[Swan-dev] libreswan 3.19 uploaded to debian unstable (unauth OE, debian strategies)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Jan 26 02:50:00 UTC 2017

hi all--

i've just uploaded libreswan 3.19 to debian unstable.  thanks very much
for all your work on libreswan!

I've also posted a couple pull requests and issues on github related to
minor nitpicks i found while packaging.  I hope they're helpful.

Unauthenticated Opportunistic Encryption

I've been trying to test out the unauthenticated opportunistic mode, and
i haven't had as much luck with it as i'd like yet.

in particular, i was hoping that i could just get the package installed,
and then do:

    cp oe-upgrade-authnull.conf /etc/ipsec.d/
    systemctl start ipsec
    ipsec whack --trafficstatus
    ping -c 4 libreswan.org
    sleep 5
    ipsec whack --trafficstatus

to see a new association successfully (opportunistically) configured.

However, when i do that, the "ipsec whack --trafficstatus" lines show no
output either time.

if i look at "ipsec whack --shuntstatus" then i see:

    000 Bare Shunt list:
    000 W.X.Y.Z/32:0 -0-> => %pass 0    oe-failing

( is the IP address i'm seeing for libreswan.org; i've
anonymized the source IP address, but i'd be happy to share it in
private debugging conversation)

I've also tried browsing to http://oe.libreswan.org/ and gotten the "Oh
no! You are NOT protected by Opportunistic IPsec!" message, and seen
"ipsec whack --shuntstatus" tell me:

    000 A.B.C.D/32:0 -0-> => %pass 0    oe-failing

Any thoughts on what i might be missing or what my next steps for
debugging should be?  I've tried this on hosts that are behind a NAT and
hosts that are not NAT'ed at all.

Packaging in Debian

Despite failing to get this OE mode working, I've uploaded the package
to debian unstable so that it can reach a wider audience.  It's possible
(though unlikely) that this package could migrate to debian testing in
time for the upcoming freeze for debian "stretch" (the next stable
release).  To do that, there would need to be no serious bugs found in
it over the next 10 days.

That said, i'm not sure we necessarily want it in debian stable yet
anyway.  Committing to 3.19 being in debian stable means being willing
to support that version for several years, and i'm not yet convinced i
have the bandwidth to do that without serious upstream support.  I don't
know how much y'all want to commit to 3.19 long term anyway.

If it stays out of debian stable for now, but it stabilizes in the near
future, we can always use the stretch-backports repository to make it
available for stretch users without committing to a long-term stable
release (backports are allowed/expected to change more frequently).  I
suspect this approach would give libreswan the better balance between
exposure and stability for this debian release cycle, but if y'all feel
differently as upstream, i'd be happy to hear about it.  Please let me

I'd really like to try to sort out the OE stuff!  I'll look for you
over on #swan to try to get that sorted, but i'm also happy to hear any
suggestions on (or off) this mailing list.

Happy hacking,
