[Swan-dev] libreswan 3.19 uploaded to debian unstable (unauth OE, debian strategies)
paul at nohats.ca
Thu Jan 26 05:04:50 UTC 2017
On Wed, 25 Jan 2017, Daniel Kahn Gillmor wrote:
(Added swan@ to list for larger exposure)
> i've just uploaded libreswan 3.19 to debian unstable. thanks very much
> for all your work on libreswan!
Awesome! Thank you very much!!
> I've also posted a couple pull requests and issues on github related to
> minor nitpicks i found while packaging. I hope they're helpful.
They've been merged in and will be in 3.20.
> Unauthenticated Opportunistic Encryption
> I've been trying to test out the unauthenticated opportunistic mode, and
> i haven't had as much luck with it as i'd like yet.
> in particular, i was hoping that i could just get the package installed,
> and then do:
> cp oe-upgrade-authnull.conf /etc/ipsec.d/
> systemctl start ipsec
> ipsec whack --trafficstatus
> ping -c 4 libreswan.org
> sleep 5
> ipsec whack --trafficstatus
I've talked to Daniel and we got it to work. Our test server was not up
and running, and his config needed a tweak. The tweak has been pushed
to the docs/example in git as well.
> 000 W.X.Y.Z/32:0 -0-> 18.104.22.168/32:0 => %pass 0 oe-failing
> (22.214.171.124 is the IP address i'm seeing for libreswan.org; i've
> anonymized the source IP address, but i'd be happy to share it in
> private debugging conversation)
We have not yet enabled OE for the libreswan.org domain itself. We don't
want to lock out people (yet :)
> I've also tried browsing to http://oe.libreswan.org/ and gotten the "Oh
> no! You are NOT protected by Opportunistic IPsec!" message, and seen
> "ipsec whack --shuntstatus" tell me:
This is the one we fixed together.
> Despite failing to get this OE mode working, I've uploaded the package
> to debian unstable so that it can reach a wider audience. It's possible
> (though unlikely) that this package could migrate to debian testing in
> time for the upcoming freeze for debian "stretch" (the next stable
> release). To do that, there would need to be no serious bugs found in
> it over the next 10 days.
We should be good, but I hope we can get some other people testing too!
> That said, i'm not sure we necessarily want it in debian stable yet
> anyway. Committing to 3.19 being in debian stable means being willing
> to support that version for several years, and i'm not yet convinced i
> have the bandwidth to do that without serious upstream support. I don't
> know how much y'all want to commit to 3.19 long term anyway.
In that case, I agree it would be nicer to do that for 3.20, which we
are also aiming at RHEL-7.4.
> If it stays out of debian stable for now, but it stabilizes in the near
> future, we can always use the stretch-backports repository to make it
> available for stretch users without committing to a long-term stable
> release (backports are allowed/expected to change more frequently). I
> suspect this approach would give libreswan the better balance between
> exposure and stability for this debian release cycle, but if y'all feel
> differently as upstream, i'd be happy to hear about it. Please let me
We'll be in touch!
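To turn the manual test above (ping, wait, read the shunt table) into a repeatable check, here is an added example; it is not code from the thread or from the libreswan project. It assumes only the `ipsec whack --shuntstatus` line shape quoted above, and the sample status text and addresses are constructed.

```shell
#!/bin/sh
# Added example: interpret "ipsec whack --shuntstatus" output for one peer.
# A line of the form
#   000 SRC/32:0 -0-> DST/32:0 => %pass 0 oe-failing
# means OE to DST failed and the kernel installed a %pass shunt, so packets
# to DST leave in the clear. That is the "NOT protected" case from the thread.

# Constructed sample, modelled on the line quoted in the thread (not real output).
SAMPLE_SHUNTS='000 192.0.2.10/32:0 -0-> 18.104.22.168/32:0 => %pass 0 oe-failing
000 192.0.2.10/32:0 -0-> 198.51.100.7/32:0 => %pass 0 oe-failing'

# oe_shunt_state DEST_IP STATUS_TEXT
# Prints one of: unprotected (a %pass oe-failing shunt exists for DEST_IP),
# no-shunt (DEST_IP absent from the table), or other: <line> for anything else.
# Returns 1 only for the unprotected case, so it can drive a conditional.
oe_shunt_state() {
    dest=$1
    text=$2
    # "-0->" precedes the destination; match on the arrow tail plus the /32 prefix.
    line=$(printf '%s\n' "$text" | grep -F -- "-> $dest/32:0 " | head -n 1)
    if [ -z "$line" ]; then
        echo no-shunt
        return 0
    fi
    case $line in
        *"=> %pass "*oe-failing*) echo unprotected; return 1 ;;
        *) echo "other: $line"; return 0 ;;
    esac
}

# oe_check_live DEST_IP: the thread's manual sequence, then classify the result.
# Needs a running libreswan and root; not exercised by the offline test.
oe_check_live() {
    ping -c 4 "$1" >/dev/null 2>&1
    sleep 5
    oe_shunt_state "$1" "$(ipsec whack --shuntstatus)"
}
```

Run `oe_check_live 203.0.113.5` (placeholder address) after starting ipsec; an `unprotected` verdict is the same condition the thread's `oe-failing` line reports.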