec/plugins
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/{_updown,_updown_espmark} $(1)/usr/lib/ipsec/
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/libstrongswan-updown.so $(1)/usr/lib/ipsec/plugins/
+       $(INSTALL_DIR) $(1)/etc
+       $(INSTALL_CONF) ./files/ipsec.user $(1)/etc/
+endef
+
+define Plugin/whitelist/install
+       $(INSTALL_DIR) $(1)/usr/lib/ipsec/plugins
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/whitelist $(1)/usr/lib/ipsec/
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/libstrongswan-whitelist.so $(1)/usr/lib/ipsec/plugins/
+endef
+
+define Plugin/kernel-libipsec/install
+       $(INSTALL_DIR) $(1)/usr/lib/ipsec
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libipsec.so.* $(1)/usr/lib/ipsec/
+endef
+
+$(eval $(call BuildPackage,strongswan))
+$(eval $(call BuildPackage,strongswan-default))
+$(eval $(call BuildPackage,strongswan-full))
+$(eval $(call BuildPackage,strongswan-minimal))
+$(eval $(call BuildPackage,strongswan-charon))
+$(eval $(call BuildPackage,strongswan-utils))
+$(eval $(call BuildPlugin,addrblock,RFC 3779 address block constraint support,))
+$(eval $(call BuildPlugin,aes,AES crypto,))
+$(eval $(call BuildPlugin,af-alg,AF_ALG crypto interface to Linux Crypto API,+kmod-crypto-user))
+$(eval $(call BuildPlugin,agent,SSH agent signing,))
+$(eval $(call BuildPlugin,attr,file based config,))
+$(eval $(call BuildPlugin,attr-sql,SQL based config,+strongswan-mod-sql))
+$(eval $(call BuildPlugin,blowfish,Blowfish crypto,))
+$(eval $(call BuildPlugin,ccm,CCM AEAD wrapper crypto,))
+$(eval $(call BuildPlugin,cmac,CMAC crypto,))
+$(eval $(call BuildPlugin,constraints,advanced X509 constraint checking,))
+$(eval $(call BuildPlugin,coupling,IKEv2 plugin to couple peer certificates permanently to authentication,))
+$(eval $(call BuildPlugin,ctr,Counter Mode wrapper crypto,))
+$(eval $(call BuildPlugin,curl,cURL fetcher plugin,+PACKAGE_strongswan-mod-curl:libcurl))
+$(eval $(call BuildPlugin,des,DES crypto,))
+$(eval $(call BuildPlugin,dhcp,DHCP based attribute provider,))
+$(eval $(call BuildPlugin,dnskey,DNS RR key decoding,))
+$(eval $(call BuildPlugin,duplicheck,advanced duplicate checking,))
+$(eval $(call BuildPlugin,eap-identity,EAP identity helper,))
+$(eval $(call BuildPlugin,eap-md5,EAP MD5 (CHAP) EAP auth,))
+$(eval $(call BuildPlugin,eap-mschapv2,EAP MS-CHAPv2 EAP auth,+strongswan-mod-md4 +strongswan-mod-des))
+$(eval $(call BuildPlugin,eap-radius,EAP RADIUS auth,))
+$(eval $(call BuildPlugin,farp,fake arp respsonses,))
+$(eval $(call BuildPlugin,fips-prf,FIPS PRF crypto,+strongswan-mod-sha1))
+$(eval $(call BuildPlugin,gcm,GCM AEAD wrapper crypto,))
+$(eval $(call BuildPlugin,gcrypt,libgcrypt,+PACKAGE_strongswan-mod-gcrypt:libgcrypt))
+$(eval $(call BuildPlugin,gmp,libgmp,+PACKAGE_strongswan-mod-gmp:libgmp))
+$(eval $(call BuildPlugin,ha,high availability cluster,))
+$(eval $(call BuildPlugin,hmac,HMAC crypto,))
+$(eval $(call BuildPlugin,kernel-libipsec,libipsec kernel interface,))
+$(eval $(call BuildPlugin,kernel-netlink,netlink kernel interface,))
+$(eval $(call BuildPlugin,ldap,LDAP,+PACKAGE_strongswan-mod-ldap:libopenldap))
+$(eval $(call BuildPlugin,led,LED blink on IKE activity,))
+$(eval $(call BuildPlugin,load-tester,load testing,))
+$(eval $(call BuildPlugin,nonce,nonce genereation,))
+$(eval $(call BuildPlugin,md4,MD4 crypto,))
+$(eval $(call BuildPlugin,md5,MD5 crypto,))
+$(eval $(call BuildPlugin,mysql,MySQL database interface,+strongswan-mod-sql +PACKAGE_strongswan-mod-mysql:libmysqlclient-r))
+$(eval $(call BuildPlugin,openssl,OpenSSL crypto,+PACKAGE_strongswan-mod-openssl:libopenssl))
+$(eval $(call BuildPlugin,padlock,VIA PadLock crypto,@TARGET_x86))
+$(eval $(call BuildPlugin,pem,PEM decoding,))
+$(eval $(call BuildPlugin,pgp,PGP key decoding,))
+$(eval $(call BuildPlugin,pkcs1,PKCS1 key decoding,))
+$(eval $(call BuildPlugin,pkcs8,PKCS8 key decoding,))
+$(eval $(call BuildPlugin,pkcs11,PKCS11 key decoding,))
+$(eval $(call BuildPlugin,pubkey,raw public key,))
+$(eval $(call BuildPlugin,random,RNG,))
+$(eval $(call BuildPlugin,resolve,DNS resolver,))
+$(eval $(call BuildPlugin,revocation,X509 CRL/OCSP revocation,))
+$(eval $(call BuildPlugin,sha1,SHA1 crypto,))
+$(eval $(call BuildPlugin,sha2,SHA2 crypto,))
+$(eval $(call BuildPlugin,smp,SMP configuration and control interface,+PACKAGE_strongswan-mod-smp:libxml2))
+$(eval $(call BuildPlugin,socket-default,default socket implementation for charon,))
+$(eval $(call BuildPlugin,socket-dynamic,dynamic socket implementation for charon,))
+$(eval $(call BuildPlugin,sql,SQL database interface,))
+$(eval $(call BuildPlugin,sqlite,SQLite database interface,+strongswan-mod-sql +PACKAGE_strongswan-mod-sqlite:libsqlite3))
+$(eval $(call BuildPlugin,stroke,Stroke,+strongswan-utils))
+$(eval $(call BuildPlugin,test-vectors,crypto test vectors,))
+$(eval $(call BuildPlugin,uci,UCI config interface,+PACKAGE_strongswan-mod-uci:libuci))
+$(eval $(call BuildPlugin,unity,Cisco Unity extension,))
+$(eval $(call BuildPlugin,updown,updown firewall,))
+$(eval $(call BuildPlugin,whitelist,peer identity whitelisting,))
+$(eval $(call BuildPlugin,x509,x509 certificate,))
+$(eval $(call BuildPlugin,xauth-eap,EAP XAuth backend,))
+$(eval $(call BuildPlugin,xauth-generic,generic XAuth backend,))
+$(eval $(call BuildPlugin,xcbc,xcbc crypto,))
diff --git a/net/strongswan/files/ipsec.init b/net/strongswan/files/ipsec.init
new file mode 100644 (file)
index 0000000..391a2ae
--- /dev/null
@@ -0,0 +1,20 @@
+#!/bin/sh /etc/rc.common
+
+START=90
+STOP=10
+
+start() {
+       ipsec start
+}
+
+stop() {
+       ipsec stop
+}
+
+restart() {
+       ipsec restart
+}
+
+reload() {
+       ipsec update
+}
diff --git a/net/strongswan/files/ipsec.secrets b/net/strongswan/files/ipsec.secrets
new file mode 100644 (file)
index 0000000..ddd4956
--- /dev/null
@@ -0,0 +1 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
diff --git a/net/strongswan/files/ipsec.user b/net/strongswan/files/ipsec.user
new file mode 100644 (file)
index 0000000..4351ace
--- /dev/null
@@ -0,0 +1,6 @@
+# This file is interpreted as shell script.
+# Put your custom ip rules here, they will
+# be executed with each call to the script
+# /usr/lib/ipsec/_updown which by default
+# strongswan executes.
+
diff --git a/net/strongswan/patches/201-kmodloader.patch b/net/strongswan/patches/201-kmodloader.patch
new file mode 100644 (file)
index 0000000..7d46156
--- /dev/null
@@ -0,0 +1,28 @@
+--- a/src/starter/netkey.c
++++ b/src/starter/netkey.c
+@@ -31,7 +31,7 @@ bool starter_netkey_init(void)
+               /* af_key module makes the netkey proc interface visible */
+               if (stat(PROC_MODULES, &stb) == 0)
+               {
+-                      ignore_result(system("modprobe -qv af_key"));
++                      ignore_result(system("modprobe af_key 2>&1 >/dev/null"));
+               }
+               /* now test again */
+@@ -45,11 +45,11 @@ bool starter_netkey_init(void)
+       /* make sure that all required IPsec modules are loaded */
+       if (stat(PROC_MODULES, &stb) == 0)
+       {
+-              ignore_result(system("modprobe -qv ah4"));
+-              ignore_result(system("modprobe -qv esp4"));
+-              ignore_result(system("modprobe -qv ipcomp"));
+-              ignore_result(system("modprobe -qv xfrm4_tunnel"));
+-              ignore_result(system("modprobe -qv xfrm_user"));
++              ignore_result(system("modprobe ah4 2>&1 >/dev/null"));
++              ignore_result(system("modprobe esp4 2>&1 >/dev/null"));
++              ignore_result(system("modprobe ipcomp 2>&1 >/dev/null"));
++              ignore_result(system("modprobe xfrm4_tunnel 2>&1 >/dev/null"));
++              ignore_result(system("modprobe xfrm_user 2>&1 >/dev/null"));
+       }
+       DBG2(DBG_APP, "found netkey IPsec stack");
diff --git a/net/strongswan/patches/203-uci.patch b/net/strongswan/patches/203-uci.patch
new file mode 100644 (file)
index 0000000..274ea86
--- /dev/null
@@ -0,0 +1,20 @@
+--- a/src/libcharon/plugins/uci/uci_parser.c
++++ b/src/libcharon/plugins/uci/uci_parser.c
+@@ -78,7 +78,7 @@ METHOD(enumerator_t, section_enumerator_
+               if (uci_lookup(this->ctx, &element, this->package,
+                                          this->current->name, "name") == UCI_OK)
+               {       /* use "name" attribute as config name if available ... */
+-                      *value = uci_to_option(element)->value;
++                      *value = uci_to_option(element)->v.string;
+               }
+               else
+               {       /* ... or the section name becomes config name */
+@@ -93,7 +93,7 @@ METHOD(enumerator_t, section_enumerator_
+               if (value && uci_lookup(this->ctx, &element, this->package,
+                                                 this->current->name, this->keywords[i]) == UCI_OK)
+               {
+-                      *value = uci_to_option(element)->value;
++                      *value = uci_to_option(element)->v.string;
+               }
+       }
+       va_end(args);
diff --git a/net/strongswan/patches/300-include-ipsec-user-script.patch b/net/strongswan/patches/300-include-ipsec-user-script.patch
new file mode 100644 (file)
index 0000000..d96e844
--- /dev/null
@@ -0,0 +1,17 @@
+--- a/src/_updown/_updown.in
++++ b/src/_updown/_updown.in
+@@ -16,11 +16,9 @@
+ # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ # for more details.
+-# CAUTION:  Installing a new version of strongSwan will install a new
+-# copy of this script, wiping out any custom changes you make.  If
+-# you need changes, make a copy of this under another name, and customize
+-# that, and use the (left/right)updown parameters in ipsec.conf to make
+-# strongSwan use yours instead of this default one.
++# Add your custom ip rules to the /etc/ipsec.user file if you need that functionality.
++
++[ -e /etc/ipsec.user ] && . /etc/ipsec.user "$1"
+ # things that this script gets (from ipsec_pluto(8) man page)
+ #