Semi-automatic update. These checks were performed:
- built on NixOS
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/pki -h` got 0 exit code
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/pki --help` got 0 exit code
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/pki -h` and found version 5.6.2
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/pki --help` and found version 5.6.2
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/charon-cmd --help` got 0 exit code
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/charon-cmd --version` and found version 5.6.2
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/charon-cmd --help` and found version 5.6.2
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/ipsec --help` got 0 exit code
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/ipsec --version` and found version 5.6.2
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/ipsec version` and found version 5.6.2
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/swanctl -h` got 0 exit code
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/swanctl --help` got 0 exit code
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/swanctl -h` and found version 5.6.2
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/swanctl --help` and found version 5.6.2
- found 5.6.2 with grep in /nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2
- found 5.6.2 in filename of file in /nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2
l2tp saves its secrets into /etc/ipsec.d but strongswan would not read
them. l2tp checks for /etc/ipsec.secrets includes /etc/ipsec.d and if
not tries to write into it.
Solution:
Have the strongswan module create /etc/ipsec.d and /etc/ipsec.secrets
when networkmanager_l2tp is installed.
Include /etc/ipsec.secrets in
/nix/store/hash-strongswan/etc/ipsec.secrets so that it can find l2tp
secrets.
Also when the ppp 'nopeerdns' option is used, the DNS resolver tries to
write into an alternate file /etc/ppp/resolv.conf. This fails when
/etc/ppp does not exist so the module creates it by default.
Added the boolean option:
networking.networkmanager.enableStrongSwan
which enables the networkmanager_strongswan plugin and adds
strongswanNM to the dbus packages.
This was contributed by @wucke13, @eqyiel and @globin.
Fixes: #29873
The NIST elliptic curve groups (ecp192 etc.) are only available if the
OpenSSL plugin is enabled, and these groups are currently the only EC
groups supported on iOS and macOS devices.
Strongswan fails to compile on armv7l-linux with `--enable-aesni` and `--enable-rdrand` enabled. Errors are thrown about impossible constraints in asm (`--enable-rdrand`) or about gcc getting unknown command line parameters about aes (`--enable-aesni`). The options only makes sense on X86_64 processors.
The rdrand plugin is designed for Ivy Bridge processors:
> High quality / high performance random source using the Intel rdrand instruction found on Ivy Bridge processors
The aes-ni plugin also only exists on X86 processors (which have the AES instruction set)
Tested with a local override. The change triggers a (successful) rebuild on my X86_64 system. On armv7-linux this change fixes build errors.
See:
https://wiki.strongswan.org/issues/337
